Secure Apache2 HTTPS Websites with Let’s Encrypt Free SSL/TLS Certificates on Ubuntu 16.04 / 18.04

Let’s Encrypt is a free, automated and open certificate authority (CA) run by the Internet Security Research Group (ISRG). It is sponsored by many large organizations, including Google, Microsoft and others.

If you’d like a free SSL/TLS certificate to secure your website traffic over HTTPS, then you’re on the right page. The steps below will help you obtain and configure a free Let’s Encrypt SSL certificate on the Apache2 HTTP server.

With these settings in place, you can then use the HTTPS protocol to secure your domain and website traffic.

This brief tutorial shows students and new users how to get the Apache2 HTTP server working with the Let’s Encrypt CA on Ubuntu 16.04 / 18.04 LTS servers.

When you’re ready, follow the steps below:

Step 0: Get your Domain Name

Let’s Encrypt only issues certificates for a valid, publicly resolvable domain that points to a server it can reach over the Internet. This setup assumes that your domain name is called and is pointing to your server with IP address

Don’t forget to also make sure the www CNAME record points to the bare domain name. The records should look something like this:
<        A       ==========>
www               CNAME    ==========>

Step 1: Install Apache2 HTTP Server

Now that you have a valid domain pointing to the correct server IP address, continue below to set up Apache2 and then Let’s Encrypt.

First install the Apache2 server. To do that, run the commands below:

sudo apt update
sudo apt install apache2

After installing Apache2, the commands below can be used to stop and start the Apache2 service and to enable it so that it always starts when the server boots.

sudo systemctl stop apache2.service
sudo systemctl start apache2.service
sudo systemctl enable apache2.service

To test the Apache2 setup, open your browser and browse to the server hostname or IP address; you should see the Apache2 default test page shown below.

When you see that page, Apache2 is working as expected.


Apache2 Test Page

Step 2: Configure Apache2 with Your Domain

Now that Apache2 is installed, configure it with your domain so that when users type your domain name, the Apache2 server responds.

To do that, create a document root for the domain under the Apache2 root directory and a basic HTML file with the sample content below:

sudo mkdir /var/www/html/

Then, inside that folder, create a file called index.html with the content below:

sudo nano /var/www/html/

Copy the content below into the file:

<!DOCTYPE html>
    <title> Test Page</title>
         <p>Success! is working</p>

Save the file and exit.

Next, run the command below to give the Apache2 user (www-data) ownership of the directory:

sudo chown -R www-data: /var/www/html/

When you’re done, create an Apache2 server block (virtual host) for the domain. To do that, run the command below to create a new configuration file for the domain.

The file will be called

sudo nano /etc/apache2/sites-available/

Then copy the content below into the file and save:

<VirtualHost *:80>
     # ServerName (your domain) and ServerAlias (the www name) go here
     DocumentRoot /var/www/html/

     ErrorLog ${APACHE_LOG_DIR}/
     CustomLog ${APACHE_LOG_DIR}/ combined
</VirtualHost>


Save the file and exit.

Now that the configuration file is created, run the command below to enable it:

sudo a2ensite

The site should now be enabled and ready to use, but for now it will only display the basic HTML content we created above. Apache2 picks the new site up the next time it is restarted, which Step 4 does.

Step 3: Install and Configure Let’s Encrypt

Now that our Apache2 site is enabled and ready to use, run the commands below to install and configure Let’s Encrypt to secure the Apache2 website.

First install Certbot. Certbot is a fully featured and easy-to-use tool that automates obtaining and renewing Let’s Encrypt SSL certificates.

To install it, run the commands below:

sudo apt install certbot

After installing Certbot, set up the location that Certbot’s webroot plugin will use to validate your domain. During validation the plugin writes a challenge file under ${webroot-path}/.well-known/acme-challenge/ and the Let’s Encrypt servers fetch it from your site over plain HTTP, so that path must be served by Apache2 and port 80 must be reachable from the Internet.

To do that, create the directory and give Apache2 group access to it (the setgid bit makes new files inherit the www-data group):

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

Next, create an Apache2 configuration snippet that maps the challenge URL onto that directory:

sudo nano /etc/apache2/conf-available/well-known.conf

Then copy and paste the content below into the file and save:

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

Save the file and exit

Step 4: Obtain Your Free Certificate

At this point your domain should be pointing to your server IP, the Apache2 HTTP server is installed and configured, and Certbot is installed and ready to obtain your certificate.

Before requesting your free certificate, enable the required Apache2 modules and the configuration snippet by running the commands below.

The commands below enable the Apache2 SSL, Headers and HTTP/2 modules and the well-known configuration file we created above:

sudo a2enmod ssl
sudo a2enmod headers
sudo a2enmod http2
sudo a2enconf well-known

After enabling the modules and config file above, restart the Apache2 server. To do that, run the command below:

sudo systemctl restart apache2
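Before running Certbot it is worth proving that the well-known alias really serves files from /var/lib/letsencrypt over port 80, because a mistyped Alias, a site that was never reloaded, or a firewall blocking port 80 is the usual reason HTTP-01 validation fails, and Certbot’s error message for all three is the same. The script below is an added example and is not part of the original page or of Certbot: it drops a random token into the challenge directory, fetches it back through the web server the way the Let’s Encrypt validation servers would (resolving the domain through DNS, so it also exercises the records from Step 0), and compares. The WEBROOT default and the curl-based fetcher are assumptions; the fetcher is a function so it can be swapped out for offline testing.

```shell
#!/bin/sh
# Pre-flight check for Let's Encrypt HTTP-01 validation with the webroot plugin.
# Added example; assumes the webroot from the page (/var/lib/letsencrypt) and
# that http://<domain>/.well-known/acme-challenge/ is aliased onto it.
set -u

WEBROOT="${WEBROOT:-/var/lib/letsencrypt}"

# Fetch a URL over plain HTTP, as the CA's validation servers do. Kept as a
# separate function so it can be replaced (for example in offline tests).
fetch_url() {
  curl -fsS --max-time 10 "$1"
}
FETCHER="${FETCHER:-fetch_url}"

# acme_preflight DOMAIN
# Writes a random token file under the challenge directory, fetches it back
# through the web server and compares. Returns 0 on success, 1 if the server
# does not serve the file (or serves different content), 2 on local I/O errors.
# The token file is removed again whatever happens.
acme_preflight() {
  local domain dir token url body rc
  domain="$1"
  dir="$WEBROOT/.well-known/acme-challenge"
  token="preflight-$(date +%s)-$$"
  url="http://$domain/.well-known/acme-challenge/$token"

  mkdir -p "$dir" || return 2
  printf '%s\n' "$token" > "$dir/$token" || return 2

  body="$("$FETCHER" "$url" 2>/dev/null)"
  rc=$?
  rm -f "$dir/$token"

  if [ "$rc" -ne 0 ]; then
    echo "FAIL: $url could not be fetched (port 80 open? well-known.conf enabled?)" >&2
    return 1
  fi
  if [ "$body" != "$token" ]; then
    echo "FAIL: $url returned something other than the token (wrong Alias or DocumentRoot?)" >&2
    return 1
  fi
  echo "OK: $url served from $dir; HTTP-01 validation should succeed"
  return 0
}

# Usage: sudo sh acme-preflight.sh your.domain   (once per name passed to certbot -d)
if [ $# -gt 0 ]; then
  acme_preflight "$1"
fi
```

Run it with sudo so the token can be written into the root-owned webroot, once for the bare domain and once for the www name, since Certbot validates every name given with -d separately.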

At this point all is set and you’re ready to obtain your certificate. To do that, run the command below with your own email address and domain names:

sudo certbot certonly --agree-tos --email --webroot -w /var/lib/letsencrypt/ -d -d

Certbot asks Let’s Encrypt to validate the domain: the CA fetches the challenge file from your server over plain HTTP under /.well-known/acme-challenge/, and Certbot then saves the certificate chain and private key under /etc/letsencrypt/live/. Note that certonly only obtains the certificate; it does not touch the Apache2 configuration, which is done in the next step. If everything is successful, you should see a message similar to the one below:

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2019-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

At this point you have a certificate (valid for 90 days, which is why renewal is automated at the end of this page). Now add it to the Apache2 configuration for the domain.

First, generate Diffie–Hellman parameters so that DHE key exchanges use a 2048-bit group of your own rather than a shared default. To do that, run the command below (it can take a minute or two):

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Next, open your site config file:

sudo nano /etc/apache2/sites-available/

Configure it to look similar to the one below. The port 80 block redirects all plain HTTP traffic to HTTPS, the <If> block redirects the alternate host name to the canonical one, and the SSL directives below it disable SSLv2/SSLv3/TLSv1/TLSv1.1, TLS compression and enable OCSP stapling:

<VirtualHost *:80>
  # ServerName (your domain) and ServerAlias (the www name) go here

  Redirect permanent /
</VirtualHost>

<VirtualHost *:443>
  # ServerName (your domain) and ServerAlias (the www name) go here
  DocumentRoot /var/www/html/

  Protocols h2 http/1.1

  <If "%{HTTP_HOST} == ''">
    Redirect permanent /
  </If>

  ErrorLog ${APACHE_LOG_DIR}/
  CustomLog ${APACHE_LOG_DIR}/ combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/
  SSLCertificateKeyFile /etc/letsencrypt/live/
  SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCompression off
  SSLUseStapling on
</VirtualHost>


SSLUseStapling makes Apache2 fetch the OCSP response for its own certificate and send it with the TLS handshake, so clients do not have to contact the CA’s OCSP responder themselves. That needs a server-wide cache for the OCSP status information, and the best place to configure it is the Apache SSL module configuration file:

sudo nano /etc/apache2/mods-available/ssl.conf

This file contains the options Apache uses for SSL. One additional directive, SSLStaplingCache, needs to be added to it (inside the <IfModule mod_ssl.c> block), as below:

# Set the location of the SSL OCSP Stapling Cache
 SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

The SSLStaplingCache directive defines the cache location and its size in bytes. It is only valid in the global server context, not inside a VirtualHost, and Apache2 refuses to start with SSLUseStapling on if it is missing, so this step is not optional.

Save your changes and restart Apache2 for the settings above to take effect:

sudo systemctl restart apache2
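Once the virtual host is in place, a quick way to catch a hardening directive that was mistyped, or quietly dropped during a later edit, is to lint the site file for the settings this page relies on. The script below is an added example and not part of the page, Apache or Certbot: it replays the SSLProtocol token list the way mod_ssl does (all, +proto, -proto, -all) and reports SSLv3, TLSv1 or TLSv1.1 still enabled, then checks that SSLEngine On, SSLCompression off, SSLUseStapling on and the DH parameters are present. It also expects a Strict-Transport-Security (HSTS) header; the page does not set one, although mod_headers enabled in Step 4 makes that a one-line addition, so treat that check as this example’s own assumption. It needs only POSIX sh and awk and returns the number of findings.

```shell
#!/bin/sh
# Lint an Apache SSL virtual-host file for the TLS hardening used on this page.
# Added example, not from the original page. Prints one line per finding and
# returns the number of findings (0 = clean). Requires only POSIX sh and awk.
# Assumption: an HSTS header is expected as well, which the page itself does not set.

# lint_ssl_vhost FILE
lint_ssl_vhost() {
  awk '
    BEGIN { findings = 0 }
    /^[ \t]*#/ { next }                       # skip comment lines
    {
      d = tolower($1)                         # directive name, case-insensitive
      if (d == "sslengine"         && tolower($2) == "on")           have_engine   = 1
      if (d == "sslcompression"    && tolower($2) == "off")          have_comp     = 1
      if (d == "sslusestapling"    && tolower($2) == "on")           have_stapling = 1
      if (d == "sslopensslconfcmd" && tolower($2) == "dhparameters") have_dh       = 1
      if (d == "header" && tolower($0) ~ /strict-transport-security/) have_hsts   = 1
      if (d == "sslprotocol") {
        have_proto = 1
        # Replay the token list the way mod_ssl does: "all" enables every
        # version, "+X" adds one, "-X" removes one, "-all" clears, bare "X" adds.
        split("", allowed)
        for (i = 2; i <= NF; i++) {
          t = tolower($i)
          if (t == "all" || t == "+all") {
            allowed["sslv3"] = 1; allowed["tlsv1"] = 1; allowed["tlsv1.1"] = 1
            allowed["tlsv1.2"] = 1; allowed["tlsv1.3"] = 1
          } else if (t == "-all") {
            split("", allowed)
          } else if (substr(t, 1, 1) == "-") {
            delete allowed[substr(t, 2)]
          } else if (substr(t, 1, 1) == "+") {
            allowed[substr(t, 2)] = 1
          } else {
            allowed[t] = 1
          }
        }
        # Report in a fixed order so the output is deterministic.
        if ("sslv3"   in allowed) { print "WEAK: SSLProtocol still allows SSLv3";   findings++ }
        if ("tlsv1"   in allowed) { print "WEAK: SSLProtocol still allows TLSv1";   findings++ }
        if ("tlsv1.1" in allowed) { print "WEAK: SSLProtocol still allows TLSv1.1"; findings++ }
      }
    }
    END {
      if (!have_engine)   { print "MISSING: SSLEngine On"; findings++ }
      if (!have_proto)    { print "MISSING: SSLProtocol (mod_ssl default still allows TLSv1/TLSv1.1)"; findings++ }
      if (!have_comp)     { print "MISSING: SSLCompression off (CRIME)"; findings++ }
      if (!have_stapling) { print "MISSING: SSLUseStapling on"; findings++ }
      if (!have_dh)       { print "MISSING: SSLOpenSSLConfCmd DHParameters (dhparam.pem)"; findings++ }
      if (!have_hsts)     { print "MISSING: Header always set Strict-Transport-Security (assumed policy)"; findings++ }
      exit findings
    }' "$1"
}

# Usage: sh lint-ssl-vhost.sh /etc/apache2/sites-available/YOURDOMAIN.conf
if [ $# -gt 0 ]; then
  lint_ssl_vhost "$1"
fi
```

The exit status is the finding count, so the script drops straight into a deploy pipeline or a cron check; it reads the file as text and does not evaluate Include directives, so point it at the file that actually carries the SSL directives.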

Let’s Encrypt certificates are valid for 90 days, so set up automatic renewal by adding a root cron job that runs the renewal process:

sudo crontab -e

Then add the line below and save.

0 1 * * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload apache2" > /dev/null 2>&1

certbot renew checks every certificate it manages and only renews those within 30 days of expiry, so running it daily costs nothing. Two details matter here. The webroot plugin does not reload Apache2 by itself, so without the --deploy-hook (Certbot 0.17 or later; older releases can use --post-hook instead) Apache2 would keep serving the old certificate until its next restart, even though a fresh one sits in /etc/letsencrypt/live/. And the Debian/Ubuntu certbot package normally ships its own renewal job (/etc/cron.d/certbot or a systemd timer), which is harmless to keep alongside this one because renew does nothing when no certificate is due.

To test the renewal process without actually renewing anything, use the --dry-run switch, which runs against Let’s Encrypt’s staging environment:

sudo certbot renew --dry-run

That’s it! Congratulations! You have successfully configured Apache2 for free Let’s Encrypt SSL/TLS certificates on Ubuntu 16.04 / 18.04.

