Setup Apache2 HTTP Server with Let’s Encrypt Free SSL Certificates on Ubuntu 16.04 / 18.04 / 18.10

For students and new users who want to set up an Apache2 HTTP server with Let’s Encrypt free SSL certificates, the steps below should be a great place to start.

Let’s Encrypt is a Certificate Authority (CA) that provides free SSL/TLS certificates to anyone who owns a valid domain or website. This brief tutorial shows students and new users how to configure an Apache2 VirtualHost file to use the free certificates provided by the Let’s Encrypt CA.

Let’s Encrypt also provides a tool that automates this process on Linux systems. With the client, it’s easy to obtain, renew and manage the certificates. This process has gotten so good that the entire process can be automated with the Apache2 web server.

To set up Apache2 websites to use Let’s Encrypt free SSL/TLS certificates, follow the steps below:

Step 1: Prerequisites

Before installing and configuring Let’s Encrypt free SSL certificates, make sure your DNS settings are correct and your server is reachable by both IP address and domain name. You may also want to enter the records below in your DNS panel for good measure.

Make sure your domain is pointing to your server IP address in the DNS panel:

example.com  points to  your server IP address   

Create a CAA record that allows Let’s Encrypt to issue certificates for your domain name. To do that, add the record as shown below:

example.com. IN CAA 0 issue "letsencrypt.org"

You can also use iodef to have Let’s Encrypt report malicious certificate issuance requests to the contact address below:

example.com. IN CAA 0 iodef "mailto:admin@example.com"
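
To confirm that the published CAA records really permit Let’s Encrypt before requesting a certificate, the following added example (not part of the original tutorial) evaluates records given in the format printed by dig +short CAA example.com. It looks only at the records it is given and at non-wildcard issuance; it does not climb to parent domains, and treating issue, issuewild and iodef as the only understood tags is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# caa_allows CA: reads CAA records on stdin, one per line, in the format
# printed by "dig +short CAA example.com", e.g.:  0 issue "letsencrypt.org"
# Returns 0 if CA may issue a (non-wildcard) certificate, 1 if it may not.
caa_allows() {
    awk -v ca="$1" '
        BEGIN { ca = tolower(ca) }
        NF < 3 { next }                       # skip blank or malformed lines
        {
            flags = $1 + 0
            tag = tolower($2)
            val = $3
            for (i = 4; i <= NF; i++) val = val " " $i
            gsub(/"/, "", val)                # drop the surrounding quotes
            sub(/;.*/, "", val)               # drop CA parameters after ";"
            gsub(/[ \t]/, "", val)
            val = tolower(val)
        }
        tag == "issue" { restricted = 1; if (val == ca) allowed = 1; next }
        tag == "issuewild" || tag == "iodef" { next }
        # Unknown tag with the critical bit (128) set: a CA must refuse to issue.
        flags >= 128 { blocked = 1 }
        END {
            if (blocked) exit 1
            # No "issue" record at all means issuance is not restricted.
            if (restricted && !allowed) exit 1
            exit 0
        }'
}

# Typical use against live DNS (needs network access):
#   dig +short CAA example.com | caa_allows letsencrypt.org && echo "CAA permits issuance"
```

A record of the form issue ";" forbids every CA, so the check fails for it as well.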

Step 2: Setup Apache2 Virtual Host

Now that your domain is set up and ready, configure the Apache2 HTTP server so that the Let’s Encrypt tool can configure the certificates.

If you haven’t installed Apache2, the commands below can do that for you:

sudo apt update
sudo apt install apache2

After installing Apache2, create a virtual host for your website configurations and make sure it contains the domain names you want to obtain the free SSL/TLS certificates for.

sudo nano /etc/apache2/sites-available/example.com.conf

The file should contain ServerName and ServerAlias lines defining your domain names.

<VirtualHost *:80>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/example.com/
     ServerName example.com
     ServerAlias www.example.com

     <Directory /var/www/html/example.com/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Save the file and close out.

Step 3: Install Let’s Encrypt Apache Client

To get Let’s Encrypt free SSL/TLS certificates on your Ubuntu machine, you should first install its client. The client helps automate the process for you. To install it, run the command below.

sudo apt-get install python-certbot-apache

After that, run the command below to obtain your free Let’s Encrypt SSL/TLS certificate for your site.

sudo certbot --apache --agree-tos --email admin@example.com --redirect --hsts -d example.com -d www.example.com

The command options above are explained below:

  • --apache: Use the Apache2 Let’s Encrypt installer
  • --agree-tos: Agree to Let’s Encrypt terms of service
  • --redirect: Adds 301 redirect.
  • --email: Contact email address.
  • --hsts: Adds the Strict-Transport-Security header to every HTTP response.
  • -d: Followed by the domains you want to secure.

After that, the SSL client should install the cert and configure your website to redirect all traffic over HTTPS.

Congratulations! You have successfully enabled https://example.com and
https://www.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-02-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The Rewrite block at the end of the virtual host below should be added to your website configuration file automatically by Let’s Encrypt certbot. Your site should be ready to be used over HTTPS.

<VirtualHost *:80>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/example.com/
     ServerName example.com
     ServerAlias www.example.com

     <Directory /var/www/html/example.com/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

     RewriteEngine on
     RewriteCond %{SERVER_NAME} =example.com [OR]
     RewriteCond %{SERVER_NAME} =www.example.com
     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

A new configuration file for the domain, named /etc/apache2/sites-available/example.com-le-ssl.conf, should also be created. This is the Apache2 SSL module configuration file and should contain the certificate definitions.

<IfModule mod_ssl.c>
<VirtualHost *:443>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/example.com/
     ServerName example.com
     ServerAlias www.example.com

     <Directory /var/www/html/example.com/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

     SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
     Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Your setup is done. However, the certificates expire, and until renewal is automated you’ll have to renew them manually. You’ll get an email reminder to renew when the certificates are about to expire. To test the renewal process, run the command below.

sudo certbot renew --dry-run

To set up a process to automatically renew the certificates, add a cron job to execute the renewal process.

sudo crontab -e

Then add the line below and save.

0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1

The cron job runs every day at 1:00 AM, and certbot renews only the certificates that are within 30 days of expiring.
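
Because the cron line discards all output, a failing renewal goes unnoticed until the reminder email or an expired certificate. The following added example (not part of the original tutorial or of certbot) uses openssl x509 -checkend to flag any certificate under /etc/letsencrypt/live that is inside the 30-day renewal window or already expired; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial.

# Print ok | renewal-due | expired-or-unreadable | missing for one certificate.
# Returns 0 for ok, 1 for renewal-due, 2 for the other two states.
cert_status() {
    cert="$1"; days="${2:-30}"
    [ -r "$cert" ] || { echo "missing"; return 2; }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired-or-unreadable"; return 2
    fi
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo "ok"; return 0
    fi
    echo "renewal-due"; return 1
}

# Check every lineage under a certbot "live" directory; return the worst status.
check_live_dir() {
    live="${1:-/etc/letsencrypt/live}"; window="${2:-30}"; worst=0
    for chain in "$live"/*/fullchain.pem; do
        [ -e "$chain" ] || continue           # glob matched nothing
        rc=0
        state=$(cert_status "$chain" "$window") || rc=$?
        echo "$(basename "$(dirname "$chain")"): $state"
        [ "$rc" -le "$worst" ] || worst=$rc
    done
    return "$worst"
}

# Run as root, for example: sh check-certs.sh /etc/letsencrypt/live 30
if [ $# -gt 0 ]; then check_live_dir "$@"; fi
```

With the daily job working, a certificate should not stay in the renewal-due state for more than about a day, so a repeated renewal-due result points at a failing renewal.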
