Setup Apache2 HTTP Server with Let’s Encrypt Free SSL Certificates on Ubuntu 16.04 | 18.04 | 18.10

For students and new users who want to set up an Apache2 HTTP server with Let’s Encrypt free SSL certificates, the steps below should be a great place to start.
Let’s Encrypt is a Certificate Authority (CA) that provides free SSL/TLS certificates to anyone who owns a valid domain or website. This brief tutorial shows students and new users how to configure an Apache2 VirtualHost file to use the free certificates provided by the Let’s Encrypt CA.
Let’s Encrypt also provides a tool that automates this process on Linux systems. With the client, it’s easy to obtain, renew and manage the certificates. This process has gotten so good that the entire process can be automated with the Apache2 web server.
To set up Apache2 websites to use Let’s Encrypt free SSL/TLS certificates, follow the steps below:
Step 1: Prerequisites
Before installing and configuring Let’s Encrypt free SSL certificates, please make sure your DNS settings are good and your server is reachable via both its IP address and its domain name. You may also want to enter the records below in your DNS panel for good measure.
Make sure your domain is pointing to your server IP address in the DNS panel:
example.com points to your server IP address
Create a CAA record which allows Let’s Encrypt to issue certificates for your domain name. To do that, add the record as shown below:
example.com. IN CAA 0 issue "letsencrypt.org"
You can also add an iodef record so that Let’s Encrypt reports malicious certificate issuance requests to the contact address below:
example.com. IN CAA 0 iodef "mailto:admin@example.com"
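To confirm that the published CAA records actually let Let’s Encrypt issue, the check below evaluates a record set the way a CA does for a non-wildcard name. It is an added example, not part of the original tutorial; the function name caa_permits is hypothetical, and it assumes the input is the record set in `dig +short CAA` format for the domain whose policy applies.

```shell
#!/bin/sh
# Added example: does a CAA record set allow a given CA to issue
# (non-wildcard) certificates?
# stdin: records as printed by `dig +short CAA <domain>`:
#     <flags> <tag> "<value>"
# usage: dig +short CAA example.com | caa_permits letsencrypt.org
caa_permits() {
    awk -v ca="$1" '
        tolower($2) == "issue" {
            seen = 1                   # at least one issue record exists
            val = $0
            sub(/^[^"]*"/, "", val)    # drop everything up to the opening quote
            sub(/".*$/, "", val)       # drop the closing quote
            sub(/;.*$/, "", val)       # drop parameters after ";"
            gsub(/[ \t]/, "", val)
            if (tolower(val) == tolower(ca)) ok = 1
        }
        END {
            # No issue records (for example only iodef): issuance is unrestricted.
            # Otherwise the CA must be named by one of them; issue ";" names nobody.
            if (!seen || ok) exit 0
            exit 1
        }'
}

# Constructed sample: the two records from this step.
sample='0 issue "letsencrypt.org"
0 iodef "mailto:admin@example.com"'
if printf '%s\n' "$sample" | caa_permits letsencrypt.org; then
    echo "CAA allows letsencrypt.org to issue"
else
    echo "CAA does NOT allow letsencrypt.org to issue"
fi
```

Run it against the live zone before requesting the certificate; a record set that names only another CA, or `issue ";"`, makes the function fail and would make the certificate request fail too.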
Step 2: Setup Apache2 Virtual Host
Now that your domain is set up and ready, configure the Apache2 HTTP server so that the Let’s Encrypt tool can configure the certificates.
If you haven’t installed Apache2, the commands below can do that for you:
sudo apt update
sudo apt install apache2
After installing Apache2, create a virtual host for your website configurations and make sure it contains the domain names you want to obtain the free SSL/TLS certificates for.
sudo nano /etc/apache2/sites-available/example.com.conf
The file should contain lines defining your domain name (ServerName and ServerAlias below).
<VirtualHost *:80>
    ServerAdmin admin@example.com
    DocumentRoot /var/www/html/example.com/
    ServerName example.com
    ServerAlias www.example.com
    <Directory /var/www/html/example.com/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Save the file and close out.
Step 3: Install Let’s Encrypt Apache Client
To get Let’s Encrypt free SSL/TLS certificates on your Ubuntu machine, you should first install its client. The client helps automate the process for you. To install it, run the command below.
sudo apt-get install python-certbot-apache
After that run the commands below to obtain your free Let’s Encrypt SSL/TLS certificate for your site.
sudo certbot --apache --agree-tos --email admin@example.com --redirect --hsts -d example.com -d www.example.com
The command options above are explained below:
- --apache: Use the Apache2 Let’s Encrypt installer.
- --agree-tos: Agree to Let’s Encrypt terms of service.
- --redirect: Adds 301 redirect.
- --email: Contact email address.
- --hsts: Adds the Strict-Transport-Security header to every HTTP response.
- -d: Followed by the domains you want to secure.
After that, the SSL client should install the cert and configure your website to redirect all traffic over HTTPS.
Congratulations! You have successfully enabled https://example.com and
https://www.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-02-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Certbot should automatically add the rewrite rules at the end of the block below (the RewriteEngine, RewriteCond and RewriteRule lines) to your website configuration file. Your site should then be ready to be used over HTTPS.
<VirtualHost *:80>
    ServerAdmin admin@example.com
    DocumentRoot /var/www/html/example.com/
    ServerName example.com
    ServerAlias www.example.com
    <Directory /var/www/html/example.com/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.com [OR]
    RewriteCond %{SERVER_NAME} =www.example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
A new configuration file for the domain should also be created, named /etc/apache2/sites-available/example.com-le-ssl.conf. This is the Apache2 SSL module configuration file, and it should contain the certificate definitions.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin admin@example.com
    DocumentRoot /var/www/html/example.com/
    ServerName example.com
    ServerAlias www.example.com
    <Directory /var/www/html/example.com/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
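To confirm that the --redirect and --hsts options took effect, the two checks below inspect the response headers of the port 80 and port 443 virtual hosts. This is an added example, not part of the original tutorial; the function names are hypothetical and the sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: verify the redirect and the HSTS header from raw response
# headers on stdin, e.g.:
#   curl -sI http://example.com/  | check_redirect example.com
#   curl -sI https://example.com/ | hsts_max_age

# Succeeds only if the response is a 301 whose Location is https://<host>/...
# The trailing "/" in the comparison rejects look-alike hosts such as
# example.com.other.test.
check_redirect() {
    tr -d '\r' | awk -v host="$1" '
        NR == 1 && $2 == "301"     { status = 1 }
        tolower($1) == "location:" { if (index($2, "https://" host "/") == 1) loc = 1 }
        END                        { exit !(status && loc) }'
}

# Prints the HSTS max-age in seconds; fails if the header is missing.
# Header names are matched case-insensitively (HTTP/2 sends them lowercase).
hsts_max_age() {
    tr -d '\r' | awk '
        { line = tolower($0) }
        line ~ /^strict-transport-security:/ && match(line, /max-age=[0-9]+/) {
            print substr(line, RSTART + 8, RLENGTH - 8); found = 1; exit
        }
        END { exit !found }'
}

# Constructed sample responses.
http_resp='HTTP/1.1 301 Moved Permanently
Location: https://example.com/
'
https_resp='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
'
printf '%s' "$http_resp" | check_redirect example.com && echo "redirect: ok"
age=$(printf '%s' "$https_resp" | hsts_max_age) && echo "hsts max-age: $age"
```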
Your setup is done. However, you’ll always have to manually renew the certificates. You’ll get an email reminder to renew when the certificates are about to expire. To test the renewal process, run the command below.
sudo certbot renew --dry-run
To setup a process to automatically renew the certificates, add a cron job to execute the renewal process.
sudo crontab -e
Then add the line below and save.
0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1
The cron job runs every day at 01:00. Certbot only attempts to renew certificates that are within 30 days of expiring.