Setup Apache2 with HTTP/2 and Let’s Encrypt SSL Certificates on Ubuntu 17.04 / 17.10

Major web servers like Apache2, Nginx and others are beginning to include HTTP/2 (HTTP version 2) support in their builds, making the protocol readily available. HTTP/2 is the newer version of HTTP/1, which has been the default protocol since it was standardized way back in 1999.

The default Apache2 version in Ubuntu repositories doesn’t come with HTTP/2 support – at least not yet. In order to support HTTP/2 with Apache2 on Ubuntu today, you must upgrade Apache2 to an unsupported (but stable) version on Ubuntu.

This brief tutorial is going to show students and new users how to set up Apache2 with HTTP/2 and Let’s Encrypt SSL certificates.

Some of the key benefits of HTTP/2 are:

  • Single, persistent connection
  • Multiplexing
  • Header compression
  • Resource prioritization
  • Secure transport layer

So, as you can see, there are great benefits for those who upgrade to HTTP/2.

HTTP/2 only works with a web server that has SSL/TLS enabled, so to get HTTP/2 working you must first install and enable SSL/TLS certificates. Follow the steps below to install the latest Apache2 version and get Let’s Encrypt installed and configured.

Step 1: Install Apache2 with HTTP/2 Support

Since the supported version of Apache2 that comes with Ubuntu doesn’t support HTTP/2, you must install Apache2 from a third-party source. To do that, run the command below to add the third-party repository to Ubuntu.

sudo add-apt-repository ppa:ondrej/apache2

Then update the package lists and install Apache2:

sudo apt update
sudo apt install apache2

Now that the latest Apache2 is installed, run the command below to enable the HTTP/2 module. HTTP/2 support is enabled from Apache2 2.4.24 and up.

sudo a2enmod http2

Step 2: Obtain and Configure Let’s Encrypt SSL Certificates

Now that the Apache2 configuration is done, continue below to get Let’s Encrypt installed and configured. Let’s Encrypt now provides an Apache2 module to automate this process. To get the client/module installed on Ubuntu, run the command below:

sudo apt-get install python-certbot-apache

After that, run the command below to obtain your free Let’s Encrypt SSL/TLS certificate for your site.

sudo certbot --apache -m admin@example.com -d example.com -d www.example.com

After running the above commands, you should get prompted to accept the licensing terms. If everything is checked, the client should automatically install the free SSL/TLS certificate and configure the Apache2 site to use the certs.

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

Choose Yes (Y) to share your email address.

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

This is how easy it is to obtain your free SSL/TLS certificate for your Apache2-powered website.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Pick option 2 to redirect all traffic over HTTPS. This is important!

After that, the SSL client should install the cert and configure your website to redirect all traffic over HTTPS.

Congratulations! You have successfully enabled https://example.com and
https://www.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-02-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Certbot should automatically add the rewrite lines (RewriteEngine, RewriteCond and RewriteRule) shown in the block below to your Apache2 site configuration file. Your site is ready to be used over HTTPS.

<VirtualHost *:80>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/example.com/
     ServerName example.com
     ServerAlias www.example.com

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

     RewriteEngine on
     RewriteCond %{SERVER_NAME} =example.com [OR]
     RewriteCond %{SERVER_NAME} =www.example.com
     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Certbot should also create a new configuration file for the domain, named /etc/apache2/sites-available/example-le-ssl.conf. This is the site’s Apache2 SSL module configuration file, and it should contain the certificate definitions.

<IfModule mod_ssl.c>
  <VirtualHost *:443>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/example.com/
     ServerName example.com
     ServerAlias www.example.com

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

     SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
     Include /etc/letsencrypt/options-ssl-apache.conf
  </VirtualHost>
</IfModule>

Step 3: Enable HTTP/2 on Apache2 Sites

With Let’s Encrypt configured and the HTTP/2 module enabled, add the line shown below to the Apache2 global configuration file to enable HTTP/2 on all sites.

sudo nano /etc/apache2/apache2.conf

Then add the line below anywhere in the file and save. After Apache2 is restarted, HTTP/2 will be enabled on all sites.

Protocols h2 http/1.1

If you don’t want to enable it for all sites, add the line above to the site-specific SSL config file instead.

<IfModule mod_ssl.c>
   <VirtualHost *:443>
      ServerAdmin admin@example.com
      DocumentRoot /var/www/html/example.com/
      ServerName example.com
      Protocols h2 http/1.1
      ServerAlias www.example.com
.........
.........

Save and restart Apache2.

sudo systemctl restart apache2.service

Now you should have Apache2 HTTP/2 support.
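As an added check that is not part of the original tutorial, the script below reads Apache2 configuration files and confirms what the three steps set up: a Protocols line offering h2 (server-wide or in the port 443 virtual host), an HTTPS redirect in the port 80 virtual host, and certificate and key paths in the port 443 virtual host. The function names scope_has and audit_http2_tls and the sample file are constructed for illustration.

```shell
# Added example, not part of the original tutorial. It only reads config text.

# scope_has SCOPE REGEX FILE... : SCOPE is "global" (outside any <VirtualHost>)
# or a port such as 443. True if a non-comment line in that scope matches REGEX.
scope_has() {
    scope=$1; regex=$2; shift 2
    awk -v want="$scope" -v re="$regex" '
        FNR == 1 { cur = "global" }            # every file starts in global scope
        /^[ \t]*#/ { next }                    # ignore comment lines
        { line = tolower($0) " " }             # trailing space eases word matching
        line ~ /<virtualhost[ \t]/ {           # "<virtualhost *:443>" -> cur = "443"
            cur = line; sub(/.*:/, "", cur); sub(/[^0-9].*/, "", cur); next
        }
        line ~ /<\/virtualhost>/ { cur = "global"; next }
        cur == want && line ~ re { found = 1 }
        END { exit !found }
    ' "$@"
}

# audit_http2_tls FILE... : prints one line per problem, returns the problem count.
audit_http2_tls() {
    fails=0
    h2='^[ \t]*protocols[ \t](.*[ \t])?h2[ \t]'    # "h2c" alone must not match
    { scope_has global "$h2" "$@" || scope_has 443 "$h2" "$@"; } ||
        { echo "FAIL: no Protocols line offering h2"; fails=$((fails + 1)); }
    scope_has 80 '^[ \t]*rewriterule[ \t].*https://' "$@" ||
        { echo "FAIL: port 80 vhost does not redirect to https://"; fails=$((fails + 1)); }
    { scope_has 443 '^[ \t]*sslcertificatefile[ \t]' "$@" &&
      scope_has 443 '^[ \t]*sslcertificatekeyfile[ \t]' "$@"; } ||
        { echo "FAIL: port 443 vhost lacks a certificate or key path"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample: the two vhosts from this page, before Step 3 is applied.
demo=$(mktemp -d)
cat > "$demo/site.conf" <<'EOF'
<VirtualHost *:80>
     ServerName example.com
     RewriteEngine on
     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
     ServerName example.com
     SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
EOF
audit_http2_tls "$demo/site.conf" || echo "problems found: $?"
```

On the server, pass it /etc/apache2/apache2.conf together with the files in /etc/apache2/sites-enabled/.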

Congratulations! You’ve successfully set up Apache2 with HTTP/2 and Let’s Encrypt support.

Enjoy!

To set up a process to automatically renew the certificates, add a cron job to execute the renewal process.

sudo crontab -e

Then add the line below and save.

0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1

The cron job runs every day at 01:00. Certbot only renews certificates that are within 30 days of expiring.
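The cron job runs unattended with its output discarded, so a renewal that keeps failing goes unnoticed until the certificate expires. The script below is an added example, not part of the original tutorial: it uses openssl x509 -checkend to flag a certificate that has fewer days left than a working renewal job would allow. The 20-day threshold, the function names and the self-signed demo certificates are assumptions.

```shell
# Added example, not from the original tutorial. Thresholds are assumptions.

# days_left_at_least PEM DAYS: true if the certificate is still valid DAYS from now.
days_left_at_least() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_renewal PEM: monitoring-style result (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).
# certbot renews once fewer than 30 days remain, so a certificate with fewer
# than 20 days left means the nightly job has been failing for about 10 days.
check_renewal() {
    pem=$1
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "UNKNOWN: $pem is missing or not a certificate"; return 3
    elif ! days_left_at_least "$pem" 0; then
        echo "CRITICAL: $pem has expired"; return 2
    elif ! days_left_at_least "$pem" 20; then
        echo "WARNING: $pem expires in under 20 days, check certbot renew"; return 1
    fi
    echo "OK: $pem is inside its normal renewal cycle"; return 0
}

# make_test_cert OUT DAYS: constructed self-signed certificate, for the demo only.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -days "$2" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

work=$(mktemp -d)
make_test_cert "$work/fresh.pem" 90     # stands in for a freshly issued certificate
make_test_cert "$work/stale.pem" 10     # stands in for one whose renewal keeps failing
check_renewal "$work/fresh.pem" || true
check_renewal "$work/stale.pem" || true
# On the server: check_renewal /etc/letsencrypt/live/example.com/fullchain.pem
```

Run it from a separate cron entry or monitoring agent whose output is delivered to someone, since the renewal job itself stays silent.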
