How To Secure Apache with Let’s Encrypt on Ubuntu

Let’s Encrypt is a Certificate Authority (CA) that offers a straightforward way to obtain and install free TLS/SSL certificates, enabling encrypted HTTPS communication. Its client, Certbot, automates most, if not all, of the steps involved; certificate acquisition and installation are currently fully automated for both Apache and Nginx. This article walks through that process for Apache on Ubuntu.

This guide shows how to use Certbot to obtain a free SSL certificate for Apache on Ubuntu/Debian systems and how to configure the certificate for automatic renewal.

This guide emphasizes the use of a separate virtual host file for Apache, rather than relying on the default configuration file. Creating new Apache virtual host files for each domain is highly recommended. This practice minimizes the risk of widespread errors and preserves the default files as a reliable fallback configuration.

If you prefer a manual certificate installation approach, you can consult Setup Let’s Encrypt SSL on Ubuntu.

Prerequisites

Before you start, make sure the following prerequisites are in place:

  • An Ubuntu server (this guide is applicable to Debian as well).
  • Apache installed and configured.
  • A registered domain name pointing to your server’s public IP address.
  • ufw firewall configured.

Step 1 – Installing Certbot With Snap

Snaps provide a convenient packaging system compatible with major Linux distributions, including Ubuntu, Linux Mint, Debian, and Fedora.

Snap is pre-installed on Ubuntu 16 and later versions. To make sure you have the latest version of snapd, run the following from the command line:

$ sudo snap install core; sudo snap refresh core

To install Certbot, use the following command on the machine’s command line:

$ sudo snap install --classic certbot
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

This creates a symbolic link, making certbot accessible from the /usr/bin directory.

Step 2 – Set Up the SSL Certificate

Certbot is designed to automatically locate the appropriate virtual host within your Apache configuration to facilitate SSL configuration. This is achieved by identifying a ServerName directive that corresponds to the domain for which you are requesting a certificate.

You should already have a VirtualHost block defined for your domain in /etc/apache2/sites-available/your_domain.conf, with the ServerName directive correctly configured.

To verify this, open your domain’s virtual host file using nano or your preferred text editor:

$ sudo nano /etc/apache2/sites-available/your_domain.conf

Locate the existing ServerName line. It will resemble the following, but with your actual domain name instead of your_domain:

...
ServerName your_domain
...

If the ServerName directive is missing or incorrect, update it to reflect your domain name. Save the file and then verify the configuration syntax:

$ sudo apache2ctl configtest

If there are no syntax errors, you should see the following output:

Output:
Syntax OK

If you encounter an error, reopen the virtual host file and carefully check for typos or missing characters. Once the configuration syntax is correct, restart Apache to apply the new configuration:

$ sudo systemctl restart apache2

Certbot can now accurately identify the correct VirtualHost block and apply the necessary updates.
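As an added pre-flight check (example code, not part of the original tutorial or of Certbot), the script below parses a constructed Apache virtual-host file and reports, for each domain you would pass to certbot -d, whether some VirtualHost names it in ServerName or ServerAlias. It also flags a trailing ';' copied from Nginx syntax: Apache keeps the ';' as part of the hostname, so configtest still reports Syntax OK but the domain never matches. The file contents, domain names and function names are assumptions.

```python
import re

# Constructed sample vhost file: one correct block, and one whose ServerName
# carries a stray Nginx-style ';' (placeholder domains, not real hosts).
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName your_domain
    ServerAlias www.your_domain
    DocumentRoot /var/www/your_domain
</VirtualHost>
<VirtualHost *:80>
    ServerName other.example;
</VirtualHost>
"""

_BLOCK = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
_NAME = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.M | re.I)

def parse_vhosts(conf: str):
    """One dict per <VirtualHost>: its address, the names it answers for, and
    any name token ending in ';'. Apache stores the ';' as part of the name, so
    `apache2ctl configtest` passes but the block never matches the domain."""
    vhosts = []
    for addr, body in _BLOCK.findall(conf):
        names, suspicious = [], []
        for _directive, value in _NAME.findall(body):
            for token in value.split():
                if token.endswith(";"):
                    suspicious.append(token)
                else:
                    names.append(token)
        vhosts.append({"addr": addr.strip(), "names": names, "suspicious": suspicious})
    return vhosts

def find_vhost(conf: str, domain: str):
    """Return the block whose ServerName/ServerAlias names `domain` exactly."""
    for vh in parse_vhosts(conf):
        if domain.lower() in (n.lower() for n in vh["names"]):
            return vh
    return None

def preflight(conf: str, domains):
    """Summarise what `certbot --apache -d ...` would find in this config."""
    report = {"matched": [], "unmatched": [], "suspicious": []}
    for d in domains:
        report["matched" if find_vhost(conf, d) else "unmatched"].append(d)
    for vh in parse_vhosts(conf):
        report["suspicious"].extend(vh["suspicious"])
    return report
```

Run preflight(SAMPLE_CONF, ["your_domain", "www.your_domain", "other.example"]) against your own file's contents before invoking certbot; anything listed under "unmatched" or "suspicious" needs a ServerName fix first.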

Step 3 – Allow HTTPS Through the Firewall

If your ufw firewall is enabled, as recommended in the prerequisites, you need to adjust its rules to allow HTTPS traffic. Fortunately, ufw includes predefined profiles that simplify changing the rules for HTTP and HTTPS traffic.

To view the current firewall settings, execute the following command:

$ sudo ufw status

The output should resemble the following, indicating that only HTTP traffic is currently allowed to the web server:

Output:
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
WWW                        ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
WWW (v6)                   ALLOW       Anywhere (v6)

To allow HTTPS traffic, enable the "WWW Full" profile and remove the redundant "WWW" profile allowance:

$ sudo ufw allow 'WWW Full'
$ sudo ufw delete allow 'WWW'

The firewall status should now be similar to the following:

$ sudo ufw status
Output:
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
WWW Full                   ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
WWW Full (v6)              ALLOW       Anywhere (v6)

Step 4 – Obtain an SSL Certificate in Apache

Certbot offers multiple methods for obtaining SSL certificates through plugins. The Apache plugin automates the process of modifying the Apache configuration and reloading it when necessary. To use this plugin, execute the following command:

$ sudo certbot --apache -d your_domain -d www.your_domain

This command runs certbot with the --apache plugin and uses -d to specify the domain names for which the certificate should be valid.

If you are running certbot for the first time, you will be prompted to enter an email address and agree to the terms of service. You will also be asked whether you want to share your email address with the Electronic Frontier Foundation (EFF). You can choose to enter Y to share your email address or N if you prefer not to.

Once these initial steps are completed, certbot will communicate with the Let’s Encrypt server and perform a test to verify that you control the domain for which you are requesting a certificate.

If the verification is successful, certbot will ask you to choose how you want to configure your HTTPS settings:

Output:
Please choose whether to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect – Make no further changes to the webserver configuration.
2: Redirect – Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select the option that best suits your needs and press ENTER. The configuration will be updated automatically, and Apache will be reloaded to apply the chosen settings.

certbot will conclude with a message confirming the successful completion of the process and indicating where your certificates have been stored:

Output:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your cert will expire on 2019-10-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certificates have now been downloaded, installed, and loaded. Access your website using https://, and verify the security indicator in your browser. It should display a green lock icon, indicating that the site is securely protected. If you use the SSL Labs Server Test to evaluate your server, it should receive an "A" grade.

Step 5 – Verify the Auto-Renewal of Certbot

Let’s Encrypt certificates are valid for 90 days only, encouraging users to automate the certificate renewal process. The certbot package, installed earlier, handles this automatically by adding a renewal script to /etc/cron.d. This script runs twice daily and automatically renews any certificate that is within 30 days of expiration.

To test the renewal process, perform a dry run using certbot:

$ sudo certbot renew --dry-run

If you encounter no errors, you are all set. Certbot will ensure that your certificates are renewed and that Apache is reloaded with the updated settings when necessary. If the automated renewal process fails, Let’s Encrypt will send an email notification to warn you that your certificate is about to expire.

Conclusion

In this guide you installed the Let’s Encrypt client certbot, obtained SSL certificates for your domain, configured Apache to use them, and set up automatic certificate renewal. For further information on Certbot, consult the official documentation, which provides comprehensive details to get you started.

Alternative Solutions for Securing Apache with SSL

While Certbot offers a convenient and automated approach, alternative methods exist for securing Apache with SSL certificates on Ubuntu. Here are two such alternatives:

1. Manual Certificate Generation and Configuration

Instead of relying on Certbot’s automation, you can manually generate a Certificate Signing Request (CSR), obtain a certificate from a Certificate Authority (CA), and configure Apache to use the certificate. This method provides greater control over the process but requires more technical expertise.

Explanation:

  • Generating a CSR: A CSR is a file containing information about your domain and organization, which is required by a CA to issue a certificate. You can generate a CSR using OpenSSL.
  • Obtaining a Certificate: Once you have a CSR, you can submit it to a CA (either Let’s Encrypt via their API or a commercial CA) to obtain a signed certificate.
  • Configuring Apache: After obtaining the certificate and its associated private key, you need to configure your Apache virtual host to point to these files.

Code Example (Generating a CSR):

openssl req -new -newkey rsa:2048 -nodes -keyout your_domain.key -out your_domain.csr

This command generates a 2048-bit RSA private key (your_domain.key) and a CSR (your_domain.csr). You’ll be prompted for information such as your country, state, organization name, and common name (your domain name). Keep the your_domain.key file secure.

You would then submit the contents of your_domain.csr to a CA. Once you receive the certificate (e.g., your_domain.crt), you would configure your Apache virtual host file like this:

<VirtualHost *:443>
    ServerName your_domain

    SSLEngine on
    SSLCertificateFile /path/to/your_domain.crt
    SSLCertificateKeyFile /path/to/your_domain.key
    # Intermediate chain, if the CA provided one. Apache does not allow a comment
    # after a directive on the same line, so it goes here. Deprecated since Apache
    # 2.4.8: there you can instead append the intermediates to SSLCertificateFile.
    SSLCertificateChainFile /path/to/intermediate.crt

    # Other configurations...
</VirtualHost>

Remember to replace /path/to/your_domain.crt, /path/to/your_domain.key, and /path/to/intermediate.crt with the actual paths to your certificate, key, and intermediate certificate (if provided by the CA).

2. Using a Web Hosting Control Panel

Many web hosting control panels (e.g., cPanel, Plesk, DirectAdmin) provide built-in tools for obtaining and installing SSL certificates, often integrating with Let’s Encrypt or offering commercial SSL options.

Explanation:

Control panels simplify the process by providing a graphical interface for managing your web server. They often include features that automate the generation of CSRs, the submission of these CSRs to CAs, and the installation of the resulting certificates.

Example (Conceptual):

While specific steps vary depending on the control panel, the general process involves:

  1. Logging into your control panel.
  2. Navigating to the SSL/TLS section.
  3. Selecting the option to generate a new SSL certificate.
  4. Providing the necessary domain information.
  5. The control panel automatically generates a CSR and submits it to Let’s Encrypt or a commercial CA.
  6. Once the certificate is issued, the control panel automatically installs it on your server.

No specific code example is applicable here, as the interaction is primarily through the control panel’s graphical interface. The panel runs the underlying commands and configuration changes for you. This is often the easiest route for those unfamiliar with the command line.

Both alternative methods are valid ways of securing Apache with SSL. The choice depends on your technical skills, the level of control you want, and the tools available to you.