Using certificates from Let's Encrypt, you will be able to protect Apache2 web server with trusted SSL certificates for free.
Basically, Let's Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers.
It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps.
Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform related Let's Encrypt queries.
In this context, we shall look into how to install Apache HTTP server and use Let’s Encrypt to secure it
To install Apache2 and secure it with Let's free SSL Certificates, follow the steps below.
1. Get your Domain Name Ready
Let's Encrypt works with valid domain and a working server that the domain is pointing to.
This setup assumes that your domain name is called example.com and is pointing to your server with IP address, let's say '192.100.1.0'.
Don't forget to also make sure www CNAME is pointing to the domain name…. Should look like something below:
example.com A ==========> 192.100.1.0
www CNAME ==========> example.com
2. Install Apache2 HTTP Server
Now that you have a valid domain and pointing to the correct server IP address continue below to setting up Let's Encrypt.
i. First install Apache2 server.
To do that, run the commands below:
$ sudo apt update
$ sudo apt install apache2
ii. After installing Apache2, the commands below can be used to stop, start and enable Apache2 service to always start up with the server boots:
$ sudo systemctl stop apache2.service
$ sudo systemctl start apache2.service
$ sudo systemctl enable apache2.service
iii. To test Apache2 setup, open your browser and browse to the server hostname or IP address and you should see Apache2 default test page.
When you see that, then Apache2 is working as expected:
http://localhost
3. Configure Apache2 with Your Domain
Now that Apache2 is installed, go and configure it with your domain so that when users type your domain name, Apache2 server should respond.
i. To do that, create a basic HTML file in Apache2 root directory with a sample content below:
$ sudo mkdir /var/www/html/example.com
ii. Then inside the example.com folder, create a file called index.html with the content below:
$ sudo nano /var/www/html/example.com/index.html
Copy the content below into the file and save:
<!DOCTYPE html>
<html>
<head>
<title>Example.com Test Page</title>
</head>
<body>
<p>Success! Example.com is working</p>
</body>
</html>
iii. Save the file and exit.
iv. Next, run the commands below to give Apache2 user access to the directory:
$ sudo chown -R www-data: /var/www/html/example.com
v. When you're done, create Apache2 server block for the example.com domain.
To do that, run the commands below to create a new configuration file for example.com domain.
The file will be called example.com.conf:
$ sudo nano /etc/apache2/sites-available/example.com.conf
vi. Then copy and save the content below into the file and save:
<VirtualHost *:80>
ServerAdmin admin@example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example.com
ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
</VirtualHost>
vii. Save the file and exit
viii. Now the the example.com configuration file is created, run the commands below to enable it:
$ sudo a2ensite example.com.conf
The site should now be enabled and ready to use.
4. Install and Configure Let's Encrypt
Now that our Apache2 site is enabled and ready to use, run the commands below to install and configure Let's Encrypt to secure the Apache2 website.
i. First install Certbot.
Certbot is a fully featured and easy to use tool that can automate the tasks for obtaining and renewing Let's Encrypt SSL certificates.
To install it, run the commands below:
$ sudo apt install certbot
ii. After installing Certbot, create a file to for Let's Encrypt to the Webroot plugin to validate our domain in the ${webroot-path}/.well-known/acme-challenge directory.
To do that, create the directory and give Apache2 access to it:
$ sudo mkdir -p /var/lib/letsencrypt/.well-known
$ sudo chgrp www-data /var/lib/letsencrypt
$ sudo chmod g+s /var/lib/letsencrypt
iii. Next, create a well-known challenge file with the configurations below:
$ sudo nano /etc/apache2/conf-available/well-known.conf
iv. Then copy and paste the content below into the file and save:
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
AllowOverride None
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
v. Save the file and exit.
5. Obtain Your Free Certificate
At this point, your domain should be pointing to your server IP.
Apache2 HTTP server installed and configured and Certbot installed ready to obtain your certificate.
i. Before requesting your free certificate, open your example.com enable Apache2 configurations and modules by running the commands below.
The commands below enable Apache2 SSL, Headers, HTTPS/2 and the well-known configuration file we created above:
$ sudo a2enmod ssl
$ sudo a2enmod headers
$ sudo a2enmod http2
$ sudo a2enconf well-known
ii. After enabling the modules and config file above, restart Apache2 server.
To do that, run the commands below:
$ sudo systemctl restart apache2
iii. At this point all is set and you're ready to obtain your certificate.
To do that run the commands below:
$ sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
Let's Encrypt should connect validate your domain and server, then install the domain certificate.
If everything is successful, you should see a similar message as below:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-08-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
At this point you have a certificate, now go and add it to Apache2 configuration for example.com domain.
iv. First, let's generate a Diffie–Hellman key exchange (DH) certificate to securely exchange cryptographic keys.
To do that, run the commands below to generate a certificate with 2048 bit:
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
v. Next, open your example.com.conf config file and make it so that it looks similar to the one below:
$ sudo nano /etc/apache2/sites-available/example.com.conf
vi. Configure your file to look similar to the one below:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example.com
Protocols h2 http:/1.1
<If "%{HTTP_HOST} == 'www.example.com'">
Redirect permanent / https://example.com/
</If>
ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLUseStapling on
</VirtualHost>
vii. Next you will need to configure a server cache for the OCSP status information.
The best place for this would be in the Apache SSL configuration file:
$ sudo nano /etc/apache2/mods-available/ssl.conf
This file contains all the options that Apache uses for SSL.
viii. An additional option SSLStaplingCache, needs to be added to this file as below:
# Set the location of the SSL OCSP Stapling Cache
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
The SSLStaplingCache directive defines the location for the cache and a size value for the OCSP cache.
ix. Save your changes above and restart Apache2 for the settings above to take effect:
$ sudo systemctl restart apache2
x. To setup a process to automatically renew the certificates, add a cron job to execute the renewal process:
$ sudo crontab -e
xi. Then add the line below and save:
0 1 * * * /usr/bin/certbot renew & > /dev/null
The cron job will attempt to renew 30 days before expiring.
xii. To test the renewal process, you can use the certbot –dry-run switch:
$ sudo certbot renew --dry-run
This article covers method to Secure Apache with Let's Encrypt on Ubuntu 20.04. Let's Encrypt is a certificate authority created by the Internet Security Research Group (ISRG).
It provides free SSL certificates via a fully automated process designed to eliminate manual certificate creation, validation, installation, and renewal.
Certificates issued by Let's Encrypt are valid for 90 days from the issue date and trusted by all major browsers today.
To install Certbot on Ubuntu:
Certbot is a command-line tool that automates the tasks for obtaining and renewing Let’s Encrypt SSL certificates.
The certbot package is included in the default Ubuntu repositories.
Update the packages list and install certbot using the following commands:
$ sudo apt update
$ sudo apt install certbot
Before enabling the configuration files, make sure both mod_ssl and mod_headers are enabled by issuing:
$ sudo a2enmod ssl
$ sudo a2enmod headers
Next, enable the SSL configuration files by running the following commands:
$ sudo a2enconf letsencrypt
$ sudo a2enconf ssl-params
Enable the HTTP/2 module, which will make your sites faster and more robust:
$ sudo a2enmod http2
Reload the Apache configuration for changes to take effect:
$ sudo systemctl reload apache2