With Let's Encrypt you can get a free SSL certificate. Let's Encrypt is a Certificate Authority (CA) that provides a simple way to obtain, validate, install and renew free TLS/SSL certificates.
This process is simplified by means of a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our customers with Apache-related queries.
In this context, we shall look into how to obtain and install a free SSL certificate and secure Apache with Let's Encrypt on Ubuntu 18.04.
Before proceeding with this installation procedure, we need to ensure that the following requirements are met:
1. Install Certbot Client
The Certbot client is an easy-to-use tool for obtaining and renewing Let's Encrypt SSL certificates and configuring web servers to use them. The certbot package is available in the default Ubuntu repositories, so we will first install the Certbot client on the Ubuntu server. The --apache option used in step 3 also needs Certbot's Apache plugin package, python-certbot-apache, so install it at the same time.
Update the package list and install both packages with the following commands:
$ sudo apt update
$ sudo apt install certbot python-certbot-apache
Once it has finished, you can confirm the installation by checking the certbot version as below:
$ certbot --version
2. Configure Firewall
If a firewall is enabled on your system, it must allow HTTPS traffic before the SSL certificate can be configured, so you need to adjust the firewall rules to allow HTTPS. On Ubuntu, ufw comes with predefined application profiles that make it simple to change firewall rules.
You can check the current ufw rules by typing:
$ sudo ufw status
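If you can't see the "Apache Full" profile in the output, you can allow it with the commands below. The second command removes the "Apache" profile rule, which "Apache Full" makes redundant: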
$ sudo ufw allow 'Apache Full'
$ sudo ufw delete allow 'Apache'
Next, we are going to obtain an SSL certificate.
3. Get an SSL Certificate
You can obtain Let's Encrypt SSL certificates in several ways, using plugins.
Execute the following command to obtain an SSL certificate using the certbot client:
$ sudo certbot --apache -d example.com -d www.example.com
In the above command, we requested a certificate for both the example.com and www.example.com domains. If this is the first time you are installing a certificate, certbot will ask you to enter an email address and agree to the terms and conditions. The email address you enter will be used for sending email alerts related to SSL renewal and expiration.
After that, certbot will communicate with the Let's Encrypt server and run a challenge to verify that you are the owner of the domain for which you're requesting a certificate.
If validation passes, certbot will ask how you want to configure your HTTPS settings:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select the option you prefer and continue. Your virtual host will be updated based on the selected option, and Apache will be reloaded so that the new settings take effect.
Finally, your domain is secured with a Let's Encrypt SSL certificate. You can verify this by visiting your site over the HTTPS protocol.
4. Auto Renew Let's Encrypt SSL certificate
Let's Encrypt SSL certificates have a short lifetime of 90 days, so you need to renew them before they expire. You can use certbot's auto-renew facility to avoid SSL expiration. By default, the Certbot package creates a cron job script at /etc/cron.d which runs twice a day and automatically renews any certificate that is within 30 days of its expiration.
You can check the renewal process by typing:
$ sudo certbot renew --dry-run
If it does not throw any errors, then everything is okay.
From now on, Certbot will take care of your SSL expiration: it will renew your certificates and reload Apache to pick up the changes automatically.
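One way to confirm that the scheduled renewal described above keeps working, as an added example that is not part of the original article: a certificate with less than 30 days left means the renewal job has been failing. The function and state names are hypothetical, the sample certificates are constructed self-signed ones, and /etc/letsencrypt/live/<domain>/cert.pem is assumed to be where Certbot keeps the live certificate.

```bash
#!/usr/bin/env bash
# Added example (not from the article): flag certificates that certbot's
# scheduled renewal should already have replaced.

RENEW_WINDOW_DAYS=30   # the article: renewal happens 30 days before expiry

# cert_renewal_state <cert.pem> -> prints OK | RENEWAL_OVERDUE | EXPIRED | INVALID
# Exit status is 0 only for OK, so cron or a monitoring agent can alert on it.
cert_renewal_state() {
    local cert="$1" window=$((RENEW_WINDOW_DAYS * 86400))
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo INVALID; return 3
    fi
    # -checkend N succeeds only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED; return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
        echo RENEWAL_OVERDUE; return 1
    fi
    echo OK
}

# make_sample_cert <days> <out.pem>: constructed self-signed test certificate,
# standing in for /etc/letsencrypt/live/<domain>/cert.pem (assumed certbot path).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=example.com" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

demo() {
    local dir f
    dir=$(mktemp -d)
    make_sample_cert 90 "$dir/fresh.pem"    # just issued: full 90-day lifetime
    make_sample_cert 10 "$dir/stale.pem"    # renewal missed: only 10 days left
    for f in "$dir/fresh.pem" "$dir/stale.pem"; do
        printf '%s: %s\n' "$(basename "$f")" "$(cert_renewal_state "$f")"
    done
    rm -rf "$dir"
}
demo
```

Pointed at the live certificate from a daily cron entry, a non-zero exit status is the signal to run `sudo certbot renew --dry-run` and read its errors.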
This article covers how to install a Let's Encrypt SSL certificate on Ubuntu 18.04 by using Certbot. Enabling an encrypted connection to the web server is fundamental because it allows you to use the secure HTTPS protocol for your website. Let's Encrypt, a Certification Authority, issues a free certificate completely in line with the required security standards. Let's Encrypt simplifies the process of installing the security certificate, helping even less experienced users secure a website through the use of the Certbot client.
To install the Certbot client on Ubuntu:
1. First, add the Certbot repository:
$ sudo add-apt-repository ppa:certbot/certbot
You'll need to press ENTER to accept.
2. Install Certbot's Apache package with apt:
$ sudo apt install python-certbot-apache