This brief guide shows how to set up a Let’s Encrypt SSL certificate on Ubuntu Linux. If you are a beginner or new user who wants to install and set up a Let’s Encrypt SSL certificate with Apache on your Ubuntu Linux system, this short tutorial is for you.
Let’s Encrypt is a non-profit certificate authority that provides free SSL/TLS (Transport Layer Security) certificates. It is run and managed by the Internet Security Research Group (ISRG).
The SSL/TLS certificates issued by Let’s Encrypt are valid for only 90 days; you can renew them at any time, or set up an automated process that renews them for you.
In this brief tutorial, we are going to secure a website with a free Let’s Encrypt SSL certificate on the Apache web server.
Setup Let’s Encrypt SSL Certificate on Ubuntu Linux
When you are ready, follow the steps below to install and setup Let’s Encrypt SSL Certificate.
Step 1 : Install Certbot on Ubuntu Linux
To generate a certificate, you need to make sure Certbot is installed on your system. Certbot automates the tasks of obtaining and renewing Let’s Encrypt SSL certificates. To install it, run the commands below:
sudo apt update
sudo apt install certbot
Step 2 : Create well-known.conf File
Run the command below to create a config file called well-known.conf in the /etc/apache2/conf-available directory:
sudo nano /etc/apache2/conf-available/well-known.conf
Copy the content below and paste it into the file:
Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"
<Directory "/var/www/html/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
Save your changes and exit.
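Note that the Directory block above applies to the whole of /var/www/html/ and turns on Indexes, so every directory under the webroot without an index file gets a browsable listing, not just the challenge path. The script below is an added example and not part of the original guide: it writes a variant of well-known.conf that is scoped to the challenge directory only (Options None, Require all granted), creates that directory, and drops a constructed probe token so you can confirm the path is reachable over plain HTTP, the way Let’s Encrypt will fetch it, before running certbot. The file paths, the probe file name and the curl-based check are assumptions for this example.

```shell
#!/bin/sh
# Added example: pre-flight for the HTTP-01 challenge path (not from the guide).
# Paths mirror the guide's /var/www/html webroot; both can be overridden.

# write_wellknown_conf CONF WEBROOT
# Writes a well-known.conf that opens only the challenge directory itself.
# Unlike the guide's version it sets Options None, so nothing else under the
# webroot gains directory listings or content negotiation as a side effect.
write_wellknown_conf() {
    conf="$1"      # e.g. /etc/apache2/conf-available/well-known.conf
    webroot="$2"   # e.g. /var/www/html
    cat > "$conf" <<EOF
Alias /.well-known/acme-challenge/ "$webroot/.well-known/acme-challenge/"
<Directory "$webroot/.well-known/acme-challenge/">
    Options None
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# make_probe WEBROOT -> prints the path of a constructed probe token it created
# inside WEBROOT/.well-known/acme-challenge (the directory certbot writes to).
make_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf 'probe-%s\n' "$(date +%s)" > "$dir/preflight-probe"
    printf '%s\n' "$dir/preflight-probe"
}

# probe_via_http DOMAIN FILE -> exit 0 when the token is served unchanged over
# plain HTTP. -L follows redirects, as the Let's Encrypt validator does.
# Needs network access and a running Apache.
probe_via_http() {
    expected=$(cat "$2")
    got=$(curl -fsSL "http://$1/.well-known/acme-challenge/$(basename "$2")") || return 1
    [ "$got" = "$expected" ]
}

# Only run the live check when a domain is given, so that sourcing this file
# for its functions has no side effects.
if [ "$#" -ge 1 ]; then
    token=$(make_probe "${2:-/var/www/html}")
    if probe_via_http "$1" "$token"; then
        echo "OK: $1 serves the challenge path over HTTP"
    else
        echo "FAIL: $1 does not serve $token over HTTP" >&2
        exit 1
    fi
    rm -f "$token"
fi
```

Usage: `sh preflight.sh example.com /var/www/html` after Apache has been reloaded with the configuration enabled. A failure here is the same failure certbot would report later, just without consuming any of the Let’s Encrypt rate limits.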
Step 3 : Generate a DH (Diffie-Hellman) Group Key
To generate a DH (Diffie-Hellman) group key in the /etc/ssl/certs directory on Ubuntu, run the command below:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Step 4 : Generate Let’s Encrypt certificates on Ubuntu
Before generating certificates, you will need to enable the Apache modules for SSL, Headers and HTTP/2. To enable these modules, run the commands below:
sudo a2enmod ssl
sudo a2enmod headers
sudo a2enmod http2
After that, enable the well-known.conf configuration file that we created in the step above:
sudo a2enconf well-known.conf
Next, run the command below to reload Apache:
sudo systemctl reload apache2
Finally, run the command below to generate the Let’s Encrypt SSL certificate:
sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/www/html -d example.com -d www.example.com
Replace example.com with your own domain.
The command above will display a message similar to the one below:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2021-11-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
At this point, the Let’s Encrypt certificate has been generated successfully.
After adding the SSL settings to the Apache VirtualHost configuration file, it will look similar to the one below:
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    # HTTP/2 first, HTTP/1.1 as fallback (needs mod_http2, enabled above)
    Protocols h2 http/1.1
    <If "%{HTTP_HOST} == 'www.example.com'">
        Redirect permanent / https://example.com/
    </If>
    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCompression off
    # OCSP stapling also requires a server-level SSLStaplingCache directive,
    # placed outside any VirtualHost (e.g. in /etc/apache2/mods-available/ssl.conf):
    #   SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"
    SSLUseStapling on
    Header always set Strict-Transport-Security "max-age=63072000"
    <Directory /var/www/example.com/>
        Options FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
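Once the VirtualHost is enabled and Apache reloaded, two checks are worth scripting: how long the certificate on disk is still valid, and whether the running server actually presents that certificate (a forgotten reload after a renewal means the old certificate keeps being served until it expires). The script below is an added example, not part of the original guide; it uses the guide’s /etc/letsencrypt/live/<domain> layout and assumes openssl is installed. The live check additionally needs network access to the server; the expiry and fingerprint functions work on any PEM file.

```shell
#!/bin/sh
# Added example: verify the certificate on disk and the one Apache serves.
# Layout follows the guide (/etc/letsencrypt/live/<domain>/fullchain.pem).

# cert_valid_for_days FILE DAYS -> exit 0 if FILE does not expire within DAYS.
# openssl's -checkend takes seconds, so the day count is converted.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null
}

# cert_fingerprint FILE -> SHA-256 fingerprint of the first (leaf) certificate
# in FILE, e.g. "AB:CD:...", with the "Fingerprint=" label stripped.
cert_fingerprint() {
    openssl x509 -noout -in "$1" -fingerprint -sha256 | cut -d= -f2
}

# served_fingerprint HOST [PORT] -> fingerprint of the leaf certificate the
# server presents for HOST (sent as SNI, so name-based vhosts resolve).
served_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# served_matches_file HOST FILE -> exit 0 when the live server presents the
# same leaf certificate as FILE. A mismatch after "certbot renew" almost
# always means Apache was not reloaded.
served_matches_file() {
    [ "$(served_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Run both checks for the domain given on the command line.
if [ "$#" -ge 1 ]; then
    live="/etc/letsencrypt/live/$1"
    if cert_valid_for_days "$live/fullchain.pem" 30; then
        echo "OK: $1 certificate is valid for more than 30 days"
    else
        echo "WARN: $1 certificate expires within 30 days" >&2
    fi
    if served_matches_file "$1" "$live/fullchain.pem"; then
        echo "OK: Apache serves the certificate from $live"
    else
        echo "WARN: served certificate differs from $live/fullchain.pem (reload Apache?)" >&2
    fi
fi
```

Usage: `sh certcheck.sh example.com`. The 30-day threshold matches the point at which certbot itself starts renewing a 90-day certificate, so a WARN on the first check means the automatic renewal in step 5 is not doing its job.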
Step 5 : Automatically renew Let’s Encrypt certificates
Let’s Encrypt certificates expire after 90 days. To renew your certificates automatically, you will need to add a cron job to the root crontab. To open the crontab file, run the command below:
sudo crontab -e
And add the following line in the file:
0 12 * * * /usr/bin/certbot renew --quiet
Save the changes and exit.
After that, restart the cron service:
sudo service cron restart
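With the webroot method used in step 4, `certbot renew` replaces the files under /etc/letsencrypt/live but does not reload Apache, so the renewed certificate is not served until the next reload. Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ once after each successful renewal (the same command can also be given on the cron line with `--deploy-hook`). The hook below is an added example and not part of the original guide: it checks the Apache configuration first and only then reloads, so a broken config cannot take the site down during an unattended renewal. The file name and the log tag are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook (not from the guide).
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh, mode 755.

# reload_if_config_ok TEST_CMD RELOAD_CMD
# Runs TEST_CMD; only if it succeeds, runs RELOAD_CMD. Returns 0 when the
# reload ran, 2 when it was skipped because the config test failed, otherwise
# the reload command's own exit status. Both commands are passed as strings so
# the guard logic can be exercised with stand-ins outside a real server.
reload_if_config_ok() {
    if ! sh -c "$1"; then
        echo "config test failed; not reloading (previous certificate stays active)" >&2
        return 2
    fi
    sh -c "$2"
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS to deploy hooks; log them so renewals show up in syslog.
if [ -n "$RENEWED_LINEAGE" ]; then
    logger -t certbot-deploy "renewed ${RENEWED_DOMAINS:-?} in $RENEWED_LINEAGE; reloading apache2"
    reload_if_config_ok "apachectl configtest" "systemctl reload apache2"
fi
```

`sudo certbot renew --dry-run` exercises the renewal against the Let’s Encrypt staging environment without replacing the live certificate; deploy hooks are not run during a dry run by default, so the hook itself is easiest to test by running it once by hand with RENEWED_LINEAGE set.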
That’s all!
If you find any error or issue in the steps above, please use the comment box below to report it.