How to Setup Let’s Encrypt SSL Certificate on Ubuntu Linux with Apache


This brief guide shows how to set up a Let's Encrypt TLS certificate on Ubuntu Linux with Apache. If you are new to Ubuntu and want to obtain a free certificate from Let's Encrypt and configure Apache to serve HTTPS with it, the steps below cover the whole process from installing the client to automatic renewal.

Let's Encrypt is a non-profit certificate authority that issues free SSL/TLS (Transport Layer Security) certificates. It is run by the Internet Security Research Group (ISRG).

Certificates issued by Let's Encrypt are valid for only 90 days. You can renew them at any time, and the usual practice is to automate renewal so that an expired certificate never reaches your visitors.

In this tutorial we secure a website served by Apache with a free Let's Encrypt certificate, using Certbot's webroot plugin so that Apache's configuration stays under your control.


Setup Let’s Encrypt SSL Certificate on Ubuntu Linux

When you are ready, follow the steps below to install and setup Let’s Encrypt SSL Certificate.

Step 1 : Install Certbot on Ubuntu Linux

To obtain a certificate you need Certbot, the ACME client that automates requesting and renewing Let's Encrypt certificates. Install it from the Ubuntu repositories with the commands below. Note that the apt package can lag behind upstream; Let's Encrypt's own instructions for Ubuntu install Certbot as a snap instead. Either works for the steps below, but the path in the cron line in Step 5 must match the certbot binary you actually installed.

sudo apt update
sudo apt install certbot

Step 2 : Create well-known.conf File

Create a configuration file called well-known.conf in /etc/apache2/conf-available. It maps the ACME challenge URL to one fixed directory so that the HTTP-01 challenge works for every virtual host, including the HTTPS host configured in Step 4, whose DocumentRoot is somewhere else:

sudo nano /etc/apache2/conf-available/well-known.conf

Paste the following content into the file:

# Serve the ACME HTTP-01 challenge files from one fixed directory,
# whatever the DocumentRoot of the virtual host that receives the request.
Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"

# Scope the access rules to the challenge directory only. Indexes and
# MultiViews are deliberately not enabled: directory listings on the
# default web root are not needed for the challenge and leak file names.
<Directory "/var/www/html/.well-known/acme-challenge/">
    AllowOverride None
    Options None
    Require method GET HEAD
</Directory>

Save your changes and exit.


Step 3 : Generate Diffie-Hellman (DH) parameters

To generate a 2048-bit DH parameter file in /etc/ssl/certs on Ubuntu, run the command below. It takes a few minutes. DH parameters are only consulted by DHE_* cipher suites; the SSLCipherSuite list in Step 4 allows ECDHE suites only, so with that list the file is loaded but never used. Generating it is harmless and lets you add DHE suites later without a weak default group:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Step 4 : Generate Let’s Encrypt certificates on Ubuntu

Before requesting a certificate, enable the Apache modules for TLS, response headers and HTTP/2. To enable them, run the commands below:

sudo a2enmod ssl
sudo a2enmod headers
sudo a2enmod http2

Then enable the well-known.conf configuration created in Step 2:

sudo a2enconf well-known.conf

Next, run the command below to reload Apache:

sudo systemctl reload apache2

Finally, request the certificate. At this point Apache's default site serves /var/www/html on port 80 for any hostname, so the webroot plugin can place the challenge files there. The domain's DNS A/AAAA records must already point at this server and port 80 must be reachable from the internet, because Let's Encrypt fetches the challenge over plain HTTP:

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/www/html -d example.com -d www.example.com

Replace example.com and admin@example.com with your own domain and email address. The address receives expiry warnings if renewal stops working.

On success, Certbot prints a message similar to this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2021-11-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

At this point, the Let’s Encrypt certificate is generated successfully.

Next, add the TLS settings to the site's Apache VirtualHost configuration. With the HTTP-to-HTTPS redirect, HTTP/2 and hardened TLS settings it looks like the example below. Two details matter: the stapling cache that SSLUseStapling requires must be defined in the server context, outside any VirtualHost, and h2 is only offered when Apache runs the event MPM (mod_http2 disables itself under prefork, which Ubuntu switches to when the PHP module is installed). Note also that Let's Encrypt has retired its OCSP service in favour of CRLs, so for certificates it issues now stapling has nothing to staple and the two stapling lines can simply be omitted. Check the result with apache2ctl configtest before reloading Apache.

# OCSP stapling needs a cache defined in the server context, i.e. outside
# every <VirtualHost>. Apache's documentation makes it mandatory when
# SSLUseStapling is on.
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com

  # Send every plain-HTTP request to HTTPS. The ACME challenge keeps working
  # because Let's Encrypt follows redirects and the Alias from Step 2 also
  # applies to the HTTPS host.
  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /var/www/example.com

  # "http/1.1", not "http:/1.1"; h2 is only offered under the event MPM
  Protocols h2 http/1.1

  # Canonicalise www.example.com to example.com
  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
  CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

  SSLEngine On
  # fullchain.pem holds the leaf certificate followed by the intermediate
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  # Only used by DHE_* suites, which the cipher list below does not include
  SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

  # TLS 1.2 suites, forward-secret (ECDHE) only; TLS 1.3 uses OpenSSL's defaults
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

  # TLS 1.2 and 1.3 only
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCompression off
  SSLUseStapling on

  # Two years. Add "; includeSubDomains" only once every subdomain serves HTTPS,
  # because browsers remember this header for its full max-age.
  Header always set Strict-Transport-Security "max-age=63072000"

  <Directory /var/www/example.com/>
       Options FollowSymlinks
       # AllowOverride All lets .htaccess files in the web root change these
       # settings; use None if the site does not need them.
       AllowOverride All
       Require all granted
  </Directory>

</VirtualHost>

Step 5 : Automatically renew Let’s Encrypt certificates

Let's Encrypt certificates expire after 90 days, and Certbot only renews them when something runs certbot renew, which replaces every certificate within 30 days of expiry and leaves the rest alone. The Ubuntu certbot package installs a systemd timer (and a cron.d entry) that already does this twice a day, and the snap installs its own timer, so check for an existing timer before adding another. If none is present, add a cron job to root's crontab. To open the crontab, run the command below:

sudo crontab -e

And add the following line in the file:

0 12 * * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload apache2"

Save the changes and exit.

The deploy hook matters: Apache keeps the old certificate in memory until it is reloaded, so without it the renewed certificate sits unused on disk and visitors still see the old one expire. Certbot runs the hook only after a certificate was actually renewed.

Editing the table with crontab -e installs it as soon as you save, so cron does not need restarting. Before relying on it, confirm that renewal works end to end: certbot renew accepts a --dry-run flag that performs the whole challenge against Let's Encrypt's staging environment without touching the live certificate, which is the quickest way to prove that the redirect to HTTPS in the VirtualHost does not break the challenge path.
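Three helpers most people end up writing around these steps, as an added example that is not part of the original tutorial or of Certbot: a preflight that proves the /.well-known/acme-challenge/ path from Step 2 is reachable before you run certbot, an expiry check against the live certificate, and a deploy hook that reloads Apache only after the configuration passes a syntax test. The script assumes GNU date (as on Ubuntu), the /etc/letsencrypt/live layout shown above, Certbot's default 30-day renewal window, and a hypothetical install path of /usr/local/sbin/le-helper.sh.

```shell
#!/bin/bash
# Added example, not part of the original tutorial or of certbot.
# Assumptions: GNU date (Ubuntu), certbot's /etc/letsencrypt/live/<domain>/
# layout, certbot's default renewal window of 30 days, and that this file is
# installed as /usr/local/sbin/le-helper.sh (a hypothetical path).
set -u

RENEW_BEFORE_DAYS=30

# Days until the notAfter date that "openssl x509 -noout -enddate" prints
# ("notAfter=Nov  1 12:00:00 2021 GMT"). The optional second argument is a
# Unix timestamp to compare against instead of the current time.
cert_days_left() {
    local not_after="${1#notAfter=}"
    local now="${2:-$(date -u +%s)}"
    local end
    end=$(date -u -d "$not_after" +%s) || return 2
    echo $(( (end - now) / 86400 ))
}

# Drop a random token where "certbot --webroot -w $webroot" would, fetch it
# the way Let's Encrypt does (plain HTTP, following redirects), and clean up.
# Run this before the first certbot call and again after changing the vhosts.
acme_preflight() {
    local domain="$1" webroot="$2"
    local dir="$webroot/.well-known/acme-challenge"
    local token body rc
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$dir" || return 2
    printf '%s' "$token" > "$dir/$token" || return 2
    body=$(curl -sS -L --max-redirs 10 "http://$domain/.well-known/acme-challenge/$token")
    rc=$?
    rm -f "$dir/$token"
    if [ "$rc" -eq 0 ] && [ "$body" = "$token" ]; then
        echo "$domain: challenge path reachable"
    else
        echo "$domain: challenge path NOT reachable (curl exit $rc)" >&2
        return 1
    fi
}

# Report days left on the certificate certbot maintains for $domain and fail
# if it is already inside the window in which "certbot renew" should act.
check_live_cert() {
    local domain="$1"
    local pem="/etc/letsencrypt/live/$domain/fullchain.pem"
    local enddate days
    [ -r "$pem" ] || { echo "no certificate at $pem" >&2; return 2; }
    enddate=$(openssl x509 -in "$pem" -noout -enddate) || return 2
    days=$(cert_days_left "$enddate") || return 2
    if [ "$days" -lt "$RENEW_BEFORE_DAYS" ]; then
        echo "$domain: $days days left, renewal is overdue" >&2
        return 1
    fi
    echo "$domain: $days days left"
}

# Deploy hook: certbot runs it only after a certificate was actually renewed.
# Apache keeps the old certificate in memory until it is reloaded, and a
# reload with a broken configuration would take the site down, so test first.
deploy_hook() {
    if apache2ctl configtest >/dev/null 2>&1; then
        systemctl reload apache2
    else
        echo "apache2ctl configtest failed; not reloading" >&2
        return 1
    fi
}

case "${1:-}" in
    preflight) acme_preflight "$2" "${3:-/var/www/html}" ;;
    check)     check_live_cert "$2" ;;
    deploy)    deploy_hook ;;
esac
```

Run `le-helper.sh preflight example.com` before the certbot command in Step 4 and again after installing the HTTPS VirtualHost, since the redirect is the usual thing that breaks the challenge. For renewal, point Certbot at the hook instead of a bare reload, e.g. `certbot renew --quiet --deploy-hook "/usr/local/sbin/le-helper.sh deploy"` in the cron line; `le-helper.sh check example.com` from a monitoring job catches the case where the timer has silently stopped working.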

That’s all
