Securing your website with SSL (Secure Sockets Layer, implemented today as TLS) is an essential step to protect users’ data and build trust. One of the easiest and most cost-effective ways to achieve this is by using Let’s Encrypt, a free, automated, and open certificate authority that provides SSL certificates.
In this guide, you’ll learn how to secure Apache on Ubuntu with Let’s Encrypt SSL and configure Apache for SSL.
Prerequisites
Before you proceed, ensure that the following are in place:
- A domain name pointing to your Ubuntu server (e.g., example.com)
- A non-root user with sudo privileges
- Apache web server installed on Ubuntu
- Ports 80 and 443 opened on your firewall
Step 1: Install Apache on Ubuntu
First, you need to install Apache if it's not already installed. Run the following commands to install and enable Apache:
sudo apt update
sudo apt install apache2
sudo systemctl start apache2
sudo systemctl enable apache2
To verify that Apache is installed and running, visit your server’s IP address in a web browser:
http://your-server-ip
If you see the default Apache page, your installation is successful.
Step 2: Install Certbot for Let’s Encrypt
Certbot is a command-line tool that simplifies the process of obtaining SSL certificates from Let’s Encrypt. Certbot automatically configures Apache with the new SSL certificate. Install Certbot by running the following commands:
Install Certbot and Apache plugin
sudo apt update
sudo apt install certbot python3-certbot-apache
This command installs Certbot and the Apache plugin, which automates the SSL configuration process.
Step 3: Obtain Let’s Encrypt SSL Certificate
With Certbot installed, you can now obtain your SSL certificate. Certbot will request certificates, configure your Apache server, and automatically redirect HTTP traffic to HTTPS.
Run the following command to obtain your SSL certificate:
sudo certbot --apache -d example.com -d www.example.com
- Replace example.com with your actual domain name.
- Certbot will prompt you to enter your email for recovery purposes and agree to the terms of service.
Certbot will ask if you want to redirect HTTP to HTTPS. Choose:
Option 2: Redirect - Make all requests redirect to secure HTTPS access.
After this process, Certbot will obtain and install the SSL certificates, and your Apache configuration will be updated automatically.
Sample output:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
The certificate will be valid for 90 days, and Certbot will automatically renew it (covered in Step 5).
Step 4: Apache SSL Configuration
Once Let’s Encrypt SSL is installed, it’s important to verify that your Apache SSL configuration is correct. Apache uses the .conf files located in /etc/apache2/sites-available/.
Check Apache Virtual Hosts
You can verify the configuration for your domain by viewing the Apache configuration file:
sudo nano /etc/apache2/sites-available/example.com.conf
Ensure the following SSL-related lines are included in your Virtual Host configuration for port 443:
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
Enable SSL Module
If not already enabled, enable the SSL module:
sudo a2enmod ssl
After editing the Apache configuration, restart Apache for the changes to take effect:
sudo systemctl restart apache2
Redirect HTTP to HTTPS
Certbot should have automatically set up an HTTP to HTTPS redirect. If not, ensure that your configuration for port 80 includes the following redirect lines:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
This configuration will ensure all HTTP traffic is automatically redirected to HTTPS.
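The Step 4 checks as a script, added here as an example (it is not part of the original guide or of Certbot): the hypothetical function `audit_vhosts` reads virtual host files and reports any `*:443` block missing the SSL directives listed above and any `*:80` block without a redirect to HTTPS. The two sample files are constructed, and the script checks only the files it is given; it does not follow `Include` lines.

```shell
# audit_vhosts FILE...: print one finding per problem; exit status 1 if any.
audit_vhosts() {
  awk '
    function report(msg) { print FILENAME ": <VirtualHost " vhost ">: " msg; bad = 1 }
    $1 ~ /^#/ { next }                               # ignore comment lines
    tolower($1) == "<virtualhost" {                  # start of a vhost block
      vhost = $2; sub(/>$/, "", vhost)               # e.g. "*:443"
      engine = cert = key = redirect = 0; next
    }
    tolower($1) == "sslengine" && tolower($2) == "on" { engine = 1 }
    tolower($1) == "sslcertificatefile"    { cert = 1 }
    tolower($1) == "sslcertificatekeyfile" { key = 1 }
    # RewriteRule or Redirect whose target is an https:// URL
    tolower($1) ~ /^(rewriterule|redirect)$/ && $0 ~ /https:\/\// { redirect = 1 }
    tolower($1) == "</virtualhost>" {                # end of block: evaluate it
      if (vhost ~ /:443$/) {
        if (!engine) report("SSLEngine on is missing")
        if (!cert)   report("SSLCertificateFile is missing")
        if (!key)    report("SSLCertificateKeyFile is missing")
      } else if (vhost ~ /:80$/ && !redirect) report("no redirect to https://")
    }
    END { exit bad }
  ' "$@"
}
demo_dir=$(mktemp -d)
# Constructed sample: the port 80 and 443 vhosts from Step 4, trimmed.
cat > "$demo_dir/good.conf" <<'EOF'
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
EOF
# Constructed sample: no redirect on port 80, key directive missing on 443.
cat > "$demo_dir/bad.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
</VirtualHost>
EOF
audit_vhosts "$demo_dir/good.conf" && echo "good.conf: OK"
audit_vhosts "$demo_dir/bad.conf" || echo "bad.conf: findings above"
```

On a server, run it over the enabled sites, for example `audit_vhosts /etc/apache2/sites-enabled/*.conf`, and treat a non-zero exit status as a failed check.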
Step 5: Set Up Automatic SSL Certificate Renewal
Let’s Encrypt SSL certificates are valid for 90 days, but Certbot can automatically renew them for you.
Check the Renewal Timer
Certbot installs a scheduled job that automatically renews certificates and reloads Apache. On Ubuntu this job runs as a systemd timer, which you can verify by running:
sudo systemctl status certbot.timer
Test Renewal Process
To test the automatic renewal process, use the following command:
sudo certbot renew --dry-run
If the dry-run completes successfully, the automatic renewal process is set up correctly.
Step 6: Testing the SSL Configuration
After the setup, it’s important to test your SSL configuration to ensure everything works as expected.
Verify HTTPS Access
Visit your domain via HTTPS to check that the certificate is correctly installed:
https://example.com
You should see the padlock icon in your browser, indicating that the connection is secure.
Test SSL Configuration
Use SSL Labs to test your server's SSL configuration. Go to SSL Labs Test Page and enter your domain name. This will give you a detailed report on your SSL setup, including security vulnerabilities and performance optimization.
Conclusion
Securing Apache with Let’s Encrypt SSL on Ubuntu is a straightforward process, thanks to Certbot's automation. The steps above guide you through obtaining a free SSL certificate, configuring Apache for SSL, setting up automatic renewals, and testing the configuration. With Let’s Encrypt SSL, your website is more secure, and you’ll instill greater confidence in your visitors by encrypting their data.
Commands Cheat Sheet
Command | Description |
---|---|
sudo apt install apache2 | Installs the Apache web server |
sudo apt install certbot | Installs Certbot for obtaining SSL certificates |
sudo certbot --apache | Obtains and installs SSL certificate automatically |
sudo certbot renew --dry-run | Tests automatic renewal of SSL certificates |
sudo systemctl restart apache2 | Restarts Apache to apply changes |
By following this comprehensive guide, you can easily implement Let’s Encrypt SSL and manage Apache SSL configuration on Ubuntu. Always ensure that your SSL certificates are up-to-date to maintain security and compliance with modern web standards.