How To Secure Apache with Let's Encrypt on Ubuntu

Learn how to secure your Apache server with Let's Encrypt SSL on Ubuntu. Follow this detailed guide for simple Apache SSL configuration and automatic renewal.

Securing your website with SSL (Secure Sockets Layer) is an essential step to protect users’ data and build trust. One of the easiest and most cost-effective ways to achieve this is to use Let’s Encrypt, a free, automated, and open certificate authority that provides SSL certificates.

In this guide, you’ll learn how to secure Apache on Ubuntu with Let’s Encrypt SSL and configure Apache for SSL.

Prerequisites

Before you proceed, ensure that the following are in place:

  • A domain name pointing to your Ubuntu server (e.g., example.com)
  • A non-root user with sudo privileges
  • Apache web server installed on Ubuntu
  • Ports 80 and 443 opened on your firewall

Step 1: Install Apache on Ubuntu

First, you need to install Apache if it’s not already installed. Run the following commands to install and enable Apache:

sudo apt update
sudo apt install apache2
sudo systemctl start apache2
sudo systemctl enable apache2

To verify that Apache is installed and running, visit your server’s IP address in a web browser:

http://your-server-ip

If you see the default Apache page, your installation is successful.

Step 2: Install Certbot for Let’s Encrypt

Certbot is a command-line tool that simplifies the process of obtaining SSL certificates from Let’s Encrypt. Certbot automatically configures Apache with the new SSL certificate. Install Certbot by running the following commands:

Install Certbot and Apache plugin

sudo apt update
sudo apt install certbot python3-certbot-apache

These commands install Certbot and its Apache plugin, which automates the SSL configuration process.

Step 3: Obtain Let’s Encrypt SSL Certificate

With Certbot installed, you can now obtain your SSL certificate. Certbot will request certificates, configure your Apache server, and automatically redirect HTTP traffic to HTTPS.

Run the following command to obtain your SSL certificate:

sudo certbot --apache -d example.com -d www.example.com

  • Replace example.com with your actual domain name.
  • Certbot will prompt you to enter your email for recovery purposes and agree to the terms of service.

Certbot will ask if you want to redirect HTTP to HTTPS. Choose:

Option 2: Redirect - Make all requests redirect to secure HTTPS access.

After this process, Certbot will obtain and install the SSL certificates, and your Apache configuration will be updated automatically.

Sample output:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem

The certificate will be valid for 90 days, and Certbot will automatically renew it (covered in Step 5).

Step 4: Apache SSL Configuration

Once Let’s Encrypt SSL is installed, it’s important to verify that your Apache SSL configuration is correct. Apache uses the .conf files located in /etc/apache2/sites-available/.

Check Apache Virtual Hosts

You can verify the configuration for your domain by viewing the Apache configuration file:

sudo nano /etc/apache2/sites-available/example.com.conf

Ensure the following SSL-related lines are included in your Virtual Host configuration for port 443:

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com

    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Enable SSL Module

If not already enabled, enable the SSL module:

sudo a2enmod ssl

After editing the Apache configuration, restart Apache for the changes to take effect:

sudo systemctl restart apache2

Redirect HTTP to HTTPS

Certbot should have automatically set up an HTTP to HTTPS redirect. If not, ensure that your configuration for port 80 includes the following redirect lines:

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>

This configuration will ensure all HTTP traffic is automatically redirected to HTTPS.
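The directives checked by eye in this step can also be checked mechanically. The following is an added example, not part of the original guide or of Certbot: a shell function (the name audit_vhosts and the sample configuration are constructed here) that reads virtual host text and reports a port 443 block missing the SSL lines above, or a port 80 block without the HTTPS redirect.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): audit Apache vhost text on stdin
# for the directives Step 4 requires. Prints one finding per line, or nothing.
audit_vhosts() {
  awk '
    function need(ok, msg) { if (!ok) print port ": " msg }
    /^[ \t]*#/ { next }                              # ignore comment lines
    { key = tolower($1) }                            # directives are case-insensitive
    key == "<virtualhost" {                          # e.g. <VirtualHost *:443>
      port = $2; sub(/.*:/, "", port); sub(/>.*/, "", port)
      split("", seen); next                          # reset per-vhost state
    }
    key == "</virtualhost>" {
      if (port == "443") {
        need(seen["sslengine"] == "on",       "SSLEngine is not on")
        need("sslcertificatefile" in seen,    "missing SSLCertificateFile")
        need("sslcertificatekeyfile" in seen, "missing SSLCertificateKeyFile")
        need(seen["tls_opts"],                "options-ssl-apache.conf not included")
      } else if (port == "80") {
        need(seen["rewriteengine"] == "on" && seen["https_rule"], "no HTTPS redirect")
      }
      port = ""; next
    }
    port == "" { next }                              # outside any vhost block
    key == "include" && $2 ~ /options-ssl-apache\.conf$/ { seen["tls_opts"] = 1 }
    key == "rewriterule" && $3 ~ /^https:\/\//       { seen["https_rule"] = 1 }
    { seen[key] = tolower($2) }                      # remember directive and value
  '
}

# Constructed sample: the 443 vhost lacks its key file and the Certbot TLS
# options include, and the port-80 vhost serves content instead of redirecting.
BAD_CONF=$(cat <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
</VirtualHost>
EOF
)
printf '%s\n' "$BAD_CONF" | audit_vhosts
```

To audit a real site file, redirect it into the function, for example `audit_vhosts < /etc/apache2/sites-available/example.com.conf`. The function only checks that the directives are present; `sudo apache2ctl configtest` still validates syntax before a restart.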

Step 5: Set Up Automatic SSL Certificate Renewal

Let’s Encrypt SSL certificates are valid for 90 days, but Certbot can automatically renew them for you.

Check the Renewal Timer

Certbot installs a scheduled job (on Ubuntu, a systemd timer named certbot.timer) that automatically renews certificates and reloads Apache. You can verify that it is active by running:

sudo systemctl status certbot.timer

Test Renewal Process

To test the automatic renewal process, use the following command:

sudo certbot renew --dry-run

If the dry-run completes successfully, the automatic renewal process is set up correctly.
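A dry run shows that renewal can work at the moment it is run; it does not show that the installed certificate is actually being renewed over time. The following added example (not from the original guide; the function names, the 30-day warning threshold and the self-signed sample certificates are assumptions made here) classifies a certificate file by remaining lifetime and checks that it covers the expected hostnames.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). Classifies a certificate file as
# OK, RENEWAL_OVERDUE, EXPIRED, NAME_MISMATCH:<host> or UNREADABLE.
check_cert() {   # usage: check_cert <cert.pem> <warn_days> <hostname>...
  cert=$1; warn_days=$2; shift 2
  if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
    echo UNREADABLE; return 0
  fi
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo EXPIRED; return 0
  fi
  # -checkend N fails when the certificate expires within the next N seconds.
  if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
    echo RENEWAL_OVERDUE; return 0
  fi
  for host in "$@"; do
    # -checkhost reports its verdict as text, so match on the output.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
      echo "NAME_MISMATCH:$host"; return 0
    fi
  done
  echo OK
}

# Constructed self-signed sample certificate: make_sample_cert <out.pem> <days valid>
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/fresh.pem" 90    # stands in for a just-issued certificate
make_sample_cert "$tmp/stale.pem" 10    # stands in for one that renewal has missed
check_cert "$tmp/fresh.pem" 30 example.com www.example.com   # OK
check_cert "$tmp/stale.pem" 30 example.com www.example.com   # RENEWAL_OVERDUE
check_cert "$tmp/fresh.pem" 30 mail.example.com              # NAME_MISMATCH:mail.example.com
```

On the server, run it with sudo against /etc/letsencrypt/live/example.com/fullchain.pem from a monitoring job, and alert on anything other than OK.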

Step 6: Testing the SSL Configuration

After the setup, it’s important to test your SSL configuration to ensure everything works as expected.

Verify HTTPS Access

Visit your domain via HTTPS to check that the certificate is correctly installed:

https://example.com

You should see the padlock icon in your browser, indicating that the connection is secure.

Test SSL Configuration

Use SSL Labs to test your server’s SSL configuration. Go to the SSL Labs test page and enter your domain name. This will give you a detailed report on your SSL setup, including security vulnerabilities and performance optimization.

Conclusion

Securing Apache with Let’s Encrypt SSL on Ubuntu is a straightforward process, thanks to Certbot’s automation. The steps above guide you through obtaining a free SSL certificate, configuring Apache for SSL, setting up automatic renewals, and testing the configuration. With Let’s Encrypt SSL, your website is more secure, and you’ll instill greater confidence in your visitors by encrypting their data.

Commands Cheat Sheet

Command                           Description
sudo apt install apache2          Installs the Apache web server
sudo apt install certbot          Installs Certbot for obtaining SSL certificates
sudo certbot --apache             Obtains and installs SSL certificate automatically
sudo certbot renew --dry-run      Tests automatic renewal of SSL certificates
sudo systemctl restart apache2    Restarts Apache to apply changes

By following this comprehensive guide, you can easily implement Let’s Encrypt SSL and manage Apache SSL configuration on Ubuntu. Always ensure that your SSL certificates are up-to-date to maintain security and compliance with modern web standards.
