
How To Secure Apache with Let’s Encrypt on Ubuntu 16.04

Table of Contents

- [Introduction](#introduction)
- [Prerequisites](#prerequisites)
- [Installation of Certbot](#installation-of-certbot)
- [Installation of Certbot Apache Package](#installation-of-certbot-apache-package)
- [Updating the Firewall to Allow HTTPS Traffic](#updating-the-firewall-to-allow-https-traffic)
- [Generating SSL Certificate](#generating-ssl-certificate)
- [Verifying Certbot Auto-Renewal](#verifying-certbot-auto-renewal)

Introduction

With a growing trend in data breaches and intrusions, securing your website with encryption should be a top priority for any website owner or organization. [Let’s Encrypt](https://letsencrypt.org/) is a free, open and automated certificate authority that issues TLS certificates at no cost. This is especially beneficial for startups or users who are working on a tight budget.

In this article, we will show you how to install a Let’s Encrypt certificate with Certbot for the Apache web server and then configure the certificate to renew automatically without intervention.

You can decide to use the default Apache configuration or create separate Apache virtual host files.

Prerequisites

Before you proceed, kindly ensure that the following prerequisites are met:

- An Ubuntu 16.04 server instance
- A regular non-root user with sudo privileges
- Apache web server installed
- A Fully Qualified Domain Name (FQDN) with an A record pointing to our server’s public IP address. We are going to use linuxtechwhiz.info, bought from Godaddy.com. The A record of the domain name points to 38.76.11.174.

![apacheletsencryptdnsrecords](https://grid.media/assets/images/apache-lets-encrypt-dns-records-02132019.png)

You can buy a domain or use a domain registrar of your choice.

Installation of Certbot

Firstly, we need to install Certbot, the client that obtains the SSL certificate from Let’s Encrypt. We are going to use the Certbot PPA (an Ubuntu software repository maintained by the Certbot developers) because it contains up-to-date versions of the package.

Begin by adding the Certbot repository:

```
$ sudo add-apt-repository ppa:certbot/certbot
```

Press ENTER when prompted to continue adding the repository.

![apacheletsencryptcertbotinstall](https://grid.media/assets/images/installation-of-certbot-02132019.png)

Installation of Certbot Apache Package

Next, install Certbot together with its Apache plugin using the apt package manager as shown:

```
$ sudo apt install python-certbot-apache
```

![apacheletsencryptcertbotpackage](https://grid.media/assets/images/certbot-apache-package-02132019.png)

Updating the Firewall to Allow HTTPS Traffic

If your installation already has ufw enabled, change the settings to allow HTTPS traffic. Apache registers application profiles with ufw when it is installed, so you can refer to the profiles by name rather than by port number.

Confirm the status of your ufw:

```
$ sudo ufw status
```

If the firewall is inactive, first allow OpenSSH and Apache Full, then enable it. Allowing OpenSSH before enabling the firewall keeps you from locking yourself out of the server.

To allow HTTPS, allow the Apache Full profile (ports 80 and 443) and delete the now-redundant Apache profile, which only allows HTTP (port 80):

```
$ sudo ufw allow 'Apache Full'
```

![apacheletsencryptufw](https://grid.media/assets/images/ufw-apache-full-02132019.png)

```
$ sudo ufw delete allow 'Apache'
```

![apacheletsencryptdeleteufw](https://grid.media/assets/images/ufw-delete-allow-apache-02132019.png)

Enable the firewall by running:

```
$ sudo ufw enable
```

Type y when prompted to confirm; the rules are saved and the firewall is activated. To check the status of the firewall, execute:

```
$ sudo ufw status
```

![apacheletsencryptufwstatus](https://grid.media/assets/images/apache-lets-encrypt-ufw-status-02132019.png)
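The following script is an added example, not part of the original guide or of ufw itself. It audits the text that `ufw status` prints for the end state this section aims at (firewall active, OpenSSH and 'Apache Full' allowed, the HTTP-only 'Apache' profile gone) and can apply the guide's commands in the safe order, SSH first and `enable` last. The two status listings embedded below are constructed samples, not output captured from the guide's server; the script assumes ufw's plain-text status layout and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original guide): audit `ufw status` output for the
# expected firewall state, and optionally apply the guide's commands first.

# Constructed sample: firewall active, but the redundant 'Apache' (port 80 only)
# profile has not been deleted yet.
UFW_STATUS_BEFORE='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
Apache                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)'

# Constructed sample of the desired end state.
UFW_STATUS_AFTER='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)'

# rule_allowed STATUS PROFILE: succeed if STATUS has an ALLOW line for exactly PROFILE.
# The anchor plus the whitespace run means "Apache" does not match "Apache Full".
rule_allowed() {
    printf '%s\n' "$1" | grep -Eq "^$2[[:space:]]+ALLOW[[:space:]]"
}

# audit_ufw STATUS: print findings; return 0 only when the firewall is active,
# OpenSSH and 'Apache Full' (80 and 443) are allowed, and 'Apache' (80 only) is gone.
audit_ufw() {
    status="$1"
    rc=0
    if ! printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "FAIL: ufw is not active"; rc=1
    fi
    if ! rule_allowed "$status" OpenSSH; then
        echo "FAIL: OpenSSH is not allowed (enabling ufw now would lock you out)"; rc=1
    fi
    if ! rule_allowed "$status" 'Apache Full'; then
        echo "FAIL: 'Apache Full' is not allowed, so HTTPS (443) is blocked"; rc=1
    fi
    if rule_allowed "$status" Apache; then
        echo "WARN: redundant 'Apache' (HTTP-only) profile is still present"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: firewall matches the expected state"
    return "$rc"
}

# apply_ufw_rules: the guide's commands in the safe order (SSH first, enable last).
apply_ufw_rules() {
    sudo ufw allow OpenSSH
    sudo ufw allow 'Apache Full'
    sudo ufw delete allow 'Apache'
    sudo ufw enable
}

# Usage: sh ufw_audit.sh --live     -> audit the running firewall
#        sh ufw_audit.sh --apply    -> apply the rules, then audit
if [ "${1:-}" = "--apply" ]; then
    apply_ufw_rules
fi
if [ "${1:-}" = "--apply" ] || [ "${1:-}" = "--live" ]; then
    audit_ufw "$(sudo ufw status)"
fi
```

Run it with `--live` after the steps above; a non-zero exit means one of the findings printed needs attention before you move on to requesting the certificate.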

Generating SSL Certificate

At this point, you may proceed to obtain the Let’s Encrypt SSL certificate using the default configuration or set up a virtual host for your domain.

If you are comfortable with your default settings, run the command below:

```
$ sudo certbot --apache -d example.com -d www.example.com
```

Where example.com is your domain. In our case, this will be linuxtechwhiz.info:

```
$ sudo certbot --apache -d linuxtechwhiz.info -d www.linuxtechwhiz.info
```

You will be prompted for an email address. Provide a valid email address; Let’s Encrypt uses it for expiry reminders and urgent security notices.

![apacheletsencryptemailaddress](https://grid.media/assets/images/apache-lets-encrypt-enter-email-address-02132019.png)

Next, agree to the terms of service.

![apacheletsencryptterms](https://grid.media/assets/images/apache-lets-encrypt-agree-terms-and-conditions-02132019.png)

You’ll be asked if you would like to share your email with the EFF so that you can receive news and updates from Let’s Encrypt Authority. You can either opt in or out.

![apacheletsencryptshareemail](https://grid.media/assets/images/apache-lets-encrypt-share-email-address-with-eff-02132019.png)

At this point, Certbot will automatically detect whether any virtual hosts have been configured and will deploy the SSL certificate to the virtual host associated with our domain name.

Note:

If you chose to proceed without configuring virtual hosts, then Certbot will select the default configuration. When prompted, type 2 to redirect HTTP to HTTPS.

If virtual hosts were configured, then the SSL certificate will automatically be deployed to the virtual host associated with the domain name.

In this case, the virtual host file was configured at

```
/etc/apache2/sites-available/linuxtechwhiz.info
```

When prompted to choose whether to redirect HTTP traffic to HTTPS, type 2 to enable the redirection of HTTP to HTTPS.

![apacheletsencryptselectredirection](https://grid.media/assets/images/apache-lets-encrypt-select-redirection-http-to-https-02132019.png)

The configuration will then be updated, and the Apache web server will reload to pick up the new settings. Certbot will conclude with a message informing you that the process was successful and showing the location of your certificates.

![apacheletsencryptsslcertificate](https://grid.media/assets/images/apache-lets-encrypt-ssl-certificate-02132019.png)

If you have reached this point, your Let’s Encrypt certificate has been downloaded, installed and loaded.

Head over to your browser and reload.

Your URL should now change from http://example.com to https://example.com

In this case, http://linuxtechwhiz.info changes to https://linuxtechwhiz.info

To obtain more information about the certificate, click on the small padlock icon at the beginning of the URL bar.

The following certificate information will be displayed:

![apacheletsencryptsslcertificateinfo](https://grid.media/assets/images/ssl-certificate-information-02132019.png)

As seen above, the certificate is issued by Let’s Encrypt Authority X3, has been issued to linuxtechwhiz.info and is valid from 28th January 2019 to 28th April 2019.

Similarly, you can test your server at https://www.ssllabs.com/ssltest/ and, if all went well, your site should get an ‘A’ grade as shown.

![apacheletsencrypttest](https://grid.media/assets/images/ssl-test-qualys-02132019.png)

Verifying Certbot Auto-Renewal

Let’s Encrypt certificates are valid for only 90 days. The renewal process is normally carried out by the certbot package, which adds a renew script to the /etc/cron.d directory. The script runs twice daily and will automatically renew any certificate that is within 30 days of expiry.

To test the renewal process, conduct a dry run with Certbot:

```
$ sudo certbot renew --dry-run
```

![apacheletsencrptautorenewal](https://grid.media/assets/images/apache-lets-encrypt-ssl-certificate-auto-renewal-02132019.png)
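As an added example that is not part of the original guide or of Certbot, the script below performs from the command line the two checks the previous sections do in a browser (the HTTP-to-HTTPS redirect and the certificate's issuer, subject and expiry) and then computes whether the certificate is inside the 30-day window in which the cron job described above would renew it. It assumes `curl`, `openssl` and GNU `date` (as on Ubuntu); the response headers and certificate text embedded in it are constructed samples built from the values shown in the guide's screenshots, not output captured from the server.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the redirect and the served
# certificate, and flag certificates that certbot's renewal window already covers.

# Constructed sample of `curl -sI http://linuxtechwhiz.info` after the redirect was enabled.
REDIRECT_SAMPLE='HTTP/1.1 301 Moved Permanently
Date: Mon, 28 Jan 2019 12:00:00 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: https://linuxtechwhiz.info/
Content-Type: text/html; charset=iso-8859-1'

# Constructed sample of `openssl x509 -noout -issuer -subject -enddate` output,
# using the issuer, subject and expiry date the guide's screenshot shows.
CERT_SAMPLE="issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
subject=CN = linuxtechwhiz.info
notAfter=Apr 28 00:00:00 2019 GMT"

# redirects_to_https HEADERS HOST: succeed if HEADERS is a redirect to https://HOST.
redirects_to_https() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    printf '%s\n' "$hdrs" | head -n 1 | grep -Eq ' (301|302|307|308) ' || return 1
    printf '%s\n' "$hdrs" | grep -Eiq "^Location: https://$2(/|\$)"
}

# cert_field TEXT KEY: print the value of the "KEY=..." line (issuer, subject, notAfter).
cert_field() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# days_until NOTAFTER NOW_EPOCH: whole days from NOW_EPOCH to the notAfter timestamp.
# GNU date parses openssl's "Apr 28 00:00:00 2019 GMT" format directly (assumption).
days_until() {
    end=$(date -u -d "$1" +%s)
    echo $(( (end - $2) / 86400 ))
}

# needs_renewal DAYS: certbot's cron job renews when fewer than 30 days remain.
needs_renewal() {
    [ "$1" -lt 30 ]
}

# check_site DOMAIN: run the live checks against a deployed server.
check_site() {
    domain="$1"
    if redirects_to_https "$(curl -sI "http://$domain")" "$domain"; then
        echo "OK: http://$domain redirects to HTTPS"
    else
        echo "FAIL: http://$domain does not redirect to HTTPS"
    fi
    cert=$(openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null \
           | openssl x509 -noout -issuer -subject -enddate)
    echo "issuer : $(cert_field "$cert" issuer)"
    echo "subject: $(cert_field "$cert" subject)"
    days=$(days_until "$(cert_field "$cert" notAfter)" "$(date -u +%s)")
    if needs_renewal "$days"; then
        echo "WARN: $days days left; certbot should renew this on its next run"
    else
        echo "OK: $days days of validity left"
    fi
}

# Usage: sh check_tls.sh linuxtechwhiz.info
if [ $# -ge 1 ]; then
    check_site "$1"
fi
```

If the live run reports fewer than 30 days left for more than a day or two, the cron job is not renewing; run `sudo certbot renew --dry-run` as shown above and inspect its output for the failing challenge.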