How To Secure Apache with Let’s Encrypt on Ubuntu 16.04

Table Of Contents

    – [Introduction](#introduction)
    – [Prerequisites](#prerequisites)
    – [Installation of Certbot](#installation-of-certbot)
    – [Installation of Certbot Apache Package](#installation-of-certbot-apache-package)
    – [Updating the Firewall to Allow HTTPS Traffic](#updating-the-firewall-to-allow-https-traffic)
    – [Generating SSL Certificate](#generating-ssl-certificate)
    – [Verifying Certbot Auto-Renewal](#verifying-certbot-auto-renewal)


    Introduction

    With data breaches and intrusions on the rise, encrypting traffic to your website should be a top priority for any website owner or organization. Let’s Encrypt is a free, open and automated certificate authority that issues TLS certificates at no cost. This is especially beneficial for startups or users working on a tight budget.

    In this article, we will show you how to install a Let’s Encrypt certificate with Certbot for the Apache web server and then configure the certificate to renew automatically without intervention.

    You can either use the default Apache configuration or create separate Apache virtual host files.


    Prerequisites

    Before you proceed, ensure that the following prerequisites are met:

    – An Ubuntu Server 16.04 instance
    – A regular non-root user with sudo privileges
    – Apache web server installed
    – A Fully Qualified Domain Name (FQDN) with the A record pointing to our server’s public IP address. We are going to use bought from The A record of the domain name points to


    You can buy a domain or use a domain registrar of your choice.

    Installation of Certbot

    First, we need to install certbot, the client that obtains the SSL certificate from Let’s Encrypt. We are going to use Ubuntu repositories because they contain up-to-date versions of software packages.

    Begin by adding the certbot repository:

    $ sudo add-apt-repository ppa:certbot/certbot

    Press ENTER when prompted to continue adding the repository.


    Installation of Certbot Apache Package

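    Next, refresh the package index so that apt sees the newly added repository, then install the Certbot Apache package with the apt package manager as shown:

    $ sudo apt update
    $ sudo apt install python-certbot-apache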


    Updating the Firewall to Allow HTTPS Traffic

    If your installation already has ufw enabled, change the settings to allow HTTPS traffic. Apache registers its application profiles with ufw when it is installed.

    Confirm the status of your ufw firewall:

    $ sudo ufw status

    If the firewall is inactive, first allow OpenSSH and Apache Full, then enable it. Allowing OpenSSH before enabling the firewall keeps your SSH session from being locked out.

    To allow HTTPS, you need to allow the Apache Full profile and delete the redundant Apache (HTTP-only) profile.

    $ sudo ufw allow 'Apache Full'


    $ sudo ufw delete allow 'Apache'


    Enable the firewall by running:

    $ sudo ufw enable

    Type y when prompted to enable the firewall and save the configuration. To check the status of the firewall, execute:

    $ sudo ufw status


    Generating SSL Certificate

    At this point, you may proceed to obtain the Let’s Encrypt SSL certificate using the default configuration, or set up a virtual host for your domain first.

    If you are comfortable with your default settings, run the command below:

    $ sudo certbot --apache -d -d

    Where is your domain. In our case, this will be

    $ sudo certbot --apache -d -d

    You will be prompted for an email address. Provide a valid email address.


    Next, agree to the terms of service.


    You’ll be asked if you would like to share your email with EFF so that you can receive news and updates from Let’s Encrypt Authority. You can either opt in or out.


    At this point, certbot will automatically detect whether any virtual hosts have been configured and will deploy the SSL certificate to the virtual host associated with our domain name.


    If you chose to proceed without configuring virtual hosts, then Certbot will select the default configuration as shown below


    Type 2 – To Redirect HTTP to HTTPS

    If virtual hosts were configured, then the SSL certificate will automatically be deployed to the virtual host associated with the domain name.

    In this case, the virtual host file was configured at





    When prompted to choose whether to redirect HTTP traffic to HTTPS, type 2 to enable the redirection of HTTP to HTTPS.


    The configuration will then be updated, and the Apache web server will reload to pick up the new settings. Certbot will conclude with a message informing you that the process was successful and giving the location of your certificates.


    If you have reached this point, you can be sure that your Let’s Encrypt certificate has been downloaded, installed and loaded.

    Open your browser and reload the site.

    Your URL should now change from to

    In this case, changes to


    To obtain more information about the certificate, click on the small padlock icon at the beginning of the URL bar


    The following certificate information will be displayed


    As seen above, the certificate is issued by Let’s Encrypt Authority X3 and has been issued to and is valid from 28th January 2019 to 28th April 2019.

    Similarly, you can test your server at and if all went well, your site should get an ‘A’ grade as shown.


    Verifying Certbot Auto-Renewal

    Let’s Encrypt certificates are valid for only 90 days. Renewal is normally handled by the certbot package, which adds a renew script to the /etc/cron.d directory. The script runs twice daily and automatically renews any certificate that is within 30 days of expiry.

    To test the renewal process, conduct a dry run with certbot:

    $ sudo certbot renew --dry-run
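
A dry run exercises the renewal path once; it does not show whether the twice-daily job keeps succeeding afterwards. The script below is an added example, not part of the original article: it reads a certificate's `notAfter` date and flags a certificate that is still unrenewed well inside the 30-day window. It assumes bash, GNU `date` and `openssl`; the function names, the 3-day grace value and the sample time of day are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Assumes GNU date and openssl.
RENEW_WINDOW_DAYS=30  # certbot renews certificates within 30 days of expiry
GRACE_DAYS=3          # assumed slack for the twice-daily job before alerting

# Strip the "notAfter=" prefix that `openssl x509 -noout -enddate` prints.
parse_enddate() {
    case "$1" in
        notAfter=*) printf '%s\n' "${1#notAfter=}" ;;
        *) return 1 ;;
    esac
}

# renewal_state <enddate-line> <now-epoch>
# Prints OK, RENEWAL_STALLED or EXPIRED (with whole days left); non-zero on alert.
renewal_state() {
    local not_after end_epoch left
    not_after=$(parse_enddate "$1") || { echo "UNPARSEABLE"; return 2; }
    end_epoch=$(date -u -d "$not_after" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 2; }
    left=$(( end_epoch - $2 ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"; return 1
    elif [ "$left" -lt $(( (RENEW_WINDOW_DAYS - GRACE_DAYS) * 86400 )) ]; then
        echo "RENEWAL_STALLED days_left=$(( left / 86400 ))"; return 1
    fi
    echo "OK days_left=$(( left / 86400 ))"
}

# Live check of the certificate a server actually presents (needs network).
check_host() {
    local line
    line=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null) || { echo "NO_CERT"; return 2; }
    renewal_state "$line" "$(date -u +%s)"
}

# Constructed sample: the article's certificate expires on 28 April 2019
# (the time of day is made up).
SAMPLE='notAfter=Apr 28 12:00:00 2019 GMT'
demo() {
    renewal_state "$SAMPLE" "$(date -u -d '2019-02-15 12:00:00' +%s)"  # fresh
    renewal_state "$SAMPLE" "$(date -u -d '2019-04-10 12:00:00' +%s)"  # not renewed
    renewal_state "$SAMPLE" "$(date -u -d '2019-04-29 12:00:00' +%s)"  # expired
}

if [ $# -gt 0 ]; then check_host "$1"; else demo || true; fi
```

Run it with a host name as the only argument to check the certificate that host serves; with no argument it prints the three constructed cases.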