Table of Contents
– [Installation of Certbot](#installation-of-certbot
– [Installation of Certbot Apache Package](#installation-of-certbot-apache-package
– [Updating the Firewall to Allow HTTPS Traffic](#updating-the-firewall-to-allow-https-traffic
– [Generating SSL Certificate](#generating-ssl-certificate
– [Verifying Certbot Auto-Renewal](#verifying-certbot-auto-renewal
With a growing trend in data breaches and intrusions, securing your website with encryption should be a top priority for any website owner or organization. [Let’s Encrypt](https://letsencrypt.org/ is a free, open and automated certificate authority that avails free certificates with TLS encryption at no cost. This is mostly beneficial for startups or users who are working on a tight budget.
In this article, we will show you how you can install Let’s encrypt Certificate with Certbot for Apache web server and later, configure the certificate to renew automatically without intervention.
You can decide to use the default Apache configuration or create separate Apache virtual host files.
Before you proceed, kindly ensure that the following prerequisites are met
Ubuntu server 16.04 instance
A regular non-root user with sudo privileges
Apache web server installed
A Fully Qualified Domain Name (FQDN with the A record pointing to our server’s public IP address. We are going to use linuxtechwhiz.info bought from Godaddy.com The A record of the domain name points to 184.108.40.206.
You can buy a domain or use a domain registrar of your choice.
Installation of Certbot
Firstly, we need to install certbot to enable users to obtain the SSL certificate from Let’s Encrypt. We are going to use Ubuntu repositories because they contain up-to-date versions of software packages.
Begin by adding certbot repository
$ sudo add-apt-repository ppa:certbot/certbot “
Press ENTER when prompted to continue adding the repository
Installation of Certbot Apache Package
Next, we will install certbot using apt package manager as shown
$ sudo apt install python-certbot-apache “
Updating the Firewall to Allow HTTPS Traffic
If your installation already has ufw enabled, change the settings to allow HTTPS traffic. Nginx registers new profiles with every ufw firewall installation.
Confirm the status of your ufw
$ sudo ufw status “
If the firewall is inactive, first allow OpenSSH and Apache Full then enable it.
To allow the HTTPS, you need to allow the Apache full profile and delete the redundant Apache HTTP allowed profile.
$ sudo ufw allow ‘Apache Full’ “
$ sudo ufw delete allow ‘Apache’ “
Enable Apache by running
$ ufw enable “
Press Yes to enable and save the configurations. To check the status of the firewall execute
$ ufw status “
Generating SSL Certificate
At this point, you may proceed to obtain Let’s encrypt SSL using the default configurations or set up a virtual host for your domain.
If you are comfortable with your default settings, run the command below
$ sudo certbot –apache -d example.com -d www.example.com “
Where example.com is your domain. In our case, this will be linuxtechwhiz.info
$ sudo certbot –apache -d linuxtechwhiz.info -d linuxtechwhiz.info “
You will be prompted for an email address. Provide a valid email address
Next, agree to the terms of service
You’ll be asked if you would like to share your email with EFF so that you can receive news and updates from Let’s Encrypt Authority. You can either opt in or out.
At this point, certbot will automatically detect if any virtual hosts have been configured and will deploy the SSL to the virtual host associated to our Domain name.
If you chose to proceed without configuring virtual hosts, then Certbot will select the default configurations as shown below
Type 2 – To Redirect HTTP to HTTPS
If virtual hosts were configured, then the SSL certificate will automatically be deployed to the virtual host associated with the domain name.
In this case, the virtual host file was configured at
When prompted to choose whether to redirect HTTP traffic to HTTPS, type 2 to enable the redirection of HTTP to HTTPS
The configuration will thereafter be updated, and Apache web server will reload to pick up the new settings. certbot will conclude with a message informing you that the process was successful and the location of your certificates
If you have reached this point, be sure that your Let’s encrypt certificate has been downloaded, installed and loaded.
Head out to your browser and reload.
Your URL should now change from http://example.com to https://example.com
In this case, http://linuxtechwhiz.info changes to https://linuxtechwhiz.info
To obtain more information about the certificate, click on the small padlock icon at the beginning of the URL bar
The following certificate information will be displayed
As seen above, the certificate is issued by Let’s Encrypt Authority X3 and has been issued to linuxtechwhiz.info and is valid from 28th January 2019 to 28th April 2019.
Similarly, you can test your server at https://www.ssllabs.com/ssltest/ and if all went well, your site should get an ‘A’ grade as shown.
Verifying Certbot Auto-Renewal
The validity of Let’s encrypt certificates is only 90 days. Usually, the renewal process is carried out by the certbot package which adds a renew script to /etc/cron.d directory. The script runs twice daily and will automatically renew any certificate within 30 days of expiry.
To test the renewal process, conduct a dry run test with certbot
$ sudo certbot renew –dry-run “