How to Secure Apache with Let’s Encrypt on Ubuntu 18.04


    ## Table of Contents

    - [Introduction](#introduction)
    - [Prerequisites](#prerequisites)
    - [Install Apache](#install-apache)
    - [Check your Apache Web Server](#check-your-apache-web-server)
    - [Manage your Apache Web Server](#manage-your-apache-web-server)
    - [Setup Virtual Hosts](#setup-virtual-hosts)
    - [Install Certbot](#install-certbot)
    - [Obtain an SSL Certificate](#obtain-an-ssl-certificate)
    - [Verify Certbot Auto-Renewal](#verify-certbot-auto-renewal)
    - [Conclusion](#conclusion)

    ## Introduction

    In this guide, we explain how to obtain an SSL certificate using Certbot, how to secure Apache with Let’s Encrypt on Ubuntu 18.04, and how to renew the SSL certificate automatically.

    [Let’s Encrypt](https://letsencrypt.org/) is an automated certificate authority (CA), provided by the Internet Security Research Group (ISRG), that offers an easy way to obtain and install free SSL/TLS certificates, and so to enable encrypted HTTPS on web servers at no cost. It simplifies the process by providing a client, Certbot, that automates most of the necessary steps. With the Apache plugin used in this guide, the entire process is fully automated.

    ## Prerequisites
    - An Ubuntu 18.04 server with a non-root user account that has sudo privileges. The best practice is to run administrative commands as a sudo user instead of root.
    - Apache must be installed on Ubuntu 18.04.
    - You must own or have access to a registered domain that you wish to use the SSL/TLS certificate with. In this tutorial, we use systemongrid.ml, which we registered for free on freenom.com.
    - You must have created a DNS record that points your domain to the public IP address of your server. Let’s Encrypt uses this to validate that you are the owner of the domain it is issuing an SSL/TLS certificate for.

    ## Install Apache

    Before installing Apache, update the local packages index to reflect the updated upstream changes using the apt package manager.
    ```
    $ sudo apt update
    ```
    Now, install the apache2 package.
    ```
    $ sudo apt install apache2
    ```
    Then, confirm the installation to allow apt to install Apache and all required dependencies.

    ## Check your Apache Web Server

    After installing Apache, the web server should be up and running automatically. Check it with the below command.
    ```
    $ sudo systemctl status apache2
    ```
    Output:

    ![apachewebserverstatus](https://grid.media/assets/images/apache-webserver-status.png)

    Your server has been started and is running successfully. You can also test this by requesting the Apache Ubuntu default page. You can do this by entering your server’s IP address in a web browser’s address bar.

    http://your_server_ip

    Output:

    ![apachedefaultpage](https://grid.media/assets/images/apache2-ubuntu-default-page.png)

    ## Manage your Apache Web Server

    You have installed the Apache web server and it is running successfully. You also need to know a few basic commands to manage your server.

    To stop your Apache web server, use the below command.
    ```
    $ sudo systemctl stop apache2
    ```

    To start your Apache web server when it is stopped, use the below command.
    ```
    $ sudo systemctl start apache2
    ```
    To stop and then start the Apache service again, use the below command.
    ```
    $ sudo systemctl restart apache2
    ```
    If you are only making configuration changes, Apache can reload without dropping connections. For this, use the below command.
    ```
    $ sudo systemctl reload apache2
    ```
    Apache is configured to start automatically when the server boots. To disable this behavior, use the below command.
    ```
    $ sudo systemctl disable apache2
    ```
    You can enable it again by using the below command.
    ```
    $ sudo systemctl enable apache2
    ```
    Now, the Apache web server should start automatically.

    ## Setup Virtual Hosts

    You can use virtual hosts in the Apache web server just like server blocks in Nginx. Virtual hosts encapsulate configuration details and let you host more than one domain from a single web server. We use a sample domain, systemongrid.ml, to explain the process. Replace it with your own domain name.

    Now, create a directory structure for your domain, systemongrid.ml, to store the data of your website. To do so, use the below command.
    ```
    $ sudo mkdir -p /var/www/systemongrid.ml/html
    ```
    Then, assign ownership of the directory to the current user, using the $USER environment variable.
    ```
    $ sudo chown -R $USER:$USER /var/www/systemongrid.ml/html
    ```
    If you haven’t modified your umask value, the permissions of the web root should be correct. You can make sure of this by using the following command.
    ```
    $ sudo chmod -R 755 /var/www/systemongrid.ml
    ```
    Now, create a sample index.html page using a text editor.
    ```
    $ vi /var/www/systemongrid.ml/html/index.html
    ```
    Add the following HTML code within the file.
    ```
    <html>
        <head>
            <title>Welcome to Systemongrid.ml!</title>
        </head>
        <body>
            <h1>Success! The systemongrid.ml server block is working!</h1>
        </body>
    </html>
    ```
    Then, save and close the file.

    To make the Apache web server serve this content, you need to create a virtual host file with the correct directives. Instead of editing the default configuration file, you can create a new one at /etc/apache2/sites-available/systemongrid.ml.conf using a text editor.
    ```
    $ sudo vi /etc/apache2/sites-available/systemongrid.ml.conf
    ```
    Paste the below configuration block within the file.
    ```
    # /etc/apache2/sites-available/systemongrid.ml.conf
    <VirtualHost *:80>
        ServerAdmin admin@systemongrid.ml
        ServerName systemongrid.ml
        ServerAlias www.systemongrid.ml
        DocumentRoot /var/www/systemongrid.ml/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    ```
    Then, save and close the file.

    Now, to enable the file with the a2ensite tool, use the below command.
    ```
    $ sudo a2ensite systemongrid.ml.conf
    ```
    To disable the default site defined in 000-default.conf, use the below command.
    ```
    $ sudo a2dissite 000-default.conf
    ```
    Then, to check for configuration errors, use the below command.
    ```
    $ sudo apache2ctl configtest
    ```
    Output:

    ![syntaxok](https://grid.media/assets/images/syntax-ok.png)

    Now, restart the Apache web server to implement your changes.
    ```
    $ sudo systemctl restart apache2
    ```
    Now, the Apache web server is serving your domain name. You can test this by navigating to http://systemongrid.ml in a web browser.

    Output:

    ![serverblockisworking](https://grid.media/assets/images/server-block-is-working.png)

    ## Install Certbot

    The first step in obtaining an SSL/TLS certificate using Let’s Encrypt is installing the Certbot software on your server. Install an up-to-date version of Certbot from the Ubuntu software repository that is developed and maintained by the Certbot developers.

    Add the repository using the below command.
    ```
    $ sudo add-apt-repository ppa:certbot/certbot
    ```
    Then, press ENTER to accept.

    Then, install Certbot’s Apache package using the below command.
    ```
    $ sudo apt install python-certbot-apache
    ```
    Now, Certbot is ready to use.

    ## Obtain an SSL Certificate

    Certbot provides many plugins to obtain SSL certificates. The Apache plugin takes care of re-configuring Apache and reloading the config whenever it is necessary.
    ```
    $ sudo certbot --apache -d systemongrid.ml -d www.systemongrid.ml
    ```
    The above command runs Certbot with the Apache plugin, using -d to specify the domain names that you are requesting the certificate for.

    If this is the first time that you are running Certbot, you will be asked to enter your email address and agree to the terms and conditions of the service.

    After this, Certbot communicates with the Let’s Encrypt server and runs a challenge to verify that you own or control the domain that you are requesting an SSL certificate for.

    If this is successful, Certbot will ask you to configure your HTTPS settings.

    ![redirecthttptraffictohttps](https://grid.media/assets/images/redirect-http-traffic-to-https-02132019.png)

    Choose one option, then hit ENTER. The configuration will be updated, and Apache will be reloaded to pick up the new settings.

    Now, Certbot will show you a message telling you that the process was successful and the path where the certificates are stored.

    ![letsencryptsslcertificate](https://grid.media/assets/images/lets-encrypt-ssl-certificate-02132019.png)

    Now, your SSL certificates are downloaded, installed, and configured.

    Load your website using https://systemongrid.ml and check your browser’s security indicator. It should show a green lock icon, indicating that the website is properly secured.
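
Certbot's Apache plugin looks for the virtual host to configure by matching the -d names against ServerName and ServerAlias, so it is worth checking that coverage before running the certbot command above. The script below is an added example, not part of the original guide; the function names are illustrative and blog.systemongrid.ml is a hypothetical extra name.

```bash
#!/usr/bin/env bash
# Added example: check that every name passed to certbot with -d is declared
# by a ServerName or ServerAlias directive in the virtual host file.

# vhost_names FILE: print the declared host names, lower-cased, one per line.
vhost_names() {
    awk 'tolower($1) == "servername" || tolower($1) == "serveralias" {
             for (i = 2; i <= NF; i++) print tolower($i)
         }' "$1"
}

# uncovered_names FILE NAME...: print each NAME that FILE does not declare.
# Wildcard aliases (*.example.com) are compared literally, not expanded.
uncovered_names() {
    vhost_file=$1; shift
    for name in "$@"; do
        want=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        vhost_names "$vhost_file" | grep -qxF -- "$want" || printf '%s\n' "$name"
    done
}

# write_sample_vhost FILE: constructed copy of the virtual host from this guide.
write_sample_vhost() {
    printf '%s\n' \
        '<VirtualHost *:80>' \
        '    ServerAdmin admin@systemongrid.ml' \
        '    ServerName systemongrid.ml' \
        '    ServerAlias www.systemongrid.ml' \
        '    DocumentRoot /var/www/systemongrid.ml/html' \
        '</VirtualHost>' > "$1"
}

sample=$(mktemp)
write_sample_vhost "$sample"
# blog.systemongrid.ml is a hypothetical name with no matching directive.
missing=$(uncovered_names "$sample" systemongrid.ml www.systemongrid.ml blog.systemongrid.ml)
echo "names without a matching vhost: ${missing:-none}"
rm -f "$sample"
```

On the server, pass /etc/apache2/sites-available/systemongrid.ml.conf as the file; any name the script prints needs a ServerName or ServerAlias entry before Certbot can match it to a virtual host automatically.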

    ## Verify Certbot Auto-Renewal

    The SSL certificates issued by Let’s Encrypt are valid for only 90 days. Certbot takes care of auto-renewal by running certbot renew twice a day via a systemd timer. On non-systemd distributions, the same job is provided by a script placed in /etc/cron.d. This task renews any certificate that is within 30 days of its expiration date.

    Use the following command to test the renewal process.
    ```
    $ sudo certbot renew --dry-run
    ```
    You are all set if you see no errors.

    If the auto-renewal process fails, Let’s Encrypt will send a message to the email address you specified when your certificate is about to expire.
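
To catch a failing renewal without relying on the expiry email, the certificate file can be checked against the renewal window directly. The script below is an added example, not part of the original guide; it assumes openssl is installed, and the sample certificates are self-signed ones constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: classify a certificate against a renewal window with openssl.
# Assumption: on a server set up as in this guide, the live certificate is
# /etc/letsencrypt/live/systemongrid.ml/cert.pem (certbot's default layout).

# cert_status PEM [WINDOW_DAYS]: prints ok | renewal-due | expired | unreadable.
# WINDOW_DAYS defaults to 30, the window in which certbot renews.
cert_status() {
    pem=$1
    window_days=${2:-30}
    if ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
        echo "unreadable"
    elif ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null 2>&1; then
        echo "expired"
    elif ! openssl x509 -noout -checkend "$((window_days * 86400))" \
            -in "$pem" >/dev/null 2>&1; then
        echo "renewal-due"
    else
        echo "ok"
    fi
}

# make_sample_cert DAYS OUT: constructed self-signed certificate valid for DAYS,
# so the example runs without a real Let's Encrypt certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=sample.invalid" -keyout "$2.key" -out "$2" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_sample_cert 90 "$dir/fresh.pem"   # as if just issued
    make_sample_cert 10 "$dir/stale.pem"   # as if renewal had been failing
    echo "fresh: $(cert_status "$dir/fresh.pem")"
    echo "stale: $(cert_status "$dir/stale.pem")"
    rm -rf "$dir"
}

demo
```

For monitoring, call cert_status with a window smaller than 30 days, for example 20: a renewal-due result then means the twice-daily renewal has been failing for about ten days. Reading files under /etc/letsencrypt/live normally requires root.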

    ## Conclusion

    You have successfully obtained an SSL certificate using Certbot, secured Apache with Let’s Encrypt on Ubuntu 18.04, and set up automatic renewal of the SSL certificate.