
Setup Let’s Encrypt Free SSL on Apache in 5 Steps


Prerequisites

  1. A regular user account that has sudo permissions.
  2. Apache must be installed and running, so it can serve web pages over HTTP. Make sure this is set up before you continue.
  3. A DNS A record that points your domain name to your server’s public IP address. This is necessary because Let’s Encrypt uses this information to confirm that you own the domain for which you want a certificate. For example, if you want a certificate for example.com, the DNS A record for example.com must point to your server’s public IP for the verification to work.

Step 1: Install the certbot client and the plugin

Certbot is a fully-featured software by Let’s Encrypt that can automate the tasks of obtaining certificates and configuring webservers to use them. This client runs on Unix-based operating systems.

If you are on Ubuntu/Debian:

On Ubuntu servers, the client is available in a PPA maintained by the Certbot team. Add the universe repository and the certbot PPA, then use the following commands to install the client and the plugin for Apache.

sudo apt update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python3-certbot-apache

If you are on CentOS/RHEL

To add the EPEL repository on CentOS 8, run the following command:

sudo dnf install epel-release

Now that you have access to the repository, you can install all the required packages:

sudo dnf install certbot python3-certbot-apache mod_ssl

Once installed, use the following command to test if the client is working correctly.

sudo certbot --help

If you see a list of all commands and their descriptions, then you are ready to go.

Step 2: Obtain SSL certificate

Let’s assume your domain is example.com. We will use certbot’s default Apache plugin, which takes care of obtaining the certificate, reconfiguring Apache and reloading its configuration.

To run the plugin, enter

sudo certbot --apache

This should result in a prompt like this:

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

You need not worry about spam, since your email is only used to contact you about renewal and security issues.

Next you should see a prompt like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

You can read their TOS and then press A followed by ENTER to agree to the TOS.
Then you should see a prompt like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Enter Y or N as per your preference and then press ENTER to proceed.
Then you should see a prompt like this:

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: example.com
2: www.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

You can choose any of them by entering 1 or 2 or leave it blank to select all.

Certbot automatically reads your domain names from the Apache example.com.conf file. If you want a certificate for any other subdomain or domain, make sure it is already present in example.com.conf before running certbot.
This is also the reason why you were asked to have Apache installed and serving HTTP before continuing with this guide.

After this you should see a prompt like this:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/example.com-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/example.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/example.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/example.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

For maximum security, it is always recommended to enable the HTTP to HTTPS redirect. Enter 2 followed by ENTER to enable it.

Finally you should see:

Redirecting all traffic on port 80 to ssl in /etc/apache2/sites-available/example.com.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
As the prompt says, you have successfully enabled SSL 🥳 🎉.

Step 3: Test SSL

You can now go to ssllabs.com/ssltest/ and run an SSL test on your domain.
A successful test should result in an ‘A’ rating.

(Screenshot: SSL Labs test result)

Step 4: Test auto renewal

SSL certificates issued by Let’s Encrypt expire after 90 days. Fortunately you need not do anything.
The certbot package we installed takes care of renewals by installing a renew job in /etc/cron.d that runs twice a day and automatically renews any certificate that is within thirty days of expiration.

To test that the renewal process works, you can run:

sudo certbot renew --dry-run

If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Apache to adopt the changes.

If by any chance the automated renewal process fails, Let’s Encrypt will send a message to the email you specified, warning you about the upcoming certificate expiry.
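A broken renewal job otherwise only shows up when the expiry warning arrives or the certificate lapses, so an independent expiry check is worth running from cron or a monitoring agent. This is an added example, not code from the original post or from the Certbot project; it assumes the certificate lives at certbot's default path /etc/letsencrypt/live/example.com/fullchain.pem and uses a constructed notAfter line for the offline demo.

```shell
#!/bin/sh
# Expiry monitor for the certificate certbot installed. Pure POSIX sh, so it
# needs no GNU `date -d` and also runs under dash/busybox.

# Days since 1970-01-01 for a UTC civil date (Hinnant's days_from_civil, year >= 0).
days_from_civil() {  # $1=year $2=month $3=day
  cy=$1; cm=$2; cd=${3#0}
  [ "$cm" -le 2 ] && cy=$((cy - 1))
  era=$((cy / 400)); yoe=$((cy - era * 400))
  doy=$(( (153 * ((cm + 9) % 12) + 2) / 5 + cd - 1 ))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# UTC epoch for OpenSSL's "notAfter=Mon DD HH:MM:SS YYYY GMT" line.
not_after_epoch() {
  set -- ${1#notAfter=}          # -> Mon DD HH:MM:SS YYYY GMT
  mon=$1; day=$2; hms=$3; year=$4
  case $mon in
    Jan) mnum=1;; Feb) mnum=2;; Mar) mnum=3;; Apr) mnum=4;;  May) mnum=5;;  Jun) mnum=6;;
    Jul) mnum=7;; Aug) mnum=8;; Sep) mnum=9;; Oct) mnum=10;; Nov) mnum=11;; Dec) mnum=12;;
    *) echo "unrecognised notAfter line: $*" >&2; return 1;;
  esac
  hh=${hms%%:*}; rest=${hms#*:}; mm=${rest%%:*}; ss=${rest#*:}
  days=$(days_from_civil "$year" "$mnum" "$day")
  # Strip one leading zero so "08" is not read as an invalid octal number.
  echo $((days * 86400 + ${hh#0} * 3600 + ${mm#0} * 60 + ${ss#0}))
}

# Whole days left, given the notAfter line and "now" as a UTC epoch.
days_until_expiry() {
  exp=$(not_after_epoch "$1") || return 1
  echo $(( (exp - $2) / 86400 ))
}

# Returns 1 (and warns) if the PEM file at $1 has $2 days or fewer left. certbot
# renews inside the 30-day window, so a threshold such as 20 flags a renewal job
# that has silently stopped, well before visitors see an expired certificate.
check_cert_file() {
  line=$(openssl x509 -in "$1" -noout -enddate) || return 2
  left=$(days_until_expiry "$line" "$(date -u +%s)")
  if [ "$left" -le "$2" ]; then
    echo "WARNING: $1 expires in $left day(s); check 'certbot renew'" >&2; return 1
  fi
  echo "OK: $1 has $left day(s) left"
}

# Constructed sample (not a real certificate): expiry 2025-03-15 12:00 UTC, with
# "now" fixed at epoch 1739000000 so the demo is reproducible offline.
echo "Sample: $(days_until_expiry 'notAfter=Mar 15 12:00:00 2025 GMT' 1739000000) day(s) left"
# Live use: check_cert_file /etc/letsencrypt/live/example.com/fullchain.pem 20
```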

Step 5 (optional): Deny HTTP traffic

After you set up HTTPS, you can optionally deny HTTP traffic (non-secure) on port 80. Note that the http-01 challenge certbot used in Step 2 is validated over port 80, so closing it will also break automatic renewal unless you switch to another challenge type; with the redirect from Step 2 in place, leaving port 80 open is usually the safer choice. If you are using UFW (Uncomplicated Firewall), which is the default firewall configuration tool for Ubuntu, then use

sudo ufw delete allow 80/tcp

Summary

In this guide, you learnt how to install Let’s Encrypt’s client certbot, configure it to get an SSL certificate for your domain, and confirm that Certbot’s automatic renewal is active.

If you have further questions about using Certbot, you can read their extensive documentation.
