Configure Let's Encrypt SSL for Apache on Ubuntu 19.10
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public's benefit.
This guide will go through the steps needed to configure an SSL Certificate for Apache on Ubuntu 19.10 and renew the certificate automatically.
- Latest version of Apache installed and running on the system.
- Domain name with A record pointing to your server's IP address.
- Virtual host for your domain. Learn how to configure virtual host here.
Add the Repository
SSH into the server running your HTTP website with root or sudo privileges.
Run the following command to add the required repository
Run the following command to install Certbot and the package specific to Apache:
apt-get install certbot python-certbot-apache
Certbot is now installed and ready to use for configuring SSL for Apache.
Set up SSL Certificate
Confirm that the Virtual host for your domain is set up and working.
Open the virtual host file:
Find the ServerName:
# other items omitted
ServerName example.com
ServerAlias www.example.com
# other items omitted
Verify that the config file's syntax is correct:
If an error occurs, check for any typos or missing characters. Once the syntax is correct, reload Apache to load the new configuration.
systemctl reload apache2
Set up Firewall rules to allow HTTPS
To view the current settings:
root@my:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)
To allow HTTPS traffic:
ufw allow 'Apache Full'
Status should now look like:
root@my:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
Apache                     ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
22                         ALLOW       Anywhere
Apache (v6)                ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
Set up SSL Certificate
Run this command to get a certificate and have Certbot edit your Apache configuration automatically to serve it, turning on HTTPS access in a single step.
certbot --apache -d example.com -d www.example.com
You will have to accept the terms of service.
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-02-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
This acknowledgement confirms that the SSL certificate for www.example.com was issued successfully.
You can now load your website using https:// and verify that the connection is secure by the lock icon in the URL bar.
To check that you have a top-of-the-line installation, navigate to https://www.ssllabs.com/ssltest/.
Let's Encrypt certificates are valid for 90 days only, so they must be renewed regularly. Renewal can be automated.
The certbot package on your system comes with a cron job or systemd timer that will renew your certificates automatically before they expire.
You will not need to run Certbot again, unless you change your configuration.
You can test automatic renewal for your certificates by running this command:
certbot renew --dry-run
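A dry run only shows that renewal can work, not that it keeps happening. The following check is an added example, not part of the original guide or of Certbot: it reads the expiry date of the live certificate and flags it when renewal looks overdue. It assumes GNU date and openssl are installed and that Certbot renews once fewer than 30 days remain; the function names and the threshold variable are hypothetical.

```shell
#!/bin/sh
# Added example: warn when automatic renewal appears to have stopped working.
# Assumptions: GNU date (as on Ubuntu), openssl installed, and a 30-day
# renewal window before expiry.

RENEW_WINDOW_DAYS=30

# Print the certificate's notAfter date, e.g. "Feb  5 12:00:00 2020 GMT".
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | cut -d= -f2
}

# days_left NOTAFTER [NOW_EPOCH] -> whole days until expiry, rounded down
# (negative once the certificate has expired).
days_left() {
    end=$(date -u -d "$1" +%s) || return 2
    now=${2:-$(date -u +%s)}
    diff=$(( end - now ))
    # Shell division truncates toward zero; shift negatives so we floor.
    if [ "$diff" -lt 0 ]; then diff=$(( diff - 86399 )); fi
    echo $(( diff / 86400 ))
}

# renewal_state DAYS -> ok | overdue | expired
renewal_state() {
    if [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -lt "$RENEW_WINDOW_DAYS" ]; then echo overdue
    else echo ok
    fi
}

# check_cert PEM -> prints a status line; non-zero exit unless state is ok.
check_cert() {
    not_after=$(cert_not_after "$1")
    [ -n "$not_after" ] || return 2      # unreadable or missing certificate
    days=$(days_left "$not_after") || return 2
    state=$(renewal_state "$days")
    echo "$1: $days days left ($state)"
    [ "$state" = ok ]
}

# Run only when a certificate path is given, for example
# /etc/letsencrypt/live/example.com/fullchain.pem
if [ "$#" -gt 0 ]; then
    check_cert "$1"
fi
```

Run it from a daily cron job or a monitoring agent with the fullchain.pem path shown in the Certbot output, and alert on a non-zero exit status.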
This concludes setting up and configuring Let's Encrypt for Apache on Ubuntu 19.10.