Configure Let's Encrypt SSL for Apache on Ubuntu 19.10

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public's benefit.

This guide will go through the steps needed to configure an SSL Certificate for Apache on Ubuntu 19.10 and renew the certificate automatically.

Prerequisites

  • Latest version of Apache installed and running on the system.
  • Domain name with an A record pointing to your server's IP address.
  • Virtual host configured for your domain.

Add the Repository

SSH into the server running your HTTP website with root or sudo privileges.

Run the following command to add the required repository:

add-apt-repository ppa:certbot/certbot

Installing Certbot

Run this command to install Certbot together with its Apache plugin:

apt-get install certbot python-certbot-apache

Certbot is now installed and ready to use for configuring SSL for Apache.

Set up SSL Certificate

Confirm that the Virtual host for your domain is set up and working.

Open the virtual host file:

vi /etc/apache2/sites-available/example.com.conf

Find the ServerName and ServerAlias directives:

# other items omitted
ServerName example.com
ServerAlias www.example.com
# other items omitted

Verify that the config file's syntax is correct:

apache2ctl configtest

If an error occurs, check for any typos or missing characters. Once the syntax is correct, reload Apache to load the new configuration.

systemctl reload apache2
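
Certbot's Apache plugin chooses which virtual host to edit by matching the requested domains against ServerName and ServerAlias, so it is worth confirming those names before asking for a certificate. The shell check below is an added example, not part of the original guide; the function names vhost_names and missing_domains and the sample vhost are constructed for illustration.

```sh
# Added example: confirm a vhost file names every domain you are about to
# pass to "certbot --apache -d ...". Function names are hypothetical.

# vhost_names CONF: print each ServerName/ServerAlias value, lowercased,
# with the optional scheme:// and :port that ServerName allows removed.
vhost_names() {
    awk '
        /^[[:space:]]*#/ { next }            # skip comment lines
        tolower($1) == "servername" || tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                sub(/^[a-z]+:\/\//, "", n)
                sub(/:[0-9]+$/, "", n)
                print n
            }
        }
    ' "$1"
}

# missing_domains CONF DOMAIN...: print every DOMAIN that no name in CONF
# covers. Returns 0 if all covered, 1 if any missing, 2 if CONF is unreadable.
missing_domains() {
    conf=$1; shift
    names=$(vhost_names "$conf") || return 2
    rc=0
    for domain in "$@"; do
        want=$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')
        found=no
        while IFS= read -r name; do
            # ServerAlias accepts * and ? wildcards; an unquoted case
            # pattern matches them the same way.
            case $want in $name) found=yes ;; esac
        done <<EOF
$names
EOF
        [ "$found" = yes ] || { printf '%s\n' "$domain"; rc=1; }
    done
    return $rc
}

# Constructed sample vhost (not from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
    # ServerName commented.example.com
    ServerName example.com
    ServerAlias www.example.com *.dev.example.com
</VirtualHost>
EOF
missing_domains "$sample" example.com www.example.com shop.example.com \
    || echo "^ not named in $sample: fix the vhost before running certbot" >&2
```

On a real server, point missing_domains at /etc/apache2/sites-available/example.com.conf and list the same domains you plan to give to certbot.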

Set up Firewall rules to allow HTTPS

View the current settings:

ufw status

Output:

root@my:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)

Allow HTTPS traffic:

ufw allow 'Apache Full'

Status should now look like:

root@my:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
Apache                     ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
22                         ALLOW       Anywhere
Apache (v6)                ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)

Set up SSL Certificate

Run this command to get a certificate and have Certbot edit your Apache configuration automatically to serve it, turning on HTTPS access in a single step.

certbot --apache -d example.com -d www.example.com

You will have to accept the terms of service.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-02-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You will receive this acknowledgement that the SSL certificate setup for example.com and www.example.com was successful.

You can now open your website using https:// and verify that the connection is secure by the lock icon in the URL bar.

To check that you have a top-of-the-line installation, test your site at https://www.ssllabs.com/ssltest/.

Certbot Auto-Renewal

Let's Encrypt certificates are valid for only 90 days, so you have to renew them regularly. The renewal can be automated.

The certbot package on your system comes with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again unless you change your configuration.

You can test automatic renewal for your certificates by running this command:

certbot renew --dry-run

This concludes setting up and configuring Let's Encrypt for Apache on Ubuntu 19.10.