Free Apache Security with Let's Encrypt on Ubuntu
Introduction
In this article, we will tell you how to set up a TLS/SSL certificate from Let's Encrypt on an Ubuntu 14.04 server with Apache installed as a web server (write in the comments if you need to expand the article with a description of the installation process on nginx). Let's Encrypt certificates are issued for 90 days, so in this article we will touch upon the issue of automating certificate renewal.
SSL/TLS certificates let a web server prove its identity to clients and let browsers establish an encrypted connection to it, protecting users who visit your sites from eavesdropping and tampering. Let's Encrypt provides an easy way to get and install trusted certificates for free.
Requirements
In order to complete all the steps in the guide, you will need:
- VDS with Ubuntu 14.04 with a root user (you get access to it during server initialization) or a user with the ability to use sudo (you can configure it yourself).
- Apache web server installed and properly configured for one or more hostnames.
Procedure
Step 1 - Installing Dependencies
The first thing we will do is update the package manager cache to have access to the latest software versions:
sudo apt-get update
In order to get the Let's Encrypt software, we need Git (a popular version control system). To install it, run the following command:
sudo apt-get install git
Step 2 - Installing the Let's Encrypt Client
In this step, we will download the Let's Encrypt client from the official project repository and place its files in a special directory on the server. We do this through Git to facilitate upgrades when they become available.
For our purposes, we will place the client in the /opt directory, which is the conventional location for third-party software. On Ubuntu it normally already exists; create it only if it is missing:
sudo mkdir -p /opt
To create a local copy of the Let's Encrypt client, run:
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Step 3 - Installing the SSL Certificate
Getting an Apache SSL certificate using Let's Encrypt is very easy. The client generates a private key on the server, proves to Let's Encrypt that you control the domains passed as parameters (it uses the running Apache server to answer the validation challenge), obtains the certificate, and configures Apache to use it.
Let's go to the letsencrypt directory:
cd /opt/letsencrypt
To perform an interactive installation and obtain a certificate that is valid for only one domain, run the letsencrypt-auto command with the following parameters:
./letsencrypt-auto --apache -d example.com
If you want a single certificate valid for several domains or subdomains (for example when several sites are hosted on the same VDS and share one IP address, or when your site is reachable both with and without www), pass each of them as an additional -d parameter. Let's Encrypt uses the first name given as the base name of the certificate (it also becomes the directory name under /etc/letsencrypt/live), so we recommend passing the bare domain first, followed by any subdomains or aliases:
./letsencrypt-auto --apache -d example.com -d www.example.com
In this example, the base domain will be example.com.
After all the necessary dependencies are installed, you will be asked to configure the certificate parameters step by step. The first thing you will be asked for is an email address; Let's Encrypt uses it for expiry warnings and urgent security notices and for recovering your account, so give a real one. Next you will be asked whether to serve the site over both HTTP and HTTPS or to redirect all HTTP requests to HTTPS; redirecting is the safer choice when nothing depends on plain HTTP.
When the installation is complete, the new certificate files will be available under /etc/letsencrypt/live/example.com/: cert.pem (the certificate), chain.pem (the intermediate certificate), fullchain.pem (both together) and privkey.pem (the private key). The private key is the secret that protects your site; keep it readable by root only and never copy it into a web-accessible directory. You can check the status of your SSL certificate at the following link (remember to replace example.com with your base domain for the certificate): https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest
Now you should be able to visit your site using HTTPS (https://example.com).
Step 4 - Configuring Auto Renewal
Let's Encrypt certificates are valid for 90 days, but we recommend attempting renewal well before that, around the 60-day mark, so that there is time to notice and fix a failed renewal before the certificate expires.
To renew all installed certificates, run the client you installed in Step 2 with the renew subcommand (it must run as root, because it writes to /etc/letsencrypt and reloads Apache):
sudo /opt/letsencrypt/letsencrypt-auto renew
To automate the renewal process, we will add a task to the cron. To edit the crontab for the root user, run the following command:
sudo crontab -e
Insert the following line:
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt-renew.log 2>&1
Save the file and exit the editor.
This will create a new job that runs every Monday at 2:30 AM and renews any certificate that has fewer than 30 days left before expiration; certificates with more time left are skipped, so it is safe to run the job often. All output of the command, errors included, is appended to the log file at /var/log/letsencrypt-renew.log. Apache only serves the renewed certificate after it has been reloaded; the Apache plugin used in Step 3 takes care of this during renewal, but after the first automatic renewal check the log and confirm that the expiry date shown by the SSL Labs test has moved forward.
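As an added example (not part of the original tutorial or the Let's Encrypt client), here is a small shell script with the two checks a practitioner wants around Steps 3 and 4: that the private key and certificate in /etc/letsencrypt/live/<domain>/ actually belong together, and how many days the certificate has left, which tells you whether it is inside the 30-day window in which the renew command will act. The function names are ours; the script assumes openssl and GNU date, both present on Ubuntu.

```shell
#!/bin/bash
# Added example: certificate checks for a Let's Encrypt deployment.
# Assumes openssl and GNU date (Ubuntu). Function names are our own;
# the /etc/letsencrypt/live/<domain>/ layout is the one the client creates.

# Print the number of whole days until the certificate in $1 expires.
days_until_expiry() {
    local not_after end_epoch now_epoch
    # "openssl x509 -enddate" prints "notAfter=Mar  1 12:00:00 2025 GMT"
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2) || return 1
    end_epoch=$(date -d "$not_after" +%s) || return 1   # GNU date parses this form
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeed (exit 0) if the certificate in $1 should be renewed, i.e. it has
# fewer than $2 days left (default 30, the threshold "renew" itself uses).
needs_renewal() {
    local days
    days=$(days_until_expiry "$1") || return 2
    [ "$days" -lt "${2:-30}" ]
}

# Succeed if the public key inside certificate $1 is the public half of
# private key $2. Compares PEM public keys, so it works for RSA and EC keys.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: check-cert.sh /etc/letsencrypt/live/example.com
# Reports key/cert consistency and the renewal status of that directory.
if [ -n "${1:-}" ]; then
    live_dir=$1
    if key_matches_cert "$live_dir/cert.pem" "$live_dir/privkey.pem"; then
        echo "key and certificate match"
    else
        echo "WARNING: privkey.pem does not match cert.pem" >&2
    fi
    days=$(days_until_expiry "$live_dir/cert.pem")
    if needs_renewal "$live_dir/cert.pem"; then
        echo "renewal due: $days days left"
    else
        echo "ok: $days days left"
    fi
fi
```

Run it against the live directory of your certificate after Step 3 to confirm the installation, and after the first automatic renewal to confirm that the day count has gone back up to about 90.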
Step 5 - Updating the Let's Encrypt Client (Optional)
Whenever new Let's Encrypt updates are available, you can update your local copy by running git pull in the Let's Encrypt directory:
cd /opt/letsencrypt
sudo git pull
This will download all the latest client changes to your server.
Result
In this tutorial, we walked through how to install a free Let's Encrypt SSL certificate on a site running an Apache web server. We recommend that you periodically check the Let's Encrypt blog ( https://letsencrypt.org/blog/ ) for important updates.