How to Secure Apache with Free Let’s Encrypt SSL Certificate on Ubuntu and Debian

You have a newly registered domain name, and your web server runs with a self-signed SSL certificate that you issued yourself, which causes headaches for clients visiting the domain because of the certificate errors it generates? You have a limited budget and can’t afford to buy a certificate issued by a trusted CA? This is where the Let’s Encrypt software comes onto the scene and saves the day.

If you’re looking to install Let’s Encrypt for Apache or Nginx on RHEL, CentOS, Fedora or Ubuntu and Debian, follow these guides below:

Setup Let’s Encrypt to Secure Apache on RHEL and CentOS 7/6

Setup Let’s Encrypt to Secure Nginx on Ubuntu and Debian

Let’s Encrypt is a Certificate Authority (CA) that lets you obtain the free SSL/TLS certificates your server needs to run securely, giving your users a smooth browsing experience without any errors.

Most of the steps required to generate a certificate are automated for the Apache webserver. However, regardless of your web server software, some steps must be done manually and the certificates must be installed manually, especially if your website content is served by the Nginx daemon.


This tutorial will guide you through installing the Let’s Encrypt software on Ubuntu 14.04 or Debian 8, generating and obtaining a free certificate for your domain, and manually installing the certificate in Apache and Nginx webservers.

Requirements

  1. A public registered domain name with valid A records pointing back to your server’s external IP address. If your server is behind a firewall, take the necessary measures to ensure that it is accessible world-wide from the internet by adding port forward rules on the router side.
  2. Apache web server installed with the SSL module enabled, and with virtual hosting enabled in case you host several domains or subdomains.

Step 1: Install Apache and Enable SSL Module

1. If you don’t already have the Apache webserver installed on your machine, issue the following command to install the apache daemon.

$ sudo apt-get install apache2

2. Activating the SSL module for the Apache webserver on Ubuntu or Debian is quite straightforward. Enable the SSL module and activate the apache default SSL virtual host by issuing the commands below:

$ sudo a2enmod ssl
$ sudo a2ensite default-ssl.conf
$ sudo service apache2 restart
or
$ sudo systemctl restart apache2.service

Visitors can now access your domain name over the HTTPS protocol. However, because your server’s self-signed certificate is not issued by a trusted certificate authority, an error alert is displayed in their browsers, as illustrated in the image below.

https://yourdomain.com

Verify SSL Encryption on Website

Step 2: Install Free Let’s Encrypt Client

3. To install the Let’s Encrypt software on your server you need to have the git package installed on your system. Issue the following command to install git:

$ sudo apt-get -y install git

4. Next, choose a directory in your system hierarchy where you want to clone the Let’s Encrypt git repository. In this tutorial we will use the /usr/local/ directory as the installation path for Let’s Encrypt.

Switch to the /usr/local directory and install the letsencrypt client by issuing the following commands:

$ cd /usr/local
$ sudo git clone https://github.com/letsencrypt/letsencrypt

Step 3: Generate an SSL Certificate for Apache

5. The process of obtaining an SSL certificate for Apache is automated thanks to the Apache plugin. Generate the certificate by issuing the following command against your domain name. Provide your domain name as a parameter to the -d flag.

$ cd /usr/local/letsencrypt
$ sudo ./letsencrypt-auto --apache -d your_domain.tld

If you need the certificate to cover multiple domains or subdomains, add each of them with its own -d flag after the base domain name. Every name must have a valid DNS record.

$ sudo ./letsencrypt-auto --apache -d your_domain.tld -d www.your_domain.tld

6. Agree to the license, enter an email address for recovery, and choose whether clients can browse your domain over both HTTP and HTTPS (insecure and secure) or whether all non-secure requests are redirected to HTTPS.

7. After the installation process finishes successfully, a congratulations message is displayed on your console informing you about the expiration date and how you can test the configuration, as illustrated in the screenshots below.

Letsencrypt Installation Finishes

Letsencrypt Enabled on Website

Now you should be able to find your certificate files in the /etc/letsencrypt/live directory with a simple directory listing.

$ sudo ls /etc/letsencrypt/live

8. Finally, to verify the status of your SSL Certificate visit the following link. Replace the domain name accordingly.

https://www.ssllabs.com/ssltest/analyze.html?d=your_domain.tld&latest

Also, visitors can now access your domain name over HTTPS without any error appearing in their web browsers.

Step 4: Auto Renew Let’s Encrypt Certificates

9. By default, certificates issued by the Let’s Encrypt authority are valid for 90 days. To renew a certificate before its expiration date, you must manually run the client again with exactly the same flags and parameters as earlier.

$ sudo ./letsencrypt-auto --apache -d your_domain.tld

Or in case of multiple subdomains:

$ sudo ./letsencrypt-auto --apache -d your_domain.tld -d www.your_domain.tld

10. The certificate renewal process can be automated with the Linux cron scheduling daemon so that it runs less than 30 days before the expiration date.

$ sudo crontab -e

Add the following command at the end of the crontab file using one line only:

0 1 1 */2 * cd /usr/local/letsencrypt && ./letsencrypt-auto certonly --apache --renew-by-default -d domain.tld >> /var/log/domain.tld-renew.log 2>&1

11. The renewal configuration file that the Let’s Encrypt software keeps for your domain can be found in the /etc/letsencrypt/renewal/ directory.
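How much slack the schedule from step 10 leaves can be worked out directly. The following is an added example, not part of the original tutorial: it lists the firing times of the `0 1 1 */2 *` entry and the days of validity left at each run, with and without one failed run. It assumes validity is counted from the moment the job runs; the function names are illustrative.

```python
from datetime import datetime, timedelta

VALIDITY = timedelta(days=90)   # Let's Encrypt lifetime stated in step 9
CRON_MONTHS = range(1, 13, 2)   # month field "*/2" -> 1,3,5,7,9,11


def cron_runs(first_year, years=2):
    """Firing times of '0 1 1 */2 *': 01:00 on day 1 of every second month."""
    return [datetime(y, m, 1, 1, 0)
            for y in range(first_year, first_year + years)
            for m in CRON_MONTHS]


def renewal_margins(first_year, failed=()):
    """Days of validity left on the live certificate at each cron run.

    Assumes a certificate is issued at the first run and that validity is
    counted from the moment of issuance. `failed` holds run times where the
    job errored out, so the old certificate stayed in place. A negative
    margin means visitors saw an expired certificate for that many days.
    """
    runs = cron_runs(first_year)
    expires = runs[0] + VALIDITY
    margins = {}
    for run in runs[1:]:
        margins[run] = (expires - run).days
        if run not in failed:
            expires = run + VALIDITY
    return margins


if __name__ == "__main__":
    print("every run succeeds:")
    for run, days in renewal_margins(2023).items():
        print(f"  {run:%Y-%m-%d}  {days:>3} days left")
    missed = datetime(2023, 9, 1, 1, 0)   # constructed failure for illustration
    print("run of 2023-09-01 fails:")
    for run, days in renewal_margins(2023, failed={missed}).items():
        print(f"  {run:%Y-%m-%d}  {days:>3} days left")
```

When every run succeeds the certificate is replaced with about a month of validity left (28 to 31 days). A single failed run leaves the site on an expired certificate for 33 days before the next scheduled attempt, so the log file written by the cron entry is worth checking after each run.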

$ cat /etc/letsencrypt/renewal/caeszar.tk.conf

You should also check the file /etc/letsencrypt/options-ssl-apache.conf to view the new SSL configuration file for the Apache webserver.

12. The Let’s Encrypt apache plugin also modifies some files in your webserver configuration. To check which files have been modified, list the content of the /etc/apache2/sites-enabled directory.

$ ls /etc/apache2/sites-enabled/
$ sudo cat /etc/apache2/sites-enabled/000-default-le-ssl.conf

That’s all for now! The next tutorials in this series will discuss how you can obtain and install a Let’s Encrypt certificate for the Nginx webserver on Ubuntu and Debian, and on CentOS as well.

Posted by News Monkey