In this tutorial, we will examine how to secure Apache with Let’s Encrypt for the Ubuntu 16.04 operating system. We will first examine an overview of Let’s Encrypt, certificate authorities, and then dive into a step by step guide to install & configure Let’s Encrypt on your Ubuntu 16.04 VPS servers and the review how to automatically renew SSL certificates.
What is Let’s Encrypt?
Let’s Encrypt is a free, automated, and open Certificate Authority (CA), that provides the ability to secure a website. Let’s Encrypt also provides automation and tools to reduce setup and maintenance challenges needed to secure web servers using HTTPS (SSL/TLS).
Why use Let’s Encrypt as your Certificate Authority?
Let’s Encrypt is free, easy to create, configure, and renew certificates on web servers (like Apache).
Most administrators who host web servers have a goal of attracting new visitors along with retaining end-user attention – as this often translates into profits or a growing website community. People hosting web servers also want to reduce maintenance and cost.
End users, on the other hand, are motivated to visit websites that are safe and do not compromise their security.
To satisfy both administrators and end users, a Certificate Authority is used to validate the authenticity of the web server’s domain name.
Traditional CA (Certificate Authorities) solutions like Verisign required domain owners to pay a fee to use the CA services, this is no longer required when using Let’s Encrypt. The Let’s encrypt service is funded by sponsors and donors.
How Certificate Authority works
- The web server admin creates a private and public key pair. Using the public key the website admin will create a CSR (certificate signing request) and then send the CSR to a Certificate Authority.
- The Certificate Authority signs the CSR and returns a final certificate that the web server admin will install on their web server.
- The final certificate is signed by the Certificate Authorities private key and holds metadata about the admin’s web server.
- When a website visitor goes to the web page, the visitor’s browser will download the final certificate from the web server. The visitor’s browser will contact the Certificate Authority to make sure that the certificate downloaded from the website is valid.
- If the Certificate authority confirms that the certificate is authentic/valid, the website visitor will receive a green padlock in their browser in the URL address box. This will notify the end user that the website is safe to visit.
Prerequisites to installing Let’s Encrypt on Ubuntu
- You must be an administrator of the domain name you want to secure; for this tutorial, we will be using the DNS hostname “LetsEncryptTutorial.ddns.net.
- You need to have your public IP address.
- You must install Apache web server if it’s not already installed.
- Update the Ubuntu apt repository package definitions. Open a command line terminal and type “apt-update” or if you are logged in as a non-root user, type “sudo apt update”.
- To Install Apache: “apt install apache2 -y” or “sudo apt install apache2 -y”
- Change into the directory called /var/www/html and ensure an index.html file exists in the directory.
- Optional but recommended: Edit the default index.html title to be unique (example: Let’s Encrypt tutorial website) by adding “Let’s Encrypt tutorial” to the body. NOTE: This is simply to help you confirm the server is resolving and you are not accessing cached pages.
- If using systemd for startup restart Apache “systemctl restart apache2” or “sudo systemctl restart apache2” if using non-root user. If using init run “service apache2 restart”
- Confirm Apache is running properly on your system. If using systemd use “systemctl status apache2” and if using init use “service apache2 status”
- Confirm that the modified default Apache website is now available via a web browser
First, confirm that port 80 is open and working by going to the following URL,
http://:80 (you should see your edited webpage)
Next, confirm that the web server SSL port 443 is also open and working by going to the following,
NOTE: When the server resolves in a browser using port 443 you will get a “Not Encrypted” or “Not Secure” error in the address bar. That’s ok.
Caution: Do not proceed to the following steps if you are not able to successfully reach your Apache server on both ports 80 and 443. If the server does not resolve to either port contact your network admins to ensure that both ports are configured to allow web traffic.
Once we know Apache is resolving correctly, we can move on to the next section of this tutorial.
How to set up Let’s Encrypt on Apache
- Install common tools “apt-get install software-properties-common -y” if logged in as root user
- Add the apt component for installing new repositories, by running: “add-apt-repository universe”
- Add certbot to the list of apt repositories “add-apt-repository ppa:certbot/certbot”
- Update apt to detect the newly added repositories: “apt update”
- Install certbot to create and renew certificates using let’s encrypt: “apt-get install certbot python-certbot-apache -y”
- Run the certbot command to create SSL for your domain.
- Now visit https:// to verify that your new certificate works properly and your website has a valid certificate. You will notice a green lock icon confirming a secured connection is established with your Apache server. Click the green lock to get details about the SSL certificate.
How to automate the renewal of Let’s Encrypt
It is highly recommended to automate the renewal of your certificate to avoid http traffic interruption due to an expired SSL certificate. For Example; on the Apache server you can create a cron job to renew the certificate every month on the 10th at 6:04 am using cron by typing “sudo crontab -e” and at the bottom add the following line (below) and save/exit.
4 6 10 * * certbot –apache –force-renewal renew –quiet
The post How to Secure Apache with Let’s Encrypt Ubuntu 16.04 appeared first on Low End Box.