LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

How To Secure Apache with Let’s Encrypt on Ubuntu 18.04

Date/Time: March 6, 2020 @ 8:30 am, by Jon Biloh

Apache is a web server developed by the Apache Foundation in 1995. It is one of the most widely used and robust web servers. To encrypt the traffic between server and client, the Apache web server needs a valid SSL certificate.

Let’s Encrypt is a certificate authority that provides free SSL certificates, and its certificates work out of the box with all major web browsers. Certbot is the Let’s Encrypt client developed by the Electronic Frontier Foundation (EFF). A Let’s Encrypt SSL certificate improves the security of Apache and is easy to integrate using the Certbot tool. In this tutorial you will secure the Apache web server with a free Let’s Encrypt SSL certificate on your Ubuntu 18.04 server.

Prerequisites

  • A valid domain name is required to generate free Let’s Encrypt SSL certificates. You can use a paid domain name or a free one from one of the various domain registrars.
  • Configure your DNS so that your domain name and subdomain point to your server’s IPv4 address.

Step-1: Installing Required Packages

Installing the Apache web server and Certbot is very straightforward. The default Ubuntu repository contains all the Apache and Certbot packages, and the Advanced Packaging Tool (APT), Ubuntu’s default package manager, installs them.

First clear out the old apt package cache.

sudo apt clean

Then update the package lists so apt knows about the latest package versions.

sudo apt update

Perform a full upgrade to bring the installed packages up to date.

sudo apt dist-upgrade

Once the upgrade is done, install the Apache web server and Certbot (the Let’s Encrypt client) with its Apache plugin using apt.

sudo apt install apache2 python-certbot-apache

After the packages are installed, configure the firewall as explained in the next step.

Step-2: Configure the UFW firewall

UFW (Unified Firewall) is the default firewall on Ubuntu. It is a port-based firewall that is easy to configure and manage. The Apache web server needs both the HTTP and HTTPS services so that it can serve regular and encrypted traffic.

To allow these services, the HTTP (80) and HTTPS (443) ports that the Apache web server listens on must be open. Allow them with port-based rules in the firewall:

sudo ufw allow http
sudo ufw allow https

The SSH port (22) is needed to log in to the server, but for security it is better to restrict it. The limit rule keeps the port open while rate-limiting connection attempts, which protects it against brute-force attacks.

sudo ufw limit ssh

After adding all the rules, enable the firewall. This starts it now and also enables it at boot, so the rules survive a reboot.

sudo ufw enable

When that is done, check that the ports have been added.

sudo ufw status

If everything is configured correctly, the output looks like this sample:

Status: active

To Action From
-- ------ ----
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp LIMIT Anywhere
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
22/tcp (v6) LIMIT Anywhere (v6)
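Rather than eyeballing that output, a practitioner usually wants a check that the firewall policy matches the intended one: the three rules above present with the right action, the firewall active, and no other port opened by mistake. The following POSIX sh function is an added example, not part of the original post; it assumes only that `ufw status` prints rules in the layout shown above (port, action, source in whitespace-separated columns).

```shell
#!/bin/sh
# Added example (not from the original post): audit the text of `ufw status`
# against the rule set this tutorial expects and flag anything extra.
# On the server, run:   audit_ufw_status "$(sudo ufw status)"

# IPv4 rules the tutorial adds, encoded as "<port>/<proto>:<ACTION>".
EXPECTED_RULES="80/tcp:ALLOW 443/tcp:ALLOW 22/tcp:LIMIT"

# audit_ufw_status STATUS_TEXT
# Prints one PROBLEM line per finding. Returns 0 only when the firewall is
# active, every expected rule is present with its action, and no other
# port-based ALLOW/LIMIT rule exists (least exposure).
audit_ufw_status() {
    status=$1
    rc=0
    expected_ports=""

    case "$status" in
        "Status: active"*) ;;
        *) echo "PROBLEM: firewall is not active (was 'ufw enable' run?)"; rc=1 ;;
    esac

    for rule in $EXPECTED_RULES; do
        port=${rule%%:*}
        action=${rule#*:}
        expected_ports="$expected_ports $port"
        # IPv4 lines look like "80/tcp   ALLOW   Anywhere"; column width varies.
        if ! printf '%s\n' "$status" |
             grep -Eq "^$port[[:space:]]+$action[[:space:]]+Anywhere[[:space:]]*$"; then
            echo "PROBLEM: missing rule '$port $action'"
            rc=1
        fi
    done

    # Any other port rule (with or without /proto) widens exposure beyond
    # what the tutorial needs. IPv6 "(v6)" lines mirror IPv4 and are skipped.
    for port in $(printf '%s\n' "$status" |
                  grep -E '^[0-9]+(/(tcp|udp))?[[:space:]]+(ALLOW|LIMIT)[[:space:]]' |
                  sed 's/[[:space:]].*//'); do
        case " $expected_ports " in
            *" $port "*) ;;
            *) echo "PROBLEM: unexpected open port $port"; rc=1 ;;
        esac
    done

    if [ "$rc" -eq 0 ]; then
        echo "OK: firewall rules match the expected set"
    fi
    return $rc
}

# Constructed sample in the shape of the tutorial's `ufw status` output.
SAMPLE_STATUS="Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp                     LIMIT       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
22/tcp (v6)                LIMIT       Anywhere (v6)"

audit_ufw_status "$SAMPLE_STATUS"
```

A rule for 22/tcp with ALLOW instead of LIMIT is reported as a missing rule, and a database or admin port opened later shows up as an unexpected port, so the function is useful as a periodic drift check as well as a one-off verification.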

With this step complete, let’s move on to the next one.

Step-3: Configuring Apache VirtualHost

Apache VirtualHosts allow multiple domain names to serve content from a single Apache web server. Each domain name gets its own directory, kept separate from the others. This is a cost-effective setup that works out of the box for low-traffic sites: several websites share one machine, much like a shared hosting environment.

Note: Throughout this tutorial, replace example.com with your own domain name.

The first thing to do is add a VirtualHost for your domain name. The sample Apache VirtualHost configuration below is enough to obtain a free Let’s Encrypt SSL certificate. On Ubuntu, Apache VirtualHost files live in the sites-available and sites-enabled directories inside the Apache configuration directory.

sudo nano /etc/apache2/sites-available/example.com.conf

Add the following lines to the configuration file. Your domain name must appear in ServerName and ServerAlias, because Certbot uses these names to find the VirtualHost when issuing the Let’s Encrypt certificate.

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin admin@example.com
    DocumentRoot /var/www/html/
</VirtualHost>

<Directory /var/www/html>
    Require all granted
    AllowOverride None
</Directory>

When done, press Ctrl + O to save and Ctrl + X to exit the nano editor.

After creating the Apache VirtualHost configuration file, create a symbolic link from sites-available to sites-enabled. Apache only loads the files in sites-enabled, and because the link points at the file in sites-available, any change you make there is picked up automatically.

sudo ln -s /etc/apache2/sites-available/example.com.conf /etc/apache2/sites-enabled/example.com.conf

Check that the configuration is correct; this command checks the syntax of the Apache configuration files.

sudo apachectl -t

If everything is correct it prints Syntax OK. If anything goes wrong, re-check the Apache VirtualHost file. Once the check passes, restart the service for the changes to take effect.

sudo systemctl restart apache2

With the Apache VirtualHost in place, it’s time to generate the free Let’s Encrypt SSL certificate to secure the Apache web server.

Step-4: Generating the Let’s Encrypt SSL certificate

Certbot is the Let’s Encrypt client that automates issuing a Let’s Encrypt SSL certificate and integrating it with the Apache web server. This step shows how to use Certbot with the --apache flag for automatic SSL integration with Apache and the -d flag for each domain name that needs to be on the certificate.

sudo certbot --apache -d example.com -d www.example.com

You need to provide some information during the interactive setup of the Let’s Encrypt script. First you give an email address, which receives notifications about your Let’s Encrypt SSL certificate, such as renewal and security notices.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@example.com

Accept the terms of service and choose whether to share your email address with the Electronic Frontier Foundation.

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N

Let’s Encrypt then performs a challenge for each domain name to prove that you control it. If everything is configured correctly, the SSL certificate is issued once the challenges complete.

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

If Certbot cannot find a VirtualHost for your server name, it asks which configuration file the certificate should be added to.

We were unable to find a vhost with a ServerName or Address of www.example.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: 000-default.conf | | | Enabled
2: 000-default-le-ssl.conf | example.com | HTTPS | Enabled
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf

The next prompt lets you redirect insecure HTTP traffic to secure HTTPS.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

When all steps have succeeded and the Let’s Encrypt SSL certificate has been generated, Certbot shows the following information.

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://example.com and
https://www.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-08-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
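Steps 3 and 4 are easy to get wrong by hand: a typo in the domain ends up in ServerName and Certbot then cannot match the VirtualHost, or a broken configuration is enabled before `apachectl -t` is run. The script below is an added example, not part of the original post or of Certbot. It validates the domain name, renders the Step 3 VirtualHost, and only enables it when the syntax check passes, then requests the certificate without prompts. The `render_vhost` and `valid_domain` functions run anywhere; `provision_site` assumes root on the Ubuntu server, the paths used in this tutorial, and Certbot’s standard `--non-interactive`, `--agree-tos`, `-m` and `--redirect` options, which the tutorial itself does not show.

```shell
#!/bin/sh
# Added example (not from the original post): Steps 3 and 4 as one script.
# Usage on the server:   provision_site example.com admin@example.com

# valid_domain NAME: accept only lowercase DNS hostnames (letters, digits,
# hyphens, at least one dot). Anything else is refused before it can reach
# the Apache config or the certbot command line.
valid_domain() {
    case $1 in
        *[!a-z0-9.-]*) return 1 ;;   # spaces, shell metacharacters, uppercase, etc.
    esac
    printf '%s\n' "$1" |
        grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# render_vhost DOMAIN ADMIN_EMAIL [DOCROOT]: print the HTTP VirtualHost from
# Step 3 with ServerName/ServerAlias filled in (Certbot matches on these names).
render_vhost() {
    domain=$1
    admin=$2
    docroot=${3:-/var/www/html}
    if ! valid_domain "$domain"; then
        echo "refusing invalid domain name: '$domain'" >&2
        return 1
    fi
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    ServerAdmin $admin
    DocumentRoot $docroot/
</VirtualHost>

<Directory $docroot>
    Require all granted
    AllowOverride None
</Directory>
EOF
}

# provision_site DOMAIN ADMIN_EMAIL: write the vhost, enable it only if the
# syntax check passes, reload Apache, then obtain and install the certificate.
# Server-only: needs apachectl, systemctl and certbot (assumed present).
provision_site() {
    domain=$1
    admin=$2
    valid_domain "$domain" || return 1
    conf=/etc/apache2/sites-available/$domain.conf
    link=/etc/apache2/sites-enabled/$domain.conf
    render_vhost "$domain" "$admin" > "$conf" || return 1
    [ -e "$link" ] || ln -s "$conf" "$link"
    if ! apachectl -t; then
        echo "Apache syntax check failed; disabling $domain again" >&2
        rm -f "$link"
        return 1
    fi
    systemctl reload apache2
    certbot --apache --non-interactive --agree-tos -m "$admin" --redirect \
        -d "$domain" -d "www.$domain"
}

# Stand-alone demonstration on a constructed domain; provision_site is not run here.
render_vhost example.com admin@example.com
```

Because `provision_site` removes the sites-enabled link again when the syntax check fails, a bad configuration never reaches a running Apache; the Step 3 tutorial commands leave that to the reader.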

The Let’s Encrypt certificate has now been generated and automatically installed in Apache. In the next step you will set up a crontab entry for automatic renewal of the Let’s Encrypt SSL certificate.

Step-5: Automatic Renewal of Let’s Encrypt SSL certificates

Let’s Encrypt SSL certificates are valid for 90 days from the date of issue, so it is vital to renew the certificate before it expires. A crontab entry runs the renewal task automatically at a scheduled time.
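Knowing the 90-day lifetime, a practitioner also wants to know at any moment how many days a certificate has left and whether `certbot renew` would act on it yet (by default Certbot only replaces a certificate with 30 days or fewer remaining, so a daily cron run is normally a no-op). The script below is an added example, not part of the original post; it uses pure shell arithmetic for dates so it runs on any POSIX sh, and its server-only helper assumes `openssl x509 -enddate` prints `notAfter=Mon DD HH:MM:SS YYYY GMT`, the format used in the tutorial’s example date 2019-08-02 below.

```shell
#!/bin/sh
# Added example (not from the original post): days left on a certificate and
# whether `certbot renew` would renew it (default threshold: 30 days).

# days_from_civil YEAR MONTH DAY: days since 1970-01-01 in the proleptic
# Gregorian calendar (era / day-of-era formulation), no date(1) extensions needed.
days_from_civil() {
    y=$1
    m=${2#0}   # drop a leading zero so "08" is not read as octal
    d=${3#0}
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# iso_to_days YYYY-MM-DD
iso_to_days() {
    y=${1%%-*}
    rest=${1#*-}
    days_from_civil "$y" "${rest%%-*}" "${rest#*-}"
}

# days_left NOT_AFTER TODAY (both YYYY-MM-DD); negative once expired.
days_left() {
    echo $(( $(iso_to_days "$1") - $(iso_to_days "$2") ))
}

# renewal_state NOT_AFTER TODAY: prints ok, due or expired.
renewal_state() {
    left=$(days_left "$1" "$2")
    if [ "$left" -lt 0 ]; then
        echo expired
    elif [ "$left" -le 30 ]; then
        echo due        # certbot renew would replace the certificate now
    else
        echo ok         # certbot renew leaves it alone for now
    fi
}

# parse_openssl_enddate LINE: "notAfter=Aug  2 12:00:00 2019 GMT" -> 2019-08-02
parse_openssl_enddate() {
    set -- ${1#notAfter=}     # split into: Mon DD HH:MM:SS YYYY GMT
    case $1 in
        Jan) mon=1 ;;  Feb) mon=2 ;;  Mar) mon=3 ;;  Apr) mon=4 ;;
        May) mon=5 ;;  Jun) mon=6 ;;  Jul) mon=7 ;;  Aug) mon=8 ;;
        Sep) mon=9 ;;  Oct) mon=10 ;; Nov) mon=11 ;; Dec) mon=12 ;;
        *) echo "unrecognised month: $1" >&2; return 1 ;;
    esac
    printf '%s-%02d-%02d\n' "$4" "$mon" "$2"
}

# cert_not_after PEM_FILE: expiry date of a certificate file, e.g.
# /etc/letsencrypt/live/example.com/cert.pem. Needs openssl, so server-only.
cert_not_after() {
    parse_openssl_enddate "$(openssl x509 -noout -enddate -in "$1")"
}

# Constructed demonstration using the expiry date from the tutorial's certbot output.
echo "2019-08-02 checked on 2019-07-10: $(days_left 2019-08-02 2019-07-10) days left," \
     "state $(renewal_state 2019-08-02 2019-07-10)"
```

On the server, `renewal_state "$(cert_not_after /etc/letsencrypt/live/example.com/cert.pem)" "$(date +%Y-%m-%d)"` gives a one-word answer that is easy to feed into monitoring; an `expired` result means the cron job has been failing and the certbot log in /var/log/letsencrypt is the place to look.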

To add the entry to the crontab you choose a schedule, and certbot’s renewal then runs periodically at that time.

sudo crontab -e

On the first run it asks for a default editor; select nano.

Select an editor. To change later, run 'select-editor'.
1. /bin/nano <---- easiest
2. /usr/bin/vim.basic
3. /usr/bin/vim.tiny
4. /bin/ed

Choose 1-4 [1]: 1

Add the following line to the crontab to run the Let’s Encrypt renewal every day at 05:00 AM. This renews the SSL certificate before its expiry date.

0 5 * * * /usr/bin/certbot renew --post-hook "systemctl restart apache2"

When done, press Ctrl + O to save and Ctrl + X to exit the nano editor.

Check that the entry has been added to the crontab.

sudo crontab -l

This command lists the cron jobs you have added. If the line above appears, the crontab entry for automatic renewal of the Let’s Encrypt SSL certificate is in place.

Conclusion

You have now secured Apache with a Let’s Encrypt SSL certificate and enabled its automatic renewal using crontab. This protects your web property, and you are ready to serve your website over the secure HTTPS protocol.

I'm Jon Biloh and I own LowEndBox and LowEndTalk. I've spent my nearly 20-year career in IT building companies and now I'm excited to focus on building and enhancing the community at LowEndBox and LowEndTalk.

1 Comment

  1. Doing Automatic Renewal increases its usability.

    April 16, 2020 @ 5:21 am | Reply
