Apache is a web server developed by the Apache Foundation in 1995 and is one of the most widely used and robust web servers. To encrypt the traffic between server and client, Apache needs a valid SSL/TLS certificate.
Let’s Encrypt is a certificate authority that issues free SSL certificates which are trusted out of the box by all major web browsers. Certbot is the Let’s Encrypt client developed by the Electronic Frontier Foundation (EFF). A Let’s Encrypt certificate improves the security of Apache and is easy to integrate using Certbot. In this tutorial you will secure the Apache web server with a free Let’s Encrypt SSL certificate on your Ubuntu 18.04 server.
Prerequisites
- A valid domain name is required to obtain free Let’s Encrypt SSL certificates. You can use a paid domain name or a free one from any domain registrar.
- Configure DNS so that your domain name and subdomain point to your server’s IPv4 address.
Step 1: Installing Required Packages
Installing the Apache web server and Certbot is straightforward. The default Ubuntu repository contains the packages for both Apache and Certbot, and the Advanced Packaging Tool (APT), Ubuntu’s default package manager, installs them.
First clean the local apt package cache.
sudo apt clean all
Then update the repository index to load the latest package information.
sudo apt update
Perform a full upgrade to bring the installed packages up to date.
sudo apt dist-upgrade
Once the upgrade has completed, install the Apache web server and Certbot (the Let’s Encrypt client) with its Apache plugin using apt.
sudo apt install apache2 python-certbot-apache
After the packages have installed successfully, configure the firewall as explained in the next step.
Step 2: Configure the UFW firewall
UFW (Uncomplicated Firewall) is the default firewall on Ubuntu. It is a port-based firewall that is easy to configure and manage. The Apache web server needs both the HTTP and HTTPS services open to accept regular and encrypted traffic.
To allow these services, open the HTTP (80) and HTTPS (443) ports that Apache requires by adding port-based rules to the firewall.
sudo ufw allow http
sudo ufw allow https
The SSH port (22) is needed to log in to the server, but for security it is better to rate-limit it rather than leave it fully open. The limit rule makes UFW deny connections from a source that opens too many connections in a short time, which protects the port against brute-force login attempts.
sudo ufw limit ssh
After adding all the rules, start the firewall and enable it so that it is active after every reboot.
sudo ufw enable
When this is done, check that the rules have been added.
sudo ufw status
If everything is configured correctly, the output looks like the following sample.
Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp                     LIMIT       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
22/tcp (v6)                LIMIT       Anywhere (v6)
With the firewall configured, move on to the next step.
Step 3: Configuring Apache VirtualHost
Apache VirtualHosts allow multiple domain names to serve content from a single Apache web server, each with its own document directory. This is a cost-effective solution that works out of the box for low-traffic sites and lets several websites share one machine, much like a shared hosting environment.
Note: Throughout this tutorial you need to replace example.com with your domain name.
First, add a VirtualHost for your domain name. The sample Apache VirtualHost configuration below is what Certbot needs to obtain a free Let’s Encrypt SSL certificate. On Ubuntu, VirtualHost files live in the sites-available and sites-enabled directories inside the Apache configuration directory.
sudo nano /etc/apache2/sites-available/example.com.conf
Add the following lines to the configuration file. Your domain name must appear in ServerName and ServerAlias, because Certbot uses these directives to find the VirtualHost when obtaining the Let’s Encrypt SSL certificate.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin admin@example.com
    DocumentRoot /var/www/html/
</VirtualHost>

<Directory /var/www/html>
    Require all granted
    AllowOverride None
</Directory>
When you are done, press Ctrl + O to save and Ctrl + X to exit the nano editor.
After creating the Apache VirtualHost configuration file, create a symbolic link from sites-available to sites-enabled. Because sites-enabled only holds a link, any change you make to the file in sites-available is automatically what Apache reads from sites-enabled.
sudo ln -s /etc/apache2/sites-available/example.com.conf /etc/apache2/sites-enabled/example.com.conf
Check that the configuration is correct; the following command verifies the syntax of all Apache configuration files.
sudo apachectl -t
If everything is correct it prints Syntax OK. If anything goes wrong, re-check the Apache VirtualHost file. Then restart the service so the changes take effect.
sudo systemctl restart apache2
With the Apache VirtualHost in place, the next step is to generate the free Let’s Encrypt SSL certificate that secures the Apache web server.
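Before running Certbot in the next step it is worth confirming that every domain you will pass with -d is declared in the vhost file, since Certbot matches the VirtualHost by its ServerName and ServerAlias and otherwise asks you to pick a file by hand. The following shell check is an added example, not part of the original tutorial; the function name check_vhost_domains and the sample vhost it writes are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check (added example, not part of the original tutorial): confirm that
# every domain you will pass to "certbot -d" is declared as ServerName or ServerAlias
# in the vhost file. A name missing here is one Certbot cannot match a vhost for.

# check_vhost_domains VHOST_FILE DOMAIN...
# Prints each missing domain; returns 0 if all are declared, 1 otherwise.
check_vhost_domains() {
    vhost_file=$1
    shift
    missing=0
    # Every name from ServerName/ServerAlias lines, one per line, lower-cased,
    # with any ":port" suffix removed (ServerAlias may list several names).
    declared=$(sed -n -e 's/^[[:space:]]*ServerName[[:space:]]*//p' \
                      -e 's/^[[:space:]]*ServerAlias[[:space:]]*//p' "$vhost_file" \
               | tr -s ' \t' '\n\n' | tr '[:upper:]' '[:lower:]' | sed 's/:[0-9]*$//')
    for domain in "$@"; do
        lower=$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$declared" | grep -qxF "$lower"; then
            echo "missing: $domain is not a ServerName/ServerAlias in $vhost_file"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample in the shape of the Step 3 file, with the www alias left out
# on purpose to show the failure case.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    ServerAdmin admin@example.com
    DocumentRoot /var/www/html/
</VirtualHost>
EOF
if check_vhost_domains "$sample" example.com www.example.com; then
    echo "vhost declares every domain; safe to run certbot"
else
    echo "add the missing names to the vhost before running certbot"
fi
rm -f "$sample"
```

Run it against your real file, for example check_vhost_domains /etc/apache2/sites-available/example.com.conf example.com www.example.com, before invoking certbot.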
Step 4: Generating the Let’s Encrypt SSL certificate
Certbot is the Let’s Encrypt client that automates obtaining the certificate and integrating it with the Apache web server. This step shows how to run Certbot with the --apache flag, which installs the certificate into Apache automatically, and the -d flag for each domain name that needs to be covered by the certificate.
sudo certbot --apache -d example.com -d www.example.com
You need to provide some information during the interactive Let’s Encrypt setup. First, enter the email address that should receive notifications about your Let’s Encrypt SSL certificate.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@example.com
Accept the terms of service and choose whether to share your email address with the Electronic Frontier Foundation.
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Let’s Encrypt then performs a challenge for each domain to prove you control it. If everything is configured correctly, the certificate is issued once the challenges pass.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
If Certbot cannot find a VirtualHost for one of your domain names, it asks which configuration file the certificate should be deployed to.
We were unable to find a vhost with a ServerName or Address of www.example.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: 000-default.conf                   |                       |       | Enabled
2: 000-default-le-ssl.conf            | example.com           | HTTPS | Enabled
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Next, choose whether insecure HTTP traffic should be redirected to secure HTTPS.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf
When all steps have completed and the Let’s Encrypt SSL certificate has been issued, Certbot prints the following summary.
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://example.com and
https://www.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-08-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
The Let’s Encrypt certificate has now been generated and automatically installed into Apache. In the next step you will set up a crontab entry to renew it automatically.
Step 5: Automatic Renewal of Let’s Encrypt SSL certificates
Let’s Encrypt SSL certificates are valid for 90 days from the date of issue, so it is vital to renew them before they expire. A crontab entry runs the renewal task automatically at a scheduled time.
Open the root crontab to add the entry; the certbot renewal command will then run periodically at the time you schedule.
sudo crontab -e
On the first run it asks which editor to use; select nano.
Select an editor.  To change later, run 'select-editor'.
  1. /bin/nano        <---- easiest
  2. /usr/bin/vim.basic
  3. /usr/bin/vim.tiny
  4. /bin/ed

Choose 1-4 [1]: 1
Add the following line to the crontab to run the Let’s Encrypt renewal every day at 05:00 AM. certbot renew only replaces certificates that are close to expiry, so running it daily is safe and ensures the certificate is renewed before its expiry date.
0 5 * * * /usr/bin/certbot renew --post-hook "systemctl restart apache2"
When you are done, press Ctrl + O to save and Ctrl + X to exit the nano editor.
Check that the entry has been added to the crontab.
sudo crontab -l
This command lists the configured cron jobs. If your entry appears, the crontab entry for automatic renewal of the Let’s Encrypt SSL certificate has been added successfully.
Conclusion
You have now secured Apache with a Let’s Encrypt SSL certificate and enabled its automatic renewal through crontab. Your website is ready to serve traffic over the secure HTTPS protocol.