Add Let's Encrypt for websites running on Apache2 in Ubuntu

Posted: Tue Apr 28, 2020 9:34 am
by Vanderburg
This guide covers installing Let's Encrypt SSL certificates for websites running under Apache2 on Ubuntu 16.04+.

Step 1 - Install LE Client

Let's Encrypt SSL certificates are installed using software called certbot, which is not available in a repo on Ubuntu by default. To make it available, we'll first run:

Code:

sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install python-certbot-apache

If you see the error "python-certbot-apache has no installation candidate", use "python3-certbot-apache" instead.

Step 2 - Get a Certificate from LE

Let's Encrypt will let you combine certificates for multiple domains/subdomains. For example, if you want to secure domain.com and www.domain.com, run:

Code:

sudo certbot --apache -d domain.com -d www.domain.com

You should use the base domain as the first domain argument.

You'll then see the following:

Code:

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Enter your email address and press Enter.

Code:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:

Enter "A" and press Enter to agree to the terms and continue.

Code:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

You can enter Y or N here, as this is optional. After doing so, press Enter.

After the certificate is installed, certbot will set up a .conf file for you in the /etc/apache2/sites-available directory. You'll then be asked whether to redirect HTTP traffic to HTTPS:

Code:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

You can press 2 and then Enter. Future versions will do this automatically. Selecting this option will have Apache automatically redirect you to https:// if http:// is used.

Step 3 - Auto Renew Certificates

Certbot will run twice a day to automatically check for certificate renewal, which will happen every 90 days. To test and make sure this is working properly, run

Code:

sudo certbot renew --dry-run

As long as no errors are seen, you're ready to go and HTTPS should now be working automatically.
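
A read-only check of the result of Step 2, added here as an example and not part of the original post: it confirms that a :443 virtual host takes its certificate and key from /etc/letsencrypt/live/ and that the :80 virtual host redirects to https://. The function names, the file names and the sample vhost contents are constructed for illustration and assume certbot's usual directives.

```shell
#!/bin/sh
# Added example: audit Apache vhost files for the two results of Step 2.
# vhost_block PORT FILE... -> non-comment lines inside <VirtualHost *:PORT>
vhost_block() {
    port=$1; shift
    awk -v port="$port" '
        tolower($0) ~ ("<virtualhost[^>]*:" port ">") { inside = 1; next }
        tolower($0) ~ "</virtualhost>"                { inside = 0 }
        inside && $1 !~ /^#/                          { print }
    ' "$@"
}
# True when a :443 vhost takes both certificate and key from certbot's live dir.
has_le_cert() {
    body=$(vhost_block 443 "$@")
    printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*SSLCertificateFile[[:space:]]+/etc/letsencrypt/live/' &&
    printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*SSLCertificateKeyFile[[:space:]]+/etc/letsencrypt/live/'
}
# True when a :80 vhost sends requests to https:// (mod_rewrite or Redirect).
has_https_redirect() {
    vhost_block 80 "$@" | grep -Eiq \
      '^[[:space:]]*(RewriteRule[[:space:]]+[^[:space:]]+|Redirect([[:space:]]+(permanent|301))?[[:space:]]+/)[[:space:]]+https://'
}
# audit_site FILE... -> prints a report; returns non-zero if either check fails
audit_site() {
    rc=0
    has_le_cert "$@"        && echo "OK   :443 uses a Let's Encrypt cert" || { echo "FAIL no Let's Encrypt cert on :443"; rc=1; }
    has_https_redirect "$@" && echo "OK   :80 redirects to https://"      || { echo "FAIL :80 still serves plain HTTP"; rc=1; }
    return $rc
}
# write_sample DIR -> constructed vhost pair for domain.com (not real certbot output)
write_sample() {
    cat > "$1/domain.com.conf" <<'EOF'
<VirtualHost *:80>
    ServerName domain.com
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF
    cat > "$1/domain.com-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName domain.com
    SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
</VirtualHost>
EOF
}
# Demo run against the constructed sample only; nothing on the system is touched.
tmp=$(mktemp -d) && write_sample "$tmp" && audit_site "$tmp"/*.conf
rm -rf "$tmp"
```

On a real server, call it on the site's own files, for example `audit_site /etc/apache2/sites-available/domain.com*.conf`.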