How to Install Let’s Encrypt SSL on Ubuntu 20.04 To Create Certificates

How to Install Let’s Encrypt SSL on Ubuntu 20.04 To Create Certificates. This tutorial talks about installation of  lets encrypt SSL certificate for Apache web server on Ubuntu 20.04. Let’s Encrypt is CA that provides free SSL/TLS certificates to all websites on the internet. Let’s Encrypt provides trusted certificate via automated process.

Table of Contents

A few years ago the only way to get a padlock in front of your site’s URL in the address bar was to purchase an expensive SSL certificate. Today things are a little different. You can now install Let’s Encrypt SSL on Ubuntu 20.04 to create certificates for free.

What is an SSL Certificate?

An SSL certificate enables an encrypted connection (HTTPS) between your website and your visitors’ browsers.

SSL is an acronym for Secure Sockets Layer and refers to a now almost obsolete protocol, last updated in 1996 with version 3.0. Its successor, Transport Layer Security is now used to provide authentication, privacy and data integrity between your website and your visitors’ browsers.

You’ll see many hosts and certificate authorities (CA), like Let’s Encrypt, refer to ‘SSL/TLS Certificates’ rather than simply ‘SSL Certificates’. This is partly due to backwards compatibility with SSL and earlier versions of TLS, and also because the term ‘SSL’ has become widely synonymous with security certificates.

As such, this tutorial will cover adding a Let’s Encrypt SSL/TLS certificate.

Let’s Encrypt SSL benefits

Cost  effective — 0 cost. Let’s Encrypt SSL Certificate is free.

Easy — simple and easy to install. No need to create any accounts or email validations.

Safe — as secure as paid certificates due to modern security architecture and techniques.

Automatic — The entire process of generating, installing, and renewing SSL certificates is done automatically.

You can generate multiple free certificates.

Active Directory certificates

Adding a certificate to your AD leads to enabling LDAPS (LDAP over SSL). That helps to stop  showing your clear text credentials for applications that need  BINDs.

LDAPS enabled then the LDAP traffic from domain members and domain controller is safer due to Transport Layer Security (TLS). Let’s Encrypt is a popular certificate authority trusted by in all browsers.

SSL/TLS Validation Levels

Not all SSL/TLS certificates are created equally. All certificates require some form of validation, but some more so than others. It stands to reason that the more rigorous the validation of the organization or entity behind the certificate, the higher the potential trust (and cost, too).

There are three different types of validation available:

Domain Validated (DV) Certificates: In this tutorial, we’ll request a DV certificate. The only validation these certificates require is that you can prove ownership of the domain, which occurs automatically during the certificate request process. DV certificates are issued almost immediately and are best suited to brochure sites and blogs.

Organization Validated (OV) Certificates: Obtaining an OV SSL/TLS certificate is slightly more rigorous and therefore takes more time to be issued. Proof of domain ownership is required, and the entity requesting the certificate will also be vetted. 

These certificates display details about the organization behind the certificate, enhancing trust between you and your site visitors. These certificates are suitable for eCommerce websites, and those that store sensitive user information.

Extended Validation (EV) Certificates: The vetting process for EV certificates is thorough, and may take longer to be issued. These certificates cost a bit more, too. 

The vetting process includes verification of the physical and operational existence of the entity requesting the certificate, identity verification, and domain ownership, among other checks. Newer browsers will activate specific security enhancements when EV certificates are identified.

Install Let’s Encrypt SSL on Ubuntu 20.04

Prerequisites and requirements

Installing Let’s Encrypt SSL on Ubuntu 20.04 is easy and only takes a few minutes. For this tutorial, I fired up a clean Ubuntu 20.04 VPS running Apache.

Create DNS record

Here I also created two DNS records for my test domain isgreen.net:

  • A record for isgreen.net that directs to the server’s IP address.
  • A CNAME record for ‘www’ that directs to the A record above

While the DNS configuration above can vary (e.g. an A record instead of a CNAME for the ‘www’), every domain or subdomain you want to associate with a Let’s Encrypt SSL certificate has a valid DNS record.

Step 1 Configure your firewall

Ubuntu 20.04 comes with ufw installed, which makes it easy to manage the firewall on your Linux machine. Since we’re requesting an SSL/TLS certificate, we need to ensure that Apache can receive requests on port 443, and optionally port 80.

Check firewall status

Check the status of your firewall with the following command:

				
					sudo ufw status
				
			

Output:

				
					
Status: inactive
				
			

Should ufw be disabled, enable it with:

				
					sudo ufw enable
				
			

Output:

				
					Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
				
			

Run the status command again to check that ufw is enabled and protecting your server. 

				
					sudo ufw status
				
			

Output:

				
					Status: active

To            Action   From
--            ------   ----
22/tcp          ALLOW   Anywhere         
22/tcp (v6)     ALLOW   Anywhere (v6)
				
			

(The 22/tcp rule allows SSH connections to the server – not a direct requirement for SSL / TLS, but vital when you’re accessing your server remotely).

Out of the box ufw doesn’t have any rules and won’t allow any connections to our server. As such, we’ll need to tell it which connections to allow – http or https, or both?

Whenever you see a web address that starts with http, chances are that your web browser is connecting to port 80 of the web server. Whenever you see a web address that starts with https, your browser is connecting to port 443 of the web server.

Step 2 Connect Apache web server

This distinction is important when we want to configure our firewall since we can configure ufw in one of three ways to allow connections to our Apache web server:

  • Apache: Only port 80 (unencrypted)
  • Apache Full: Both ports 80 and 443 (unencrypted and encrypted)
  • Apache Secure: Only port 443 (encrypted)

Starting off we’ll configure ufw to allow Apache Full. Should you choose to redirect all http to https traffic when requesting the certificate, you can later replace Apache Full with Apache Secure.

				
					sudo ufw allow 'Apache Full'
				
			

Output:

				
					Rule added
Rule added (v6)
				
			

We can run the ufw status command again to confirm that Apache has been added.

				
					sudo ufw status
				
			

Output:

				
					Status: active

To            Action   From
--            ------   ----
22/tcp          ALLOW   Anywhere         
Apache Full     ALLOW   Anywhere         
22/tcp (v6)     ALLOW   Anywhere (v6)       
Apache Full (v6)    ALLOW   Anywhere (v6)
				
			

Step 3: Install certbot

Step 4 Install python3 certbot apache

				
					sudo apt-get -y install certbot python3-certbot-apache
				
			

Here we’re installing two packages. The certbot package is used to automatically create Let’s Encrypt SSL/TLS certificates. python-certbot-apache is used to integrate certbot with Apache.

The -y option tells the apt package manager to assume “yes” as an answer to all prompts. In this case, the only prompt would’ve been whether the necessary packages should be downloaded and installed.

For this tutorial, it is assumed that you’ve already configured the virtual hosts for every site you want to run on your web server. Looking at the virtual host configuration for isgreen.net, the ServerName and ServerAlias URLs are the addresses for which we’ll request a certificate:

				
					   ServerAdmin webmaster@isgreen.net

   ServerName isgreen.net
   ServerAlias www.isgreen.net

   DocumentRoot /var/www/html
   
       Options Indexes FollowSymLinks MultiViews
       AllowOverride All
       Require all granted
   

   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined
				
			

Create certificates for your addresses by running the following command:

				
					sudo certbot
				
			

Output:

				
					Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: isgreen.net
2: www.isgreen.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

				
			

The entire output is a bit too long to include here, suffice it to say you’ll be prompted for the following the first time you run certbot:

  • An email address to which renewal and security notices can be sent
  • Whether you agree with the Terms of Service
  • And which names you’d like to activate https for

I’ll leave the input for the last one above blank to activate https for both isgreen.net and www.isgreen.net

You’ll also be asked whether you want to redirect all http traffic to https. Unless you have a very specific reason not to enable redirects to https, choose option ‘2’ and press enter.

Certbot will now complete the certificate request procedure.

Step 5 Test Let's Encrypt SSL/TLS Certificate

With the certificate request process now complete, we can refer to Cerbot’s output to test and get more information about our certificates.

				
					- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://isgreen.net and
https://www.isgreen.net

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=isgreen.net
https://www.ssllabs.com/ssltest/analyze.html?d=www.isgreen.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

				
			

Once you’ve tested your configuration at ssllabs.com, open up a browser and type in your website address. The padlock should be displayed next to your site’s URL.

That’s great! We have learned how to Install Let’s Encrypt SSL on Ubuntu 20.04 To Create Certificates. Let’s conclude.

How to Install Let’s Encrypt SSL on Ubuntu 20.04 To Create Certificates Conclusion

An SSL / TLS certificate is an essential part of the trust relationship you have with site victors and is also beneficial for search engine rankings. Follow the steps in this tutorial to secure the connection between any website you own and your visitors’ browsers – as long as you host on Ubuntu 20.04, of course.

Avatar for Leo De Jager
Leo De Jager

I'm a freelance writer in the tech industry. When I'm not writing about hosting-related topics, I spend my time doing calisthenics or in the ocean doing my level best to stand on a surfboard.

0 0 votes
Article Rating
Subscribe
Notify of
0 Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x