How to Install Let’s Encrypt SSL on Ubuntu 20.04 To Create Certificates

This tutorial covers installing a Let’s Encrypt SSL certificate for the Apache web server on Ubuntu 20.04. Let’s Encrypt is a certificate authority (CA) that provides free SSL/TLS certificates to all websites on the internet. Let’s Encrypt issues trusted certificates through an automated process.
A few years ago the only way to get a padlock in front of your site’s URL in the address bar was to purchase an expensive SSL certificate. Today things are a little different. You can now install Let’s Encrypt SSL on Ubuntu 20.04 to create certificates for free.
An SSL certificate enables an encrypted connection (HTTPS) between your website and your visitors’ browsers.
SSL is an acronym for Secure Sockets Layer and refers to a now almost obsolete protocol, last updated in 1996 with version 3.0. Its successor, Transport Layer Security (TLS), is now used to provide authentication, privacy and data integrity between your website and your visitors’ browsers.
You’ll see many hosts and certificate authorities (CA), like Let’s Encrypt, refer to ‘SSL/TLS Certificates’ rather than simply ‘SSL Certificates’. This is partly due to backwards compatibility with SSL and earlier versions of TLS, and also because the term ‘SSL’ has become widely synonymous with security certificates.
As such, this tutorial will cover adding a Let’s Encrypt SSL/TLS certificate.
Adding a certificate to your AD enables LDAPS (LDAP over SSL). That helps stop credentials from being shown in clear text for applications that need BINDs.
Not all SSL/TLS certificates are created equal. All certificates require some form of validation, but some more so than others. It stands to reason that the more rigorous the validation of the organization or entity behind the certificate, the higher the potential trust (and cost, too).
There are three different types of validation available:
Domain Validated (DV) Certificates: In this tutorial, we’ll request a DV certificate. The only validation these certificates require is that you can prove ownership of the domain, which occurs automatically during the certificate request process. DV certificates are issued almost immediately and are best suited to brochure sites and blogs.
Organization Validated (OV) Certificates: Obtaining an OV SSL/TLS certificate is slightly more rigorous and therefore takes more time to be issued. Proof of domain ownership is required, and the entity requesting the certificate will also be vetted.
These certificates display details about the organization behind the certificate, enhancing trust between you and your site visitors. These certificates are suitable for eCommerce websites, and those that store sensitive user information.
Extended Validation (EV) Certificates: The vetting process for EV certificates is thorough, and may take longer to be issued. These certificates cost a bit more, too.
The vetting process includes verification of the physical and operational existence of the entity requesting the certificate, identity verification, and domain ownership, among other checks. Newer browsers will activate specific security enhancements when EV certificates are identified.
Installing Let’s Encrypt SSL on Ubuntu 20.04 is easy and only takes a few minutes. For this tutorial, I fired up a clean Ubuntu 20.04 VPS running Apache.
Here I also created two DNS records for my test domain isgreen.net:
A record for isgreen.net that directs to the server’s IP address.
A CNAME record for ‘www’ that directs to the A record above.
While the DNS configuration above can vary (e.g. an A record instead of a CNAME for the ‘www’), every domain or subdomain you want to associate with a Let’s Encrypt SSL certificate must have a valid DNS record.
Ubuntu 20.04 comes with ufw installed, which makes it easy to manage the firewall on your Linux machine. Since we’re requesting an SSL/TLS certificate, we need to ensure that Apache can receive requests on port 443, and optionally port 80.
Check firewall status
Check the status of your firewall with the following command:
sudo ufw status
Output:
Status: inactive
Should ufw be disabled, enable it with:
sudo ufw enable
Output:
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Run the status command again to check that ufw is enabled and protecting your server.
sudo ufw status
Output:
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
(The 22/tcp rule allows SSH connections to the server – not a direct requirement for SSL / TLS, but vital when you’re accessing your server remotely).
Out of the box ufw doesn’t have any rules and won’t allow any connections to our server. As such, we’ll need to tell it which connections to allow – http or https, or both?
Whenever you see a web address that starts with http, chances are that your web browser is connecting to port 80 of the web server. Whenever you see a web address that starts with https, your browser is connecting to port 443 of the web server.
This distinction is important when we want to configure our firewall since we can configure ufw in one of three ways to allow connections to our Apache web server:
Apache: Only port 80 (unencrypted)
Apache Full: Both ports 80 and 443 (unencrypted and encrypted)
Apache Secure: Only port 443 (encrypted)
Starting off we’ll configure ufw to allow Apache Full. Should you choose to redirect all http to https traffic when requesting the certificate, you can later replace Apache Full with Apache Secure.
sudo ufw allow 'Apache Full'
Output:
Rule added
Rule added (v6)
We can run the ufw status command again to confirm that Apache has been added.
sudo ufw status
Output:
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
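The profile choice above can be checked against what ufw actually reports. The following is an added example, not part of the original tutorial: it parses ufw status text (the sample outputs are constructed from the listings on this page) and lists which of ports 22, 80 and 443 have no ALLOW rule. The function names are hypothetical, and the need for port 80 during certificate validation is an assumption about how certbot validates the domain.

```shell
#!/bin/sh
# Added example, not from the tutorial: check `ufw status` text for the ports
# this setup relies on. Sample outputs below are constructed from the page.

# ufw_allows STATUS_TEXT PORT -> exit 0 if an ALLOW rule covers PORT/tcp.
# Understands literal rules (22/tcp, 443) and the three Apache profiles.
ufw_allows() {
    printf '%s\n' "$1" | awk -v port="$2" '
        / ALLOW / {
            rule = $0
            sub(/[ \t]+ALLOW.*/, "", rule)   # keep only the "To" column
            sub(/ \(v6\)$/, "", rule)        # fold IPv6 rows into IPv4 names
            if (rule == port || rule == port "/tcp") found = 1
            if (rule == "Apache" && port == 80) found = 1
            if (rule == "Apache Secure" && port == 443) found = 1
            if (rule == "Apache Full" && (port == 80 || port == 443)) found = 1
        }
        END { exit !found }'
}

# missing_ports STATUS_TEXT -> prints the required ports with no ALLOW rule.
# 22: remote SSH access. 443: HTTPS. 80: the http-to-https redirect, and
# (assumption) HTTP-01 domain validation by certbot at issue and renewal.
missing_ports() {
    out=""
    for p in 22 80 443; do
        ufw_allows "$1" "$p" || out="${out:+$out }$p"
    done
    printf '%s' "$out"
}

SSH_ONLY='Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

WITH_APACHE_FULL="$SSH_ONLY
Apache Full                ALLOW       Anywhere
Apache Full (v6)           ALLOW       Anywhere (v6)"

WITH_APACHE_SECURE="$SSH_ONLY
Apache Secure              ALLOW       Anywhere"

echo "ssh only:      missing [$(missing_ports "$SSH_ONLY")]"
echo "Apache Full:   missing [$(missing_ports "$WITH_APACHE_FULL")]"
echo "Apache Secure: missing [$(missing_ports "$WITH_APACHE_SECURE")]"
```

On a live server, pass the real output instead of the samples: missing_ports "$(sudo ufw status)".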
Here we’re installing two packages. The certbot package is used to automatically create Let’s Encrypt SSL/TLS certificates. python-certbot-apache is used to integrate certbot with Apache.
The -y option tells the apt package manager to assume “yes” as an answer to all prompts. In this case, the only prompt would’ve been whether the necessary packages should be downloaded and installed.
For this tutorial, it is assumed that you’ve already configured the virtual hosts for every site you want to run on your web server. Looking at the virtual host configuration for isgreen.net, the ServerName and ServerAlias URLs are the addresses for which we’ll request a certificate:
The entire output is a bit too long to include here; suffice it to say you’ll be prompted for the following the first time you run certbot:
An email address to which renewal and security notices can be sent
Whether you agree with the Terms of Service
And which names you’d like to activate https for
I’ll leave the input for the last one above blank to activate https for both isgreen.net and www.isgreen.net.
You’ll also be asked whether you want to redirect all http traffic to https. Unless you have a very specific reason not to enable redirects to https, choose option ‘2’ and press enter.
Certbot will now complete the certificate request procedure.
Once you’ve tested your configuration at ssllabs.com, open up a browser and type in your website address. The padlock should be displayed next to your site’s URL.
That’s great! We have learned how to install Let’s Encrypt SSL on Ubuntu 20.04 to create certificates. Let’s conclude.
How to Install Let’s Encrypt SSL on Ubuntu 20.04 To Create Certificates Conclusion
An SSL/TLS certificate is an essential part of the trust relationship you have with site visitors and is also beneficial for search engine rankings. Follow the steps in this tutorial to secure the connection between any website you own and your visitors’ browsers – as long as you host on Ubuntu 20.04, of course.
I'm a freelance writer in the tech industry. When I'm not writing about hosting-related topics, I spend my time doing calisthenics or in the ocean doing my level best to stand on a surfboard.