How to Secure Apache with Let’s Encrypt on Ubuntu 20.04

In this tutorial, we introduce Let’s Encrypt SSL and its benefits, then move on to the installation on Ubuntu 20.04.

When your website is hosted in a production environment, it is essential to install an SSL certificate to secure data in transit. Let’s Encrypt is a global CA that allows users to obtain, renew, and manage SSL/TLS certificates for their websites.

What Is Let’s Encrypt SSL?

Let’s Encrypt is a free, automated and open certificate authority (CA) run for the benefit of the public. It is developed by the Internet Security Research Group (ISRG) with the sole purpose of creating a web that is more secure and that respects people's privacy.

They give people the certificates required to enable HTTPS (SSL/TLS) on their websites for free. Furthermore, the certificates they provide are of two types: standard single-domain SSL and wildcard SSL. Either type is issued for a period of 90 days. Also, since they are domain validated, they do not require a dedicated IP.

Therefore, with the help of this platform, you can effortlessly obtain, renew, and manage SSL/TLS certificates. When you install Let’s Encrypt correctly, it certainly performs better than nothing.

Let’s Encrypt is an open and automated certificate authority that uses the ACME (Automatic Certificate Management Environment) protocol to provide free TLS/SSL certificates to any compatible client.

Certificate authorities (CAs) are entities that cryptographically sign TLS/SSL certificates to vouch for their authenticity. Browsers and operating systems have a list of trusted CAs that they use to verify site certificates.

 

Until recently, most CAs were commercial operations that charged money for their verification and signing services. Let’s Encrypt has made this process free for users by completely automating the procedure, and by relying on sponsorship and donations to fund the necessary infrastructure.

Features of Let's Encrypt

  • Secure – This platform serves in advancing TLS security best practices. They do so both on the CA side and by helping site operators appropriately secure their servers.
  • Open – Its automatic issuance and renewal protocol is published as an open standard that can be adopted by anybody.
  • Automatic – The software, running on a web server, can interact with Let’s Encrypt and acquire a certificate, securely configure it for use, and automatically take care of the renewal.
  • Transparent – Every certificate issued and revoked in this platform is recorded publicly and enables anyone to inspect it.
  • Cooperative – Like the underlying Internet protocols, Let’s Encrypt provides benefits to the community beyond the control of any organization.
  • Certificate Transparency Log.
  • Wildcard Certificates.

Benefits of Let’s Encrypt SSL

The benefits of Let’s Encrypt SSL are as follows:

  • One of the considerable benefits of Let’s Encrypt SSL is that it is absolutely free.
  • It has a fairly straightforward installation process. It is designed to make HTTPS encryption accessible to any website owner. For Linux web servers, you need to execute only two commands to acquire their certificates.
  • It provides built-in support for obtaining and configuring the free SSL certificate. Other than that, it renews your SSL certificate automatically using a plugin situated in the control panel. Basically, they request a free server on your behalf and then, by default, handle all the maintenance themselves.
  • Its certificate provides a secure connection between your site visitors and your site servers.
  • They also provide respectable documentation to those in need.
  • They have a vast amount of community support that provides more specific information and advice to those in need.
  • Since Google Chrome is a Platinum Sponsor of Let’s Encrypt, there is only a slight chance of it distrusting the server at any time.
  • The Subject Alternative Name Certificate of Let’s Encrypt enables you to protect multiple domain names with a single certificate. It can save a lot of time for organizations having several websites or microsites.
  • It does not cause any downtime while issuing the certificate, thanks to the ACME protocol, which performs server validation.

Follow this post to learn how to secure Apache with Let’s Encrypt on Ubuntu 20.04.

Secure Apache with Let's Encrypt on Ubuntu 20.04

Prerequisites

  • A server running Ubuntu 20.04 with SSH access.
  • A root user or a user with sudo privileges.

Install Apache Web Server

Before starting, the Apache web server must be installed on your server. If not installed, you can install it by running the following command:

				
					apt install apache2 -y
				
			

Once Apache is installed, start the Apache service and enable it to start after a system reboot:

				
					systemctl start apache2
					systemctl enable apache2
				
			

Now, open your web browser and verify the Apache test page using the URL http://your-server-ip. You should see the Apache test page.

Create and Host a Website with Apache

Before using Let’s Encrypt SSL, we need to create and host a website using the Apache web server. First, create a website directory with the following command:

				
					mkdir /var/www/html/apache.linuxbuz.com
				
			

Next, create an index.html page for the website:

				
					nano /var/www/html/apache.linuxbuz.com/index.html
				
			

Add the following HTML code:

				
					<!DOCTYPE html>
					<html lang="en" dir="ltr">
					<head>
					<title>Secure Apache with Let's Encrypt SSL</title>
					</head>
					<body>
					<h2>Secure Apache with Let's Encrypt SSL</h2>
					<h3>Congratulations! Your Apache web server is secured with Let's Encrypt SSL</h3>
					</body>
					</html>

				
			

Save and close the file, then create an Apache virtual host configuration file to define your website domain and index.html file:

				
					nano /etc/apache2/sites-available/apache.linuxbuz.com.conf
				
			

Add the following configuration:

				
					<VirtualHost *:80>
					    ServerName apache.linuxbuz.com
					    ServerAdmin webmaster@apache.linuxbuz.com
					    DocumentRoot /var/www/html/apache.linuxbuz.com
					    DirectoryIndex index.html
					    <Directory /var/www/html/apache.linuxbuz.com>
					        Options -Indexes +FollowSymLinks
					        AllowOverride All
					    </Directory>

					    ErrorLog ${APACHE_LOG_DIR}/apache.linuxbuz.com-error.log
					    CustomLog ${APACHE_LOG_DIR}/apache.linuxbuz.com-access.log combined
					</VirtualHost>

				
			

Save and close the file, then activate the Apache virtual host and restart the Apache service using the following commands:

				
					a2ensite apache.linuxbuz.com.conf
					systemctl restart apache2
				
			

Now, open your web browser and test it using the URL http://apache.linuxbuz.com. You should see your index.html page.

Well done for following this article on how to secure Apache with Let’s Encrypt on Ubuntu 20.04 so far. Now it is time to install Let’s Encrypt SSL.

Download and Install Let's Encrypt SSL

At this point, your website has been created and is hosted with the Apache web server. However, it is not secured yet. You will need to install the Certbot package to install and manage the Let’s Encrypt SSL certificate.

Run the following command to install the Certbot package:

				
					apt install certbot python3-certbot-apache -y
				
			

Once the Certbot package is installed, run the following command to download and install the Let’s Encrypt SSL on your website:

				
					certbot --apache
				
			

You will be asked to provide a valid email address and accept the terms of service:

				
					Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): hitjethva@gmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

				
			

Select domain of certificate

Next, you will be asked to select the domain on which you want to install the Let’s Encrypt SSL:

				
					Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: apache.linuxbuz.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

				
			

Select your domain and press the Enter key. You will be asked to choose whether or not to redirect HTTP traffic to HTTPS:

				
					Obtaining a new certificate
Performing the following challenges:
http-01 challenge for apache.linuxbuz.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/apache.linuxbuz.com-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/apache.linuxbuz.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/apache.linuxbuz.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

				
			

Choose 2 to enable the redirection and press the Enter key. Once the Let’s Encrypt SSL is installed and configured, you should see the following output:

				
					Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/apache.linuxbuz.com.conf to ssl vhost in /etc/apache2/sites-available/apache.linuxbuz.com-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://apache.linuxbuz.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=apache.linuxbuz.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/apache.linuxbuz.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/apache.linuxbuz.com/privkey.pem
Your cert will expire on 2022-09-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
visiting https://act.eff.org.

				
			

Verify Let's Encrypt SSL

Your Let’s Encrypt certificate is now installed and loaded into Apache’s configuration. Now, it’s time to test whether the Let’s Encrypt SSL is installed.

You can now test it over HTTPS using the URL https://apache.linuxbuz.com. You should see your website page, including a lock icon in the address bar.

You can also use the SSL Labs Server Test to verify your certificate’s grade and obtain detailed information about it.
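The same verification can be done from a terminal. The script below is an added example, not part of the original tutorial: it classifies the certificate's expiry date and confirms that plain HTTP is permanently redirected to the HTTPS site. The function names, the `--live` switch and the 30-day window are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names and the
# 30-day window are assumptions chosen for illustration.

# cert_status "<notAfter=... line>" <now-epoch> [window-days]
# Takes the line printed by `openssl x509 -noout -enddate` and classifies it.
cert_status() {
    end=$(date -u -d "${1#notAfter=}" +%s) || return 2   # GNU date (Ubuntu)
    left=$(( end - $2 ))
    window=$(( ${3:-30} * 86400 ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$left" -lt "$window" ]; then
        echo "RENEW_DUE $(( left / 86400 ))"
    else
        echo "OK $(( left / 86400 ))"
    fi
}

# redirects_to_https <host>, reading `curl -sI http://<host>/` output on stdin.
# Succeeds only for a permanent redirect (301/308) whose Location starts with
# https://<host>/ ; the trailing slash stops look-alike hosts from matching.
redirects_to_https() {
    tr -d '\r' | awk -v host="$1" '
        NR == 1                    { perm = ($2 == 301 || $2 == 308) }
        tolower($1) == "location:" { ok = (index($2, "https://" host "/") == 1) }
        END                        { exit !(perm && ok) }'
}

# Live run: sh check_tls.sh --live apache.linuxbuz.com
if [ "${1:-}" = "--live" ]; then
    host=$2
    # curl validates the chain and the host name by default; failure is fatal.
    curl -sSI "https://$host/" >/dev/null || { echo "TLS validation failed"; exit 1; }
    enddate=$(openssl s_client -connect "$host:443" -servername "$host" \
                  </dev/null 2>/dev/null | openssl x509 -noout -enddate)
    cert_status "$enddate" "$(date +%s)"
    if curl -sI "http://$host/" | redirects_to_https "$host"; then
        echo "redirect: OK"
    else
        echo "redirect: missing or not permanent"
    fi
fi
```

On the server itself, `certbot renew --dry-run` exercises the renewal path against the staging environment without replacing the installed certificate.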

Thank you for reading how to Secure Apache with Let’s Encrypt on Ubuntu 20.04. Now it’s time to summarize.

How to Secure Apache with Let's Encrypt on Ubuntu 20.04 Conclusion

In this post, we gave you a brief overview of Let’s Encrypt SSL and showed how to install it with the Apache web server on Ubuntu 20.04. Let’s Encrypt is a nonprofit organization, and its aim is to create a more secure Web by promoting the widespread adoption of HTTPS. Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them on any website which uses a fully qualified domain name.

Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.
