We will show you how to set up a TLS/SSL certificate from Let's Encrypt on an Ubuntu 16.04 server running Apache.
An SSL Certificate helps encrypt traffic between a web server and a web client. Let's Encrypt provides free trusted SSL certificates.
Ok, let's get down to it.
What we need:
- An up-to-date Ubuntu 16.04 server with a user account with sudo access.
- Apache web server installed and operational with at least one domain name/virtual host.
1- Let's install the Let's Encrypt client
Let's Encrypt certificates are obtained using client software on your server. The client is called Certbot, and its developers maintain their own Ubuntu software repository.
Since Certbot is under active development, it's best to use their repository to make sure we get the latest version available. First add the repository by running "sudo add-apt-repository ppa:certbot/certbot" and pressing ENTER when prompted.
Then run "sudo apt-get update" to include the new repository's package information.
Now install Certbot from the new repository by running "sudo apt-get install python-certbot-apache -y".
After this, the Certbot Let's Encrypt client should be installed and ready to use.
Let's now set up the SSL certificate using Certbot.
It's a fairly simple process, and the client will automatically obtain and install a new SSL certificate that is valid for the domains that we specify.
To run the interactive installation and obtain a certificate that covers a single domain, run the certbot command "sudo certbot --apache -d domain.com", where domain.com is your domain. If the website is accessible and operational, it should succeed.
If you want to install a single certificate that can be used for multiple domains or subdomains, you can pass additional parameters. The first domain name in the list will be the base domain used by Let's Encrypt to issue the certificate, so we recommend that you pass the top-level domain name first in the list, followed by the rest of the subdomains, by running the command:
# sudo certbot --apache -d domain1.com -d www.domain1.com
In this example the base domain is domain1.com. If you have multiple virtual hosts, you should run certbot once for every domain to generate a new certificate for each.
The generated certificate files are located in /etc/letsencrypt/live. You can verify the status of a certificate by going to the following link; make sure to adapt it to your domain name:
https://www.ssllabs.com/ssltest/analyze.html?d=domain.com&latest
You should now be able to access your website via https.
Let's now verify Certbot Auto-Renewal works:
Every Let's Encrypt certificate is valid for only 90 days; however, Certbot takes care of renewing them by running "certbot renew" twice a day via systemd. If your Linux distro doesn't have systemd, this functionality is enabled by a cron script placed in /etc/cron.d.
To test the renewal process you can do a dry run with certbot by running:
# sudo certbot renew --dry-run
If no errors are reported then you're good.
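A dry run shows that renewal can work, but not that it has kept working. The script below is an added example, not part of Certbot: it lists every certificate under /etc/letsencrypt/live and flags any that expire within a given number of days. The function name, the 30-day default and the output format are choices made for this example, and it assumes Certbot's <name>/cert.pem layout and the openssl command-line tool.

```bash
#!/usr/bin/env bash
# Added example: report certbot-managed certificates that are close to expiry.
# Assumes certbot's layout <live_dir>/<name>/cert.pem; the 30-day default
# threshold is a value chosen for this example.
# Usage (the live directory is readable by root only):
#   sudo ./check-certs.sh 30 /etc/letsencrypt/live

certs_expiring_within() {
    local days="${1:-30}"
    local live_dir="${2:-/etc/letsencrypt/live}"
    local cert name end rc=0 found=0

    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }

    for cert in "$live_dir"/*/cert.pem; do
        [ -e "$cert" ] || continue          # glob matched nothing
        found=1
        name="$(basename "$(dirname "$cert")")"

        # Read the notAfter date; a corrupt or unreadable file counts as a failure.
        end="$(openssl x509 -noout -enddate -in "$cert" 2>/dev/null)" || {
            echo "UNREADABLE $name"; rc=1; continue; }
        end="${end#notAfter=}"

        # -checkend exits 0 only if the certificate is still valid N seconds from now.
        if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
            echo "OK $name ($end)"
        else
            echo "EXPIRING $name ($end)"; rc=1
        fi
    done

    # Nothing found usually means a wrong path or missing root privileges.
    [ "$found" -eq 1 ] || { echo "no certificates under $live_dir" >&2; return 2; }
    return "$rc"
}

# Run the check only when arguments are given on the command line.
if [ "$#" -gt 0 ]; then
    certs_expiring_within "$@"
fi
```

The exit status is 0 when every certificate is outside the window, 1 when at least one is expiring or unreadable, and 2 when nothing could be checked, so the script can be called from a monitoring job.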
With this guide we learned how to install and configure Let's Encrypt, which enables us to install free SSL certificates to secure our websites running on Apache.