SSL certificates enable encryption of all the data transferred between your web server and users’ browsers. This not only makes your website more secure but also improves its credibility. Let’s Encrypt allows you to add trusted SSL certificates to your website for free. Let us look at how to install Let’s Encrypt on Apache on Ubuntu 16.04.
How to Install Let’s Encrypt on Apache on Ubuntu 16.04
Before we proceed, make sure you have
- Installed Apache web server on Ubuntu
- Set up Virtual Hosts for your domain name, and specified the ServerName directive. Here’s how you can do it.
1. Install Let’s Encrypt Client
Let’s Encrypt certificates are fetched from the certificate provider via their client (called Certbot) installed on your web server. To get the latest version, add the Certbot repository
$ sudo add-apt-repository ppa:certbot/certbot
Press ENTER to proceed. Then update the package list to get the new repository’s package information
$ sudo apt-get update
Finally, install Certbot from the repository
$ sudo apt-get install python-certbot-apache
2. Set up SSL Certificate
Once you have installed Certbot, it’s quite easy to generate the SSL certificate. Certbot will automatically generate, retrieve and install a new SSL certificate for the domains that you specify as command arguments.
You can generate a certificate for just a single domain (e.g. example.com) with the command
$ sudo certbot --apache -d example.com
If you want to generate a single certificate for multiple subdomains, you can do that by passing them as additional -d parameters. The first domain is used as the base domain.
$ sudo certbot --apache -d example.com -d www.example.com -d blog.example.com
In case you have multiple virtual hosts, you should generate a new certificate for each of them by running Certbot separately for each one.
When you run the above command, Certbot will install all the required dependencies and then start an interactive step-by-step guide that allows you to customize certificate options. You’ll need to provide an email address for lost key recovery, and specify whether you want to serve both http and https or force all requests to https. It’s recommended to redirect all http requests to https, unless otherwise necessary.
After the installation is complete, your certificates will be present at /etc/letsencrypt/live.
Check the status of your SSL certificate with the following link. Replace example.com with your actual domain name
3. Test Certbot Auto renewal
Unlike the paid SSL certificates provided by certificate authorities like Comodo, RapidSSL, etc., which are valid for at least 1 year, Let’s Encrypt’s certificates are valid for only 90 days.
Luckily, Certbot has a feature to automatically renew certificates by running the certbot renew command twice a day, via a systemd timer. If your Linux system doesn’t have systemd timers, then it is done via a cron script placed at /etc/cron.d
Either way, it happens automatically and you don’t have to worry about it. Certbot will renew your certificate within 30 days of its expiry.
To be sure, you can even test the renewal on your own
$ sudo certbot renew --dry-run
If you get no error messages on running the above command, then it’s working properly, and Certbot will automatically renew your certificate.
In case the auto-renewal fails, Let’s Encrypt will send you an email to the email address you provided earlier, informing you that your certificate is about to expire.
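To catch a failed renewal yourself instead of waiting for that email, you can check how long each certificate under /etc/letsencrypt/live still has to run. The script below is an added example, not part of the original tutorial or of Certbot; the function names are hypothetical, and it assumes GNU date (as on Ubuntu), the openssl command line tool, and Certbot's cert.pem file in each per-domain directory.

```shell
#!/bin/sh
# Added example: flag Certbot certificates that should already have been renewed.
# Certbot renews within 30 days of expiry, so a certificate with less than
# 30 days left means automatic renewal has not succeeded.
RENEW_WINDOW_DAYS=30

# cert_state NOTAFTER NOW_EPOCH
# NOTAFTER is the date printed by `openssl x509 -enddate`,
# e.g. "Mar 10 12:00:00 2025 GMT" (constructed sample value).
# Prints one of: ok | renewal-overdue | expired | unparseable
cert_state() {
    # An empty string would be parsed by GNU date as "today", so reject it.
    [ -n "$1" ] || { echo "unparseable"; return 2; }
    exp=$(date -u -d "$1" +%s 2>/dev/null) || { echo "unparseable"; return 2; }
    left=$(( exp - $2 ))
    if [ "$left" -le 0 ]; then
        echo "expired"
    elif [ "$left" -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        echo "renewal-overdue"
    else
        echo "ok"
    fi
}

# check_live [DIR]
# Reports every certificate under DIR (default /etc/letsencrypt/live).
# Returns 1 if any certificate is not "ok", so cron can alert on it.
check_live() {
    dir=${1:-/etc/letsencrypt/live}
    now=$(date -u +%s)
    rc=0
    for cert in "$dir"/*/cert.pem; do
        [ -f "$cert" ] || continue
        end=$(openssl x509 -noout -enddate -in "$cert" 2>/dev/null | cut -d= -f2)
        state=$(cert_state "$end" "$now") || true
        echo "$state  $cert  (notAfter: ${end:-unknown})"
        [ "$state" = "ok" ] || rc=1
    done
    return $rc
}

# Run the check only when asked to: sudo sh check_certs.sh --check
if [ "${1:-}" = "--check" ]; then
    check_live
fi
```

Run it as root, since /etc/letsencrypt/live is not readable by ordinary users.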
That’s it! Now you know how to install Let’s Encrypt on Apache on Ubuntu 16.04.