Install the Apache webserver and Enable SSL Module.

If the Apache web server is not already installed on your machine, install the Apache daemon:

$ sudo apt-get install apache2

SSL module activation for the Apache webserver on Ubuntu is quite straightforward. Enable the SSL module and activate Apache's default SSL virtual host by issuing the commands below:

$ sudo a2enmod ssl
$ sudo a2ensite default-ssl.conf
$ sudo service apache2 restart
or
$ sudo systemctl restart apache2.service

Visitors can now access your domain name via the HTTPS protocol. However, because your server's self-signed certificate is not issued by a trusted certificate authority, their browsers will display an error alert for https://yourdomain.com/ (privacy error).

Install Free Let’s Encrypt Client.

In order to install Let’s Encrypt software on your server, you need to have the git package installed on your system.

$ sudo apt-get -y install git

Next, choose a directory from your system hierarchy where you want to clone the Let’s Encrypt git repository. Switch to /usr/local directory and install Let’s Encrypt client by issuing the following commands:

$ cd /usr/local
$ sudo git clone https://github.com/letsencrypt/letsencrypt

Generating an SSL Certificate for Apache webserver.

The process of obtaining an SSL Certificate for Apache is automated thanks to the Apache plugin. Generate the certificate by issuing the following command against your domain name. Provide your domain name as a parameter to the -d flag.

$ cd /usr/local/letsencrypt
$ sudo ./letsencrypt-auto --apache -d your_domain.tld

If you need the certificate to cover multiple domains or subdomains, add them all using a -d flag for each extra valid DNS record after the base domain name.

$ sudo ./letsencrypt-auto --apache -d your_domain.tld -d www.your_domain.tld

Agree to the license, enter an email address for recovery, and choose whether clients can browse your domain using both protocols (secure and insecure) or whether all non-secure requests are redirected to HTTPS. After the installation process finishes successfully, a congratulation message is displayed on your console informing you about the expiration date and how you can test the configuration, as illustrated in the screenshots below. You should now be able to find your certificate files in the /etc/letsencrypt/live directory with a simple directory listing.

$ sudo ls /etc/letsencrypt/live

Finally, to verify the status of your SSL certificate, visit the following link. Replace the domain name accordingly.

https://www.ssllabs.com/ssltest/analyze.html?d=your_domain.tld&latest

Also, visitors can now access your domain name using HTTPS protocol without any error appearing in their web browsers.

Setting up the auto-renew regime of Let’s Encrypt Certificates.

By default, certificates issued by Let’s Encrypt authority are valid for 90 days. In order to renew the certificate before the expiration date, you must manually run the client again using the exact flags and parameters as earlier.

$ sudo ./letsencrypt-auto --apache -d your_domain.tld

Or in case of multiple subdomains:

$ sudo ./letsencrypt-auto --apache -d your_domain.tld -d www.your_domain.tld

The certificate renewal process can be automated to run less than 30 days before the expiration date by using the Linux cron scheduling daemon.

$ sudo crontab -e

Add the following command at the end of the crontab file using one line only:

0 1 1 */2 * cd /usr/local/letsencrypt && ./letsencrypt-auto certonly --apache --renew-by-default -d domain.tld >> /var/log/domain.tld-renew.log 2>&1
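
The schedule above fires on the 1st of every second month, so runs are up to 62 days apart: a 90-day certificate can be down to 28 days when the next run starts, and a single failed run means it expires before the following attempt. The script below is an added example, not part of the original tutorial or of the Let's Encrypt client; it assumes GNU date and the openssl command line tool, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag a certificate that is closer to expiry than the
# bi-monthly cron schedule can tolerate. Function names are hypothetical.

# cert_status NOT_AFTER NOW_EPOCH [MIN_DAYS]
#   NOT_AFTER is the date text openssl prints after "notAfter=".
#   Prints "OK <n>d", "RENEW <n>d" or "EXPIRED".
#   Returns 0 (ok), 1 (renew soon), 2 (expired), 3 (date not parseable).
cert_status() {
    not_after=$1
    now=$2
    min_days=${3:-30}
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 3; }
    left=$(( (end - now) / 86400 ))
    if [ "$end" -le "$now" ]; then
        echo "EXPIRED"
        return 2
    elif [ "$left" -lt "$min_days" ]; then
        echo "RENEW ${left}d"
        return 1
    fi
    echo "OK ${left}d"
}

# check_live_cert DOMAIN [MIN_DAYS]
#   Reads the certificate the client stored under /etc/letsencrypt/live.
check_live_cert() {
    pem="/etc/letsencrypt/live/$1/cert.pem"
    line=$(openssl x509 -in "$pem" -noout -enddate) || return 3
    cert_status "${line#notAfter=}" "$(date +%s)" "${2:-30}"
}

# Run only when a domain is given, e.g.: sudo sh check-cert.sh your_domain.tld
if [ $# -gt 0 ]; then
    check_live_cert "$@"
fi
```

Scheduled daily from cron, the non-zero exit status gives a monitoring hook that does not depend on the renewal job itself having succeeded.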

Details about your renewal domain configuration file for Let’s Encrypt software can be found in /etc/letsencrypt/renewal/ directory.

$ cat /etc/letsencrypt/renewal/caeszar.tk.conf

You should also check the file /etc/letsencrypt/options-ssl-apache.conf to view the new SSL configuration file for the Apache webserver.

Also, the Let’s Encrypt Apache plugin modifies some files in your webserver configuration. To check which files have been modified, list the content of the /etc/apache2/sites-enabled directory.

$ ls /etc/apache2/sites-enabled/
$ sudo cat /etc/apache2/sites-enabled/000-default-le-ssl.conf

That’s it.
