Install Let’s Encrypt SSL Certificate in Apache on Ubuntu 22.04

Let’s Encrypt is a certificate authority that provides free SSL certificates for websites. It was launched in 2014 with the goal of making every website secure over HTTPS. More than 250 million websites use it.

In addition to offering SSL certificates, it also handles implementation and automatic renewal of certificates through the Certbot client.

Here, we will see how to install Let’s Encrypt SSL Certificate in Apache on Ubuntu 22.04.

Prerequisites

Install Apache Webserver

Before proceeding further, install the Apache webserver on your system.

READ: How to Install LAMP Stack on Ubuntu 22.04

OR

Use the apt command to install the Apache webserver alone if you wish to host only a plain HTML site.

sudo apt update

sudo apt install -y apache2

Then, use the below command to enable SSL and rewrite modules.

sudo a2enmod ssl rewrite

Create Apache Virtualhost

First, create an Apache virtual host to serve the HTTP version of the website.

sudo nano /etc/apache2/sites-available/www.itzgeek.net.conf

Then, use the below configuration for your website. Do remember to change ServerName, ServerAlias, and Directory stanza based on your requirement. If you do not use the www subdomain, you can remove the ServerAlias.

<VirtualHost *:80>

   ServerName itzgeek.net
   ServerAlias www.itzgeek.net
   # Replace with your own administrator e-mail address (placeholder shown)
   ServerAdmin webmaster@example.com
   DocumentRoot /var/www/html/www.itzgeek.net


   ErrorLog ${APACHE_LOG_DIR}/www.itzgeek.net_error.log
   CustomLog ${APACHE_LOG_DIR}/www.itzgeek.net_access.log combined


   <Directory /var/www/html/www.itzgeek.net>
      Options FollowSymlinks
      AllowOverride All
      Require all granted
   </Directory>

</VirtualHost>

Once you have created the virtual host configuration file, enable the website.

sudo a2ensite www.itzgeek.net

Next, create a root directory to hold your website’s files.

sudo mkdir -p /var/www/html/www.itzgeek.net/

Then, change the ownership and group of the directory.

sudo chown -R www-data:www-data /var/www/html/www.itzgeek.net/

Finally, place the test HTML file on the website’s document root.

echo "This is a test site @ www.itzgeek.net" | sudo tee /var/www/html/www.itzgeek.net/index.html

Then, restart the Apache service to re-read the configurations.

sudo systemctl restart apache2

Install Let’s Encrypt SSL Certificate in Apache

Create / Update DNS Record

To generate a Let’s Encrypt SSL certificate, you must point your domain to the server IP. So, go to your domain registrar and create an A/CNAME record for the domain. For example, the below image shows the A/CNAME records for the domain www.itzgeek.net.

NOTE: After changing the DNS records, you may need to wait anywhere from a few minutes to a few hours for the changes to take effect, depending on the TTL you set for the record.

DNS Records

Install Certbot

The Certbot ACME client handles certificate issuance and installation without downtime. It is available as a snap package for the Ubuntu operating system. So, first, install the snapd package.

sudo apt update

sudo apt install -y snapd

Then, update snapd to the latest version.

sudo snap install core; sudo snap refresh core

Finally, install the Certbot client using the snap command.

sudo snap install --classic certbot

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Install Let’s Encrypt Certificate

Use the certbot command to create a Let’s Encrypt certificate and configure Apache to use the certificate.

sudo certbot --apache

You will need to follow the interactive prompt and install the certificate. Since I have two domains, I will install SSL certificates for both domains.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected] << Enter Email ID

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y  << Agree to Terms and Conditions

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N << Subscribe to Newsletter
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: itzgeek.net
2: www.itzgeek.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2 << Select the site to Install Let's Encrypt SSL Certificate
Requesting a certificate for itzgeek.net and www.itzgeek.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/itzgeek.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/itzgeek.net/privkey.pem
This certificate expires on 2022-08-11.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for itzgeek.net to /etc/apache2/sites-available/www.itzgeek.net-le-ssl.conf
Successfully deployed certificate for www.itzgeek.net to /etc/apache2/sites-available/www.itzgeek.net-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://itzgeek.net and https://www.itzgeek.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Once you activate HTTPS for your domain, the Certbot client will add rewrite rules to redirect traffic from HTTP to the HTTPS site.

By default, it places two rules for redirections.

  1. http://itzgeek.net >> https://itzgeek.net
  2. http://www.itzgeek.net >> https://www.itzgeek.net

As you can see, the first redirection does not reach the www HTTPS version of the domain. So, you may need to follow the section below to set it up. If you do not use the www domain, you can skip the next section.

Redirect non-www HTTP requests to www HTTPS with Apache

You may want to configure the Apache webserver to redirect traffic from the non-www HTTP site to the www HTTPS site, i.e., http://itzgeek.net >> https://www.itzgeek.net.

So, edit the Let’s Encrypt SSL virtual host file (not your original virtual host file).

sudo nano /etc/apache2/sites-available/www.itzgeek.net-le-ssl.conf

Then, add the below rules before the closing </VirtualHost> tag. Change the domain name as per your requirement.

    # Redirect NON-WWW HTTP to WWW HTTPS
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =itzgeek.net
    RewriteRule ^ https://www.itzgeek.net%{REQUEST_URI} [END,NE,R=permanent]

Finally, restart the Apache service.

sudo systemctl restart apache2
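
To confirm that every entry point ends at the www HTTPS site and that no hop falls back to plain HTTP, the redirect chain can be followed one response at a time. This is an added example, not part of the original tutorial; the function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Follow redirects one hop at a time and report where a URL finally lands.

# The only network call; any function with the same interface can replace it.
fetch_headers() { curl -sI --max-time 10 "$1"; }

# Constructed responses (not captured from a real server) modelling the setup
# after the non-www rewrite rule has been added to the SSL virtual host.
sample_headers() {
  case $1 in
    http://itzgeek.net/)
      printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://itzgeek.net/\r\n\r\n' ;;
    http://www.itzgeek.net/ | https://itzgeek.net/)
      printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.itzgeek.net/\r\n\r\n' ;;
    *)
      printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' ;;
  esac
}

# next_hop FETCHER URL: print the Location target if the response is a 3xx.
next_hop() {
  "$1" "$2" | tr -d '\r' | awk '
    NR == 1 { redirect = ($2 ~ /^3[0-9][0-9]$/) }
    redirect && tolower($1) == "location:" { print $2; exit }'
}

# final_url FETCHER URL: print the last URL of the chain. Fails (status 1) if
# any redirect target is not an absolute https:// URL or after 5 hops.
# The body runs in a subshell so its variables stay local.
final_url() (
  fetch=$1 url=$2 hops=0
  while next=$(next_hop "$fetch" "$url") && [ -n "$next" ]; do
    case $next in https://*) ;; *) echo "$next"; exit 1 ;; esac
    url=$next
    hops=$((hops + 1))
    [ "$hops" -le 5 ] || exit 1
  done
  echo "$url"
)

for u in http://itzgeek.net/ http://www.itzgeek.net/ https://itzgeek.net/; do
  printf '%s -> %s\n' "$u" "$(final_url sample_headers "$u")"
done
```

Against the live server, pass fetch_headers instead of sample_headers, for example: final_url fetch_headers http://itzgeek.net/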

Verify Let’s Encrypt Certificate

You can verify the Let’s Encrypt certificate by visiting your website.

http://your-http-web-site

OR

https://your-https-web-site

You should get the HTTPS version of your site now.

Let's Encrypt SSL Certificate

Test SSL Certificate

Test your Let’s Encrypt SSL certificate for any issues and its security ratings by going to the below URL.

https://www.ssllabs.com/ssltest/analyze.html?d=www.itzgeek.net

Renew Let’s Encrypt Certificate

By default, Let’s Encrypt certificates have 90 days of validity and have to be renewed on time. However, the renewal process is now automated through a systemd service provided by the Certbot client. So, you do not have to renew them manually.

However, it is recommended to simulate a certificate renewal to confirm there are no issues.

sudo certbot renew --dry-run

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/itzgeek.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for itzgeek.net and www.itzgeek.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/itzgeek.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The above output confirms that the test renewal is successful, and the automatic renewal will happen as expected.
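
A dry run only proves that renewal works today. To catch a renewal that later stops working, the certificate's own expiry date can be checked on a schedule. The following is an added example, not part of the original tutorial: cert_status is a hypothetical helper, the sample notAfter line is constructed to match the expiry date shown earlier, and the 21-day alert threshold is an assumption chosen to sit below Certbot's usual 30-day renewal window.

```shell
#!/bin/sh
# cert_status NOT_AFTER NOW_EPOCH [ALERT_DAYS]
#   NOT_AFTER is the line printed by `openssl x509 -noout -enddate`.
#   Prints EXPIRED, "RENEWAL_OVERDUE <days>" or "OK <days>".
cert_status() {
  printf '%s\n' "$1" | awk -v now="$2" -v alert="${3:-21}" '
    # Days since 1970-01-01 for a Gregorian calendar date (UTC).
    function civil_days(y, m, d,    era, yoe, doy) {
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
      return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    {
      sub(/^notAfter=/, "")            # leaves e.g. "Aug 11 09:30:00 2022 GMT"
      split($3, t, ":")
      mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
      left = civil_days($4, mon, $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3] - now
      days = int(left / 86400)
      if (left <= 0)         print "EXPIRED"
      else if (days < alert) print "RENEWAL_OVERDUE " days
      else                   print "OK " days
    }'
}

# Constructed sample line (the time of day is made up).
SAMPLE='notAfter=Aug 11 09:30:00 2022 GMT'
cert_status "$SAMPLE" 1652486400   # now = 2022-05-14 00:00 UTC
cert_status "$SAMPLE" 1659312000   # now = 2022-08-01 00:00 UTC, never renewed
cert_status "$SAMPLE" 1660262400   # now = 2022-08-12 00:00 UTC, past notAfter

# Live use on the server (run as root, since /etc/letsencrypt/live is restricted):
#   cert_status "$(openssl x509 -noout -enddate \
#     -in /etc/letsencrypt/live/itzgeek.net/fullchain.pem)" "$(date +%s)"
```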

Conclusion

That’s All. I hope you learned how to install Let’s Encrypt SSL Certificate in Apache on Ubuntu 22.04.
