Securing Apache with Let’s Encrypt on Ubuntu 14.04

Introduction

This article is going to show you how to set up a TLS/SSL certificate with Let’s Encrypt on an Ubuntu 14.04 VPS using Apache as a web server. We will also be covering how to automate the certificate renewal process with a cron job.
SSL certificates are used in websites to encrypt the traffic between the server and the client, allowing extra security for users using your application. Let’s Encrypt will provide a simple way to get and install trusted certificates for free.

Prerequisites

You will require the following for this tutorial:

• An Ubuntu 14.04 VPS / Server with a non-root sudo
• The Apache web server installed with one or more domain names configured properly.

When you are ready to move on, log into your server with your sudo-enabled account.

1. Download the Let’s Encrypt Client

Install the certbot software on your server, the Certbot developers keep their own Ubuntu software repository holding up-to-date versions of the software.
Since Certbot is in a very active development it is worth to using this repository in order to install a newer Certbot than the one given by Ubuntu.
Begin by adding the repository.

sudo add-apt-repository ppa:certbot/certbot

You will have to press ‘ENTER’ to accept. Then, update the package list to get the repository’s new package information with the command below.

sudo apt-get update

Next, install Certbot from the new repository using apt-get.

sudo apt-get install python-certbot-apache

The certbot Let’s Encrypt client is now available for use.

2. Seting Up the SSL Certificate

Generating the SSL certificate for Apache with the certbot Let’s Encrypt client is straightforward. The client should automatically receive and install a new SSL certificate which is valid for the domains that were provided as parameters.
To begin running the interactive installation and receiving a certificate which covers only a single domain, run the certbot command with the below.

sudo certbot --apache -d domain.com

If you would like to install a single certificate valid for multiple domains or subdomains, then you may pass them as extra parameters to the command.
The first domain name in the list of parameters is going to be the base domain used by Let’s Encrypt to make the certificate, due to that reason we suggest that you pass the bare to-level domain name as your first one in the list accompanied by any extra subdomains or aliases.

 sudo certbot --apache -d domain.com -d www.domain.com

As an example, we will be using the base domain ‘domain.com‘.
You will be prompted to give an email address for lost key recovery and notices, then you will have to agree to the Let’s Encrypt terms of service.
You will now be asked to choose between enabling both http and https access or to cause all requests to redirect to https.
After the installation is done, you will be able to find the generated certificate files at ‘/etc/letsencrypt/live’.
You may verify the status of your SSL certificate using the following link, remmedering to switch ‘domain.com’ with your base domain.
https://www.ssllabs.com/ssltest/analyze.html?d=domain.com&latest
You will now be able to access your website with a ‘https’ prefix.

3. Setting Up Auto Renewal

Let’s Encrypt’s certificates were created to be valid only for ninety days which encourages users to automate their certificate renewal process.
We will have to set up a normal run command in order to check for any expiring certificates and also to renew them automatically.
Use Cron in order to run the renewal check daily, it is a standard system service for running periodic jobs.
Now tell Cron what to do by opening and modifying a file called ‘crontab’.

 sudo crontab –e

The text editor should open the default ‘crontab’ which is a text file with some help text in it.
Now you should paste in the following line at the end of the file and afterwards save and close.

. . .
15 3 * * * /usr/bin/certbot renew –quiet

The ’15 3 * * *’ part of the line means ‘run the following command at 3:15 am, every day’. You, however, are free to choose any time you want.
There is a command called ‘renew’ which checks all certificates installed on the system and updates every one that is set to expire in less than thirty days.
‘–quiet’ will tell Certbot to not output information and neither wait for user input.
Now Cron will run this command daily and since you have installed your certificates with the ‘–-apache’ plugin; Apache will be reloaded to make sure the new certificates are used.

Conclusion

In this article you have seen how to install a free SSL certificate from Let’s Encrypt for you to be able to secure a web hosting with Apache. Be sure to check the official Let’s Encrypt blog for any important updates from time to time.