How to Install a Let's Encrypt SSL Certificate on Ubuntu 18.04
This tutorial explains how to install a Let's Encrypt SSL certificate for the Apache web server on Ubuntu 18.04. Let's Encrypt is a non-profit CA with the goal of providing free SSL/TLS certificates to all websites on the internet. Let's Encrypt provides trusted certificates through an automated process without any cost.
Prerequisites and requirements
To install a Let's Encrypt certificate, you need shell access to the server with administrative privileges.
It is expected that the Apache web server has been installed and is currently running. If Apache has not been installed already, install it by following the instructions in the following link.
How to Install Apache on Ubuntu 18.04 Server
We also assume you already have a virtual host configured for the HTTP (non-secure) version of your website with basic parameters:
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
During the process, a new virtual host config for the SSL site will be created automatically based on this configuration.
DNS
DNS records should already exist so that you can prove ownership of the domain name. Your website's domain should point to the IP address of your Ubuntu 18.04 server.
If you can't point your website to the server before installing the certificate, you can use the DNS-01 validation method to prove ownership of the domain name.
How to get a Let’s Encrypt Certificate before DNS is moved (DNS-01 validation)
How to do it…
The steps to install Let’s Encrypt certificate for Apache on Ubuntu 18.04 are as follows:
- Install Certbot ACME client.
- Install the SSL/TLS Certificate.
- Verify the VirtualHost file.
- Automate the renewal process.
Run the following commands to install Certbot on Ubuntu 18.04:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
With Certbot in place, we will install a certificate for our domain name (modify the domain name as appropriate in the command):
sudo certbot --apache -d example.com -d www.example.com
The first time we run the certbot command, we must provide a valid e-mail address for correspondence about our certificates. Then we must agree to the Terms of Service (press A and then Enter to accept):
(A)gree/(C)ancel: A
Finally, Certbot asks whether or not to redirect HTTP traffic to HTTPS. You should not redirect HTTP traffic to HTTPS at this point, so answer with 1 for No redirect.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
That is all we need to do!
The certbot command also creates a new virtual host config file for our SSL website under the /etc/apache2/sites-available directory (e.g. example.com-le-ssl.conf):
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule>
The config file is enabled by default, so at this point you should be able to access your website using the https protocol.
Automate the renewal process
Let's Encrypt SSL certificates are valid for only 90 days, so each certificate needs to be renewed periodically. You can run the following command to renew all certificates on your Ubuntu 18.04 server:
sudo certbot renew
The Ubuntu certbot client comes with a cron job (/etc/cron.d/certbot) that will renew your certificates automatically before they expire:
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
This cron job will execute the certbot renew command every 12 hours and will renew certificates that are near expiry.
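To confirm that automatic renewal is really working, the following check is an added example (not part of the original tutorial): renewal happens once fewer than 30 days remain, so a certificate that drops below 20 days has missed several renewal attempts. The function names and the 20-day threshold are assumptions; the script relies only on openssl x509 -checkend and the /etc/letsencrypt/live layout shown above.

```shell
#!/bin/sh
# Added example: flag certificates that the renewal job should already
# have replaced. Names and threshold below are assumptions.
WARN_DAYS="${WARN_DAYS:-20}"   # renewal starts at 30 days remaining

# cert_status FILE [DAYS]
# Prints OK / RENEWAL_OVERDUE / EXPIRED / UNREADABLE, returns 0 / 1 / 2 / 3.
cert_status() {
    f="$1"
    days="${2:-$WARN_DAYS}"
    # A file that does not parse as a certificate is reported, not ignored.
    if ! openssl x509 -noout -in "$f" >/dev/null 2>&1; then
        echo "UNREADABLE"; return 3
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$f" >/dev/null 2>&1; then
        echo "EXPIRED"; return 2
    fi
    if ! openssl x509 -noout -checkend $((days * 86400)) -in "$f" >/dev/null 2>&1; then
        echo "RENEWAL_OVERDUE"; return 1
    fi
    echo "OK"; return 0
}

# check_live_dir [DIR]
# Runs cert_status on every fullchain.pem under a certbot "live" directory
# and returns non-zero if any certificate is not OK.
check_live_dir() {
    live="${1:-/etc/letsencrypt/live}"
    rc=0
    for cert in "$live"/*/fullchain.pem; do
        [ -e "$cert" ] || continue
        status=$(cert_status "$cert") || rc=1
        printf '%s %s\n' "$status" "$cert"
    done
    return "$rc"
}

# When a directory is given on the command line, check it and exit with
# the result so cron or a monitoring agent can alert on failure.
if [ "$#" -gt 0 ]; then
    check_live_dir "$1"
fi
```

Run it as root with the live directory as its argument, for example sh check-certs.sh /etc/letsencrypt/live (the file name is hypothetical); a non-zero exit status means at least one certificate needs attention.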
Note that your SSL certificate, private key, account credentials and everything else are saved in your Certbot configuration directory at /etc/letsencrypt. Make sure to keep regular backups of this folder.
Just like that, you can get a free SSL certificate for all of your websites from Let's Encrypt.