Let’s Encrypt is a free, automated, and open certificate authority (CA) that provides TLS/SSL certificates for web servers. It simplifies the process of obtaining and installing certificates by providing a software client called Certbot that automates most of the steps.
In this guide, you will learn how to use Certbot to secure your Apache web server with Let’s Encrypt on Debian or Ubuntu.
If you already have your own SSL files (private key, public key, intermediate key) then you can follow this guide instead.
Prerequisites
Before you begin, you will need:
- A Debian or Ubuntu server with sudo access.
- A fully registered domain name that points to your server’s IP address. For example, your_domain.com and www.your_domain.com. You can use any domain registrar of your choice.
- Apache installed and running on your server.
- A virtual host file for your domain in /etc/apache2/sites-available/. For example, /etc/apache2/sites-available/your_domain.conf.
Step 1: Installing Certbot
The first step is to install Certbot on your server. Certbot is available as a snap package for Debian, which is an easy way to install software that is always up-to-date.
To install Certbot as a snap package, you need to have snapd installed on your server. snapd is a daemon that allows you to manage snaps. Snap packages are a modern approach that work on nearly all Linux distributions and provide up-to-date versions of software.
To install snapd, run the following commands with sudo:
sudo apt update
sudo apt install snapd
sudo snap install core
Once snapd is installed, you can install Certbot with this command:
sudo snap install --classic certbot
This will download and install Certbot as a snap package.
To make sure Certbot is installed correctly, run this command:
sudo certbot --version
You should see something like this:
certbot 1.29.0
This means Certbot is installed successfully.
Step 2: Setting Up SSL Configuration in Apache
Before obtaining an SSL certificate from Let’s Encrypt, you need to make sure that your Apache virtual host file has a ServerName directive that matches your domain name.
To check your virtual host file, open it with your preferred text editor. For example:
sudo nano /etc/apache2/sites-available/your_domain.conf
Look for the line that starts with ServerName and make sure it has your domain name after it. For example:
ServerName your_domain.com
If you have multiple domains or subdomains that point to the same server, you can also add them as ServerAlias directives below the ServerName. For example:
ServerAlias www.your_domain.com blog.your_domain.com
This will allow you to obtain one certificate for multiple domains or subdomains.
Save and close the file when you are done editing it.
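Certbot’s --apache plugin only offers the names it finds in your virtual host files, so a quick check of the ServerName and ServerAlias values before Step 3 saves a second run later. The following shell functions are an added example, not part of the original guide or of Certbot; the vhost path and the domain names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): list every name an Apache
# virtual host file declares via ServerName and ServerAlias. These are the
# names "certbot --apache" will offer to activate HTTPS for.
# Usage: vhost_names /etc/apache2/sites-available/your_domain.conf

vhost_names() {
    # Drop comments first, then print each ServerName / ServerAlias argument
    # on its own line. ServerAlias may carry several space-separated names,
    # and ServerName may carry a :port suffix that is not part of the name.
    sed -e 's/#.*$//' "$1" \
    | awk '
        tolower($1) == "servername"  { n = $2; sub(/:[0-9]+$/, "", n); print n }
        tolower($1) == "serveralias" { for (i = 2; i <= NF; i++) print $i }
    ' | sort -u
}

# Print every requested name that the vhost does NOT declare.
# Returns 0 (and prints nothing) when all requested names are covered.
# Usage: missing_names /path/to/vhost.conf your_domain.com www.your_domain.com
missing_names() {
    vhost="$1"; shift
    declared=$(vhost_names "$vhost")
    rc=0
    for name in "$@"; do
        # -F: literal match (dots are not regex wildcards); -x: whole line only
        if ! printf '%s\n' "$declared" | grep -qxF -- "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}
```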
Next, enable the SSL module for Apache with this command:
sudo a2enmod ssl
This will enable HTTPS connections on your web server.
Restart Apache for the changes to take effect:
sudo systemctl restart apache2.service
Step 3: Obtaining an SSL Certificate
To obtain an SSL certificate from Let’s Encrypt using Certbot, you need to use the --apache plugin, which will automatically configure Apache for HTTPS.
To do so, run this command with sudo:
sudo certbot --apache
This will start an interactive process that will ask you a few questions.
First, you will be asked to enter your email address. This is used for sending renewal reminders and security notices. Enter a valid email address and press ENTER.
Next, you will be asked to agree to the terms of service. Press A and then ENTER to agree.
Then, you will be asked if you want to share your email address with the Electronic Frontier Foundation (EFF), a nonprofit organization that advocates for digital rights. You can choose Yes or No depending on your preference.
After that, Certbot will scan your Apache configuration files and display a list of domains that it can obtain certificates for. You can choose to obtain a certificate for one or more domains by entering their corresponding numbers separated by commas. For example:
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - -
1: your_domain.com
2: www.your_domain.com
3: blog.your_domain.com
- - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1,2
This will obtain a certificate for your_domain.com and www.your_domain.com.
Alternatively, you can leave the input blank and press ENTER to select all options shown.
Finally, Certbot will ask you how you want to configure your HTTPS settings. You have two options:
- Easy: This option will redirect all HTTP traffic to HTTPS automatically. This is recommended for most websites as it provides better security and performance.
- Secure: This option will make all requests for HTTP fail with an error message. This is more secure but may cause compatibility issues with some clients.
Choose your preferred option by typing 1 or 2 and pressing ENTER.
Certbot will then obtain an SSL certificate for your domain(s) and configure Apache to use it. It will also create a cron job that will automatically renew your certificate before it expires.
You should see a message like this when the process is complete:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your_domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your_domain.com/privkey.pem
Your cert will expire on 2022-01-01. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
This means that your SSL certificate is successfully installed and configured!