Using Let’s Encrypt with Apache on Ubuntu 18.04

Overview

Let’s Encrypt was the beginning of a movement to encrypt all Internet traffic in order to increase security and privacy. Until services like Let’s Encrypt became available, getting certificates for a web application was a costly pursuit, sometimes dwarfing the annual cost of simply hosting the application. In this tutorial, you will learn how to use Let’s Encrypt with the Apache web server.

Certbot is the latest tool available from Let’s Encrypt. It is a much simpler way to automate requesting and installing certificates than the original method.

The following instructions work on standalone Ubuntu 18.04 installations, such as bare metal, virtual machines, and Vagrant boxes, for example. They will also work with Google Compute Instances and AWS EC2 Instances.

Installing Certbot

Certbot is meant to be installed on the host running your web application. You must have administrative privileges to use this method.

Let’s Encrypt maintains an Ubuntu PPA. The following instructions will show you how to add it to your local repositories and then use it for installing Certbot.

Add the Let’s Encrypt PPA


sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot

Now install the Certbot package from the PPA


sudo apt install certbot python-certbot-apache

Certificate Installation

To request and install Let’s Encrypt certificates for Apache, Let’s Encrypt developed an Apache plugin. The plugin automatically updates your Apache configuration to install the latest certificates.


sudo certbot --apache

When you run the command for the first time, you will be prompted for information.

Enter email address (used for urgent renewal and security notices)

Read and then accept the Terms of Service

Since this is your first use of the command and no configuration exists for it yet, you will be prompted for the domain names to add to your certificate. Every name must have a valid A/AAAA record that points to the host you are running the command from.

No names were found in your configuration files. Please enter in your domain name(s) (comma and/or space separated):

The output will look like the following.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): blog.rigpig.ca
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for blog.rigpig.ca
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
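The http-01 challenge above only succeeds if Let’s Encrypt can reach this host on port 80 for every name you type at the prompt, so it is worth checking the A/AAAA records before running certbot. The following pre-flight check is example code added to this tutorial, not part of Certbot: it splits the prompt input the same way certbot accepts it (comma and/or space separated), resolves each name, and compares the answers with the host’s own public addresses, which the operator supplies (for example from the cloud console). The resolver is injectable so the check can be exercised offline against the constructed DNS data at the bottom; the addresses there are TEST-NET placeholders, and the names are hypothetical.

```python
"""Pre-flight check before `certbot --apache`: confirm each requested name
resolves (A/AAAA) to an address of this host. Added example, not Certbot's
own code; host_addrs is supplied by the operator."""
import socket
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], Set[str]]


def parse_name_input(raw: str) -> List[str]:
    """Split prompt input ("comma and/or space separated") into names,
    lower-cased, trailing dot removed, de-duplicated, order preserved."""
    seen: Set[str] = set()
    names: List[str] = []
    for token in raw.replace(",", " ").split():
        name = token.strip().lower().rstrip(".")
        if name and name not in seen:
            seen.add(name)
            names.append(name)
    return names


def resolve_addresses(name: str) -> Set[str]:
    """Live resolver: the set of IPv4/IPv6 addresses (A and AAAA) for name."""
    addrs: Set[str] = set()
    for family, _t, _p, _c, sockaddr in socket.getaddrinfo(name, None):
        if family in (socket.AF_INET, socket.AF_INET6):
            addrs.add(sockaddr[0])
    return addrs


def check_names(names: Iterable[str], host_addrs: Set[str],
                resolve: Resolver = resolve_addresses) -> Dict[str, str]:
    """Map each name to 'ok', 'no-record' or 'points-elsewhere:<addrs>'.
    A name that resolves only to other addresses (a CDN or proxy in front
    of you, for instance) will fail http-01 validation from this host."""
    results: Dict[str, str] = {}
    for name in names:
        try:
            addrs = resolve(name)
        except socket.gaierror:
            addrs = set()
        if not addrs:
            results[name] = "no-record"
        elif addrs & host_addrs:
            results[name] = "ok"
        else:
            results[name] = "points-elsewhere:" + ",".join(sorted(addrs))
    return results


def ready_names(results: Dict[str, str]) -> List[str]:
    """Names that are safe to hand to certbot; the rest need a DNS fix first."""
    return [n for n, status in results.items() if status == "ok"]


# Constructed DNS data so the check runs offline (TEST-NET placeholder IPs,
# hypothetical names). A real run would use resolve_addresses instead.
FAKE_DNS: Dict[str, Set[str]] = {
    "blog.example.test": {"203.0.113.10"},
    "www.example.test": {"198.51.100.7"},  # fronted by a proxy, not this host
}


def fake_resolve(name: str) -> Set[str]:
    if name not in FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_DNS[name]


if __name__ == "__main__":
    requested = parse_name_input("blog.example.test, www.example.test missing.example.test")
    report = check_names(requested, {"203.0.113.10"}, resolve=fake_resolve)
    for name, status in report.items():
        print(f"{name:28} {status}")
    print("run certbot for:", ", ".join(ready_names(report)) or "(nothing)")
```

For a real check, call `check_names(parse_name_input(...), {<your public IPs>})` with the default resolver; a `points-elsewhere` result is the symptom you see when a proxying DNS provider sits in front of the server, which is exactly the case the CloudFlare section below addresses with the DNS plugin.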

You will be prompted to select whether all HTTP traffic should be redirected to HTTPS. In most cases where you want traffic to be HTTPS, this is acceptable. However, you may decide to perform this action manually.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

Finally, after a successful configuration and certificate request with Certbot, you will receive the following output.

Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

Congratulations! You have successfully enabled https://blog.rigpig.ca
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=blog.rigpig.ca

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/blog.rigpig.ca/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/blog.rigpig.ca/privkey.pem
   Your cert will expire on 2019-08-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew all of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Auto Renewal of Certificates

Aside from being free to request, Let’s Encrypt certificates can be renewed automatically. This is the default behaviour of a new Certbot installation, so no further work is needed on your side.

When Certbot is installed, a cronjob is created under /etc/cron.d. The cronjob attempts renewal twice a day, and a certificate is actually renewed only when it is within 30 days of expiry; on hosts using systemd as the init system (which Ubuntu 18.04 does) the cron entry skips itself and the certbot.timer unit does the same job, as the comments in the file explain. An example of the cronjob is shown below.

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Listing Certificates

To list all of the installed certificates managed by Certbot, you can use the certbot certificates command. The command outputs details about each certificate, such as its expiry date and the paths to the certificate files.


sudo certbot certificates

 Found the following certs:
   Certificate Name: blog.rigpig.ca
     Domains: blog.rigpig.ca
     Expiry Date: 2019-08-30 11:41:53+00:00 (VALID: 89 days)
     Certificate Path: /etc/letsencrypt/live/blog.rigpig.ca/fullchain.pem
     Private Key Path: /etc/letsencrypt/live/blog.rigpig.ca/privkey.pem
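Automatic renewal is only useful if it keeps working, and the certbot certificates listing above is the simplest signal: a certificate that is still inside the 30-day renewal window described in the Auto Renewal section (or has already expired) means the cron entry or timer is not doing its job. The following monitoring helper is example code added to this tutorial, not part of Certbot: it parses the listing into one record per certificate and classifies each one relative to the renewal window. The sample output is constructed in the shape of the listing above; the two extra certificate names and the fixed "now" are hypothetical.

```python
"""Parse `sudo certbot certificates` output and flag certificates inside
the renewal window or already expired. Added example, not Certbot's own
code; SAMPLE_OUTPUT and DEMO_NOW are constructed for an offline run."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Certbot renews when expiry is within 30 days (see the cron file comments).
RENEW_WINDOW = timedelta(days=30)

# Constructed sample in the shape of the tutorial's listing; the second and
# third certificates are hypothetical and exist to show the failure cases.
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: blog.rigpig.ca
    Domains: blog.rigpig.ca
    Expiry Date: 2019-08-30 11:41:53+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/blog.rigpig.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/blog.rigpig.ca/privkey.pem
  Certificate Name: shop.example.test
    Domains: shop.example.test www.shop.example.test
    Expiry Date: 2019-06-20 09:00:00+00:00 (VALID: 17 days)
    Certificate Path: /etc/letsencrypt/live/shop.example.test/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/shop.example.test/privkey.pem
  Certificate Name: old.example.test
    Domains: old.example.test
    Expiry Date: 2019-05-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.test/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.test/privkey.pem
"""

# Constructed reference time for the demo (the listing above was taken
# roughly 89 days before blog.rigpig.ca expires).
DEMO_NOW = datetime(2019, 6, 2, 12, 0, tzinfo=timezone.utc)

EXPIRY_RE = re.compile(
    r"Expiry Date:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})")


def parse_certificates(text: str) -> List[Dict[str, object]]:
    """Turn the indented listing into one dict per certificate."""
    certs: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = {"name": line.split(":", 1)[1].strip()}
            certs.append(current)
        elif not current:
            continue  # header lines before the first certificate
        elif line.startswith("Domains:"):
            current["domains"] = line.split(":", 1)[1].split()
        elif line.startswith("Expiry Date:"):
            m = EXPIRY_RE.match(line)
            if m is None:
                raise ValueError(f"unrecognised expiry line: {line}")
            # Timezone-aware timestamp, e.g. 2019-08-30 11:41:53+00:00
            current["expiry"] = datetime.fromisoformat(m.group(1))
        elif line.startswith("Certificate Path:"):
            current["cert_path"] = line.split(":", 1)[1].strip()
        elif line.startswith("Private Key Path:"):
            current["key_path"] = line.split(":", 1)[1].strip()
    return certs


def renewal_status(certs: List[Dict[str, object]], now: datetime) -> Dict[str, str]:
    """'ok' outside the window; 'due' inside it (certbot renew should have
    replaced it already, so check the cron entry or certbot.timer);
    'expired' past the expiry date."""
    status: Dict[str, str] = {}
    for cert in certs:
        remaining = cert["expiry"] - now  # type: ignore[operator]
        if remaining <= timedelta(0):
            status[str(cert["name"])] = "expired"
        elif remaining <= RENEW_WINDOW:
            status[str(cert["name"])] = "due"
        else:
            status[str(cert["name"])] = "ok"
    return status


def needs_attention(status: Dict[str, str]) -> List[str]:
    """Certificate names a monitoring job should alert on."""
    return sorted(name for name, s in status.items() if s != "ok")


if __name__ == "__main__":
    listing = parse_certificates(SAMPLE_OUTPUT)
    for name, s in renewal_status(listing, DEMO_NOW).items():
        print(f"{name:22} {s}")
```

In production, feed the function the real listing (for example `subprocess.run(["certbot", "certificates"], capture_output=True, text=True).stdout`) and `datetime.now(timezone.utc)`; anything reported as due or expired is a sign to run `sudo certbot renew --dry-run` and inspect the renewal mechanism before the certificate lapses.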

CloudFlare DNS Support

The instructions above for registering domain names for certificates will not work with CloudFlare. Certbot expects the domain name to resolve directly to the IP address of the Apache server, which is not the case when CloudFlare is operating as your DNS nameserver.

To enable CloudFlare support, install the certbot cloudflare DNS plugin.


sudo apt install python3-certbot-dns-cloudflare