Let’s Encrypt issues free certificates to secure websites. Without an SSL certificate, browsers flag your website as not secure. Let’s Encrypt is a certificate authority created by the Internet Security Research Group (ISRG). It provides free SSL certificates via a fully automated process designed to eliminate manual certificate creation, validation, installation, and renewal.
Certificates issued by Let’s Encrypt are valid for 90 days from the issue date and are trusted by all major browsers today. You can renew a certificate at any time, and network administrators typically set up a cron job so that a Let’s Encrypt certificate is renewed automatically before it expires.
This tutorial explains how to install a free Let’s Encrypt SSL certificate on Ubuntu 20.04 running Apache as the web server. We shall also show how to configure Apache to use the SSL certificate and enable HTTP/2, which is faster and more lightweight than HTTP/1.1.
Prerequisites
- You must be registered with Alibaba Cloud.
- You must have added and verified your payment method.
- If you are a new user, you can claim free credits of $450 – $1300 after your payment method has been verified. Register a new account and claim your free credits.
- To set up your ECS instance for the first time, you can refer to this tutorial or the quick-start guide.
- Registering a domain is recommended so that you can set up an FQDN hostname for your server. If you are willing to use the IP address directly, you may skip this.
- If you have registered a domain with a third party, you may transfer it to Alibaba Cloud.
- If you are using a domain name, remember to point it to the IP address of your server.
- You should set up your server’s hostname.
- Access to the VNC console in your Alibaba Cloud account, or an SSH client installed on your PC.
- Log in as the root user and create a user with sudo privileges.
Install Certbot
We shall use certbot to obtain the certificate from Let’s Encrypt. It is a command-line tool that automates the tasks of obtaining and renewing Let’s Encrypt SSL certificates.
The certbot package is included in the default Ubuntu repositories. Update the package list and install certbot using the following commands:
~ sudo apt update
~ sudo apt install certbot
Generate a Strong DH (Diffie-Hellman) Group
Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over an unsecured communication channel. A strong DH group is needed so that the DHE cipher suites configured later do not fall back to weak default parameters. Generate a new set of 2048-bit DH parameters to strengthen the security:
~ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
We have used a size of 2048 bits, but you can increase it up to 4096. Depending on the available system entropy, the system may take considerably longer to generate the larger parameters.
Obtain a Let’s Encrypt SSL certificate
To obtain an SSL certificate for the domain, we are going to use the Webroot plugin. It works by creating a temporary file for validating the requested domain in the ${webroot-path}/.well-known/acme-challenge directory. The Let’s Encrypt server makes HTTP requests to the temporary file to validate that the requested domain resolves to the server where certbot runs.
To keep things simple, we’re going to map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.
Run the following commands to create the directory and make it writable for the Apache server:
~ sudo mkdir -p /var/lib/letsencrypt/.well-known
~ sudo chgrp www-data /var/lib/letsencrypt
~ sudo chmod g+s /var/lib/letsencrypt
To avoid duplicating code and make the configuration more maintainable, create the following two configuration snippets:
Create at location /etc/apache2/conf-available/letsencrypt.conf:
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
Create at location /etc/apache2/conf-available/ssl-params.conf:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Header always set Strict-Transport-Security "max-age=63072000"
The snippet above uses the ciphers recommended by Mozilla, disables the obsolete SSLv3, TLSv1 and TLSv1.1 protocol versions, enables OCSP stapling, and enforces HTTP Strict Transport Security (HSTS) through a security-focused response header.
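The following Python script is an added example (not part of the original tutorial) that lints an ssl-params.conf such as the one above: it expands mod_ssl's "all -X" protocol syntax into the set of versions left enabled, flags any listed cipher that lacks forward secrecy or AEAD, and checks that HSTS and OCSP stapling are turned on. The embedded SAMPLE_CONF is constructed from the directives above.

```python
"""Lint the TLS directives of an Apache ssl-params.conf (added example)."""
import re

# Constructed sample input: directives taken from the ssl-params.conf snippet.
SAMPLE_CONF = """
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
Header always set Strict-Transport-Security "max-age=63072000"
"""

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
ONE_YEAR = 31536000  # minimum HSTS max-age required by the browser preload list

def parse_directives(text):
    """Map each directive name to its argument string (last occurrence wins)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            out[name] = args.strip()
    return out

def enabled_protocols(sslprotocol):
    """Expand mod_ssl's 'all -X +Y' syntax into the set of versions left enabled."""
    enabled = set()
    for tok in sslprotocol.split():
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def weak_ciphers(suite):
    """Ciphers lacking forward secrecy (no ECDHE/DHE) or AEAD (no GCM/CHACHA20)."""
    return [c for c in suite.split(":") if c and not
            (c.startswith(("ECDHE-", "DHE-")) and ("GCM" in c or "CHACHA20" in c))]

def lint(text):
    """Summarise the security-relevant settings as a dict a reviewer can check."""
    d = parse_directives(text)
    m = re.search(r"max-age=(\d+)", d.get("Header", ""))
    return {
        "protocols": enabled_protocols(d.get("SSLProtocol", "all")),
        "weak_ciphers": weak_ciphers(d.get("SSLCipherSuite", "")),
        "hsts_ok": bool(m) and int(m.group(1)) >= ONE_YEAR,
        "stapling": d.get("SSLUseStapling", "off").lower() == "on",
    }
```

Run `lint(open("/etc/apache2/conf-available/ssl-params.conf").read())` on the real file; anything in `weak_ciphers` or a protocol set larger than `{"TLSv1.2", "TLSv1.3"}` deserves a second look.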
Before enabling the configuration files, make sure both mod_ssl and mod_headers are enabled by issuing:
~ sudo a2enmod ssl
~ sudo a2enmod headers
Next, enable the SSL configuration files by running the following commands:
~ sudo a2enconf letsencrypt
~ sudo a2enconf ssl-params
Enable the HTTP/2 module, which will make your sites faster and more robust:
~ sudo a2enmod http2
Reload the Apache configuration for changes to take effect:
~ sudo systemctl reload apache2
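Before running certbot, it is worth confirming that a file dropped under /var/lib/letsencrypt really is served at http://<domain>/.well-known/acme-challenge/, because that is exactly the request the Let’s Encrypt validator makes. The following Python pre-flight check is an added example, not part of the original tutorial or of certbot; the `fetch` parameter and the script's behaviour are my own design.

```python
"""Pre-flight check for the HTTP-01 webroot mapping (added example)."""
import os
import secrets
import sys
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def default_fetch(url):
    """Fetch a URL over plain HTTP, as the ACME validator does for HTTP-01."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()

def verify_webroot_mapping(webroot, domain, fetch=default_fetch):
    """Write a random token file under webroot and confirm the web server
    serves it at http://<domain>/.well-known/acme-challenge/<token>.
    Returns True only if the served body matches; the file is always removed."""
    token = secrets.token_urlsafe(32)   # ACME tokens are base64url, like this one
    body = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)
    try:
        served = fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}")
    except Exception:                    # unreachable host, 404, redirect loop, ...
        served = None
    finally:
        os.remove(path)                  # never leave stray files in the webroot
    return served == body

if __name__ == "__main__":
    # Usage: sudo python3 preflight.py example.com   (hypothetical file name)
    ok = verify_webroot_mapping("/var/lib/letsencrypt", sys.argv[1])
    print("webroot mapping OK" if ok else "challenge file NOT reachable over HTTP")
```

If the check fails, review the Alias in letsencrypt.conf and the group ownership of /var/lib/letsencrypt before invoking certbot.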
We can now run the Certbot tool with the webroot plugin and obtain the SSL certificate files:
~ sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
If the SSL certificate is successfully obtained, certbot will print the following message:
Output:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-10-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Now that you have the certificate files, edit your domain’s virtual host configuration at /etc/apache2/sites-available/example.com.conf as follows:
<VirtualHost *:80>
    ServerName mail.websoft.ltd
    Redirect permanent / https://mail.websoft.ltd/
</VirtualHost>

<VirtualHost *:443>
    ServerName mail.websoft.ltd
    Protocols h2 http/1.1

    <If "%{HTTP_HOST} == 'www.mail.websoft.ltd'">
        Redirect permanent / https://mail.websoft.ltd/
    </If>

    DocumentRoot /var/www/mail.websoft.ltd/public_html
    ErrorLog ${APACHE_LOG_DIR}/mail.websoft.ltd-error.log
    CustomLog ${APACHE_LOG_DIR}/mail.websoft.ltd-access.log combined

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/mail.websoft.ltd/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mail.websoft.ltd/privkey.pem

    # Other Apache Configuration
</VirtualHost>
With the configuration above, we are forcing HTTPS and redirecting from the www to the non-www version of the site. Feel free to adjust the configuration according to your needs.
Reload the Apache service for changes to take effect:
~ sudo systemctl reload apache2
You can now open your website using https://, and you’ll notice a green lock icon.
If you test your domain using the SSL Labs Server Test, you’ll get an A+ grade, as shown below:
Setting Cron Job for Auto-Renewal of Let’s Encrypt SSL certificate
Let’s Encrypt’s certificates are valid for 90 days. To automatically renew the certificates before they expire, the certbot package creates a cron job that runs twice a day and automatically renews any certificate 30 days before its expiration.
Once a certificate is renewed, we also have to reload the Apache service. Append --renew-hook "systemctl reload apache2" to the command in the /etc/cron.d/certbot file so that it looks like the following:
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"
To test the renewal process without issuing a real certificate, use the certbot --dry-run switch:
sudo certbot renew --dry-run
If there are no errors, the renewal process is working.
In this tutorial, we talked about how to use the Let’s Encrypt client certbot on Ubuntu 20.04 to obtain SSL certificates for your domains. We have also shown you how to configure Apache to use the certificates and set up a cron job for automatic certificate renewal.
To learn more about the Certbot script, visit the Certbot documentation.