In this article from the Linux Tutorials, we want to teach you How To Secure Apache with Let’s Encrypt on Ubuntu 22.04.
Let’s Encrypt is a free certificate authority developed by the Internet Security Research Group (ISRG).
Let’s Encrypt provides two types of certificates: the standard single-domain SSL, and the Wildcard SSL, which covers not only a single domain but all of its subdomains too. Both types of SSL certificates are issued for a period of 90 days, and on SiteGround servers they are renewed automatically once installed. These certificates are domain-validated, don’t require a dedicated IP, and are supported on all SiteGround hosting solutions.
Steps To Secure Apache with Let’s Encrypt on Ubuntu 22.04
Before you start to secure your Apache on Ubuntu 22.04, you need some requirements first.
Requirements
You need to log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can follow our article on the Initial Server Setup with Ubuntu 22.04.
Then, you need to have Apache installed on your server. To do this, you can follow our guide on How To Install the Apache Web server on Ubuntu 22.04.
Also, you need to have a domain name that is pointed to your server’s IP address.
Now follow the steps below to complete this guide.
Install certbot on Ubuntu 22.04
First of all, you need to install “certbot” to get an SSL certificate with Let’s Encrypt.
sudo apt install certbot python3-certbot-apache
Answer “y” to complete the installation.
Certbot is now installed on your Ubuntu 22.04 server.
Configure Firewall
At this point, you need to allow HTTPS through the UFW firewall.
To verify what kind of traffic is currently allowed on your server, check the status:
sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)
As you can see, only HTTP traffic on port 80 is currently allowed.
To allow for HTTPS traffic, allow the “Apache Full” profile with the following command:
sudo ufw allow 'Apache Full'
Then, delete the Apache profile with the command below:
sudo ufw delete allow 'Apache'
Check your UFW status again:
sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
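The check above can also be scripted. The following is an added example, not part of the original article: it reads "ufw status" output and reports whether ports 80 and 443 are both open, since certbot's http-01 challenge and the HTTP redirect still need port 80. The function names are hypothetical, and the profile-to-port mapping assumes the UFW profiles shipped with Ubuntu's apache2 package.

```sh
#!/bin/sh
# Added example (not from the original article): summarise `ufw status` output.
# Assumption: the UFW profiles shipped with Ubuntu's apache2 package, where
# "Apache" = 80/tcp, "Apache Secure" = 443/tcp, "Apache Full" = 80 and 443.

# ufw_web_ports: read `ufw status` text on stdin and print the IPv4 state of
# both web ports, e.g. "http=open https=closed".
ufw_web_ports() {
    awk '
        # Only ALLOW rules open a port; (v6) lines repeat the IPv4 rules.
        / ALLOW / && !/\(v6\)/ {
            rule = $0
            sub(/[ \t]+ALLOW.*/, "", rule)   # keep only the "To" column
            if (rule == "Apache" || rule == "Apache Full" || rule ~ /^80(\/tcp)?$/)
                http = 1
            if (rule == "Apache Secure" || rule == "Apache Full" || rule ~ /^443(\/tcp)?$/)
                https = 1
        }
        END {
            print "http=" (http ? "open" : "closed") " https=" (https ? "open" : "closed")
        }
    '
}

# certbot_firewall_ready: succeed only if both ports are open. Port 443 serves
# HTTPS; port 80 carries the http-01 challenge and the HTTP-to-HTTPS redirect.
certbot_firewall_ready() {
    [ "$(ufw_web_ports)" = "http=open https=open" ]
}

# Check the live firewall when ufw is installed and we are root.
if command -v ufw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    ufw status | ufw_web_ports
fi
```

With the first status output shown above this prints "http=open https=closed"; after enabling "Apache Full" it prints "http=open https=open".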
Let’s get an SSL certificate for your domain name.
Get an SSL certificate from Let’s Encrypt on Ubuntu 22.04
You can get your SSL certificate with Let’s Encrypt by following these steps:
Run certbot with the Apache plugin:
sudo certbot --apache
It will ask you some questions. The first asks you to enter your email address for renewal notifications and security notices:
Output
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
After entering your email address, press Enter to go to the next step. You will be asked to confirm that you agree to the Let’s Encrypt terms of service. Press ‘A’ to accept, then press Enter to continue:
Output
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)agree/(C)cancel : A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
At this point, you will be asked to share your email address with the Electronic Frontier Foundation:
Output
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)yes/(N)no: N
Press ‘N’ to continue, or type ‘Y’ if you want to receive the information.
For this step to work, your virtual host name must be set up correctly, as described at the beginning of the article. Select the domains you want to activate HTTPS for.
Output
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: stacku.orcacore.net
2: www.stacku.orcacore.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
You will see output like this:
Output
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for stacku.orcacore.net
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/stacku.orcacore.net-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/stacku.orcacore.net-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/stacku.orcacore.net-le-ssl.conf
In the next step, you will be asked to choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
Output
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
At this point, the certbot configuration is finished, and you will see this in your output:
Output
Congratulations! You have successfully enabled https://stacku.orcacore.net
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=stacku.orcacore.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/stacku.orcacore.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/stacku.orcacore.net/privkey.pem
   Your cert will expire on 2021-11-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
At this point, your Let’s Encrypt certificate is installed on Ubuntu 22.04 and loaded into Apache’s configuration.
Verify Certificates From Let’s Encrypt
Type your domain name in your web browser. You will see the lock icon in the address bar.
You can also use the SSL Labs server test to verify your Let’s Encrypt certificate: go to the page and enter your hostname there.
Set up Auto-Renewal of the Let’s Encrypt Certificates on Ubuntu 22.04
So far, you have learned how to secure Apache with Let’s Encrypt on Ubuntu 22.04 and configure it. Keep in mind that Let’s Encrypt certificates are valid for 90 days, but it’s better to renew them every 60 days automatically. You can test the renewal process with a dry run:
sudo certbot renew --dry-run
You will see this in your output:
Output
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/stacku.orcacore.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
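A dry run only shows that renewal can work; it does not show that renewals keep happening. The following added example, which is not part of the original article, flags certificates with fewer than 30 days left, which with a 90-day lifetime and renewal around day 60 means auto-renewal has stalled. The function names and the 30-day threshold are assumptions; the directory layout is certbot's default as shown in the output above.

```sh
#!/bin/sh
# Added example (not from the original article): detect stalled auto-renewal.
# Assumption: certbot's default layout, <live-dir>/<name>/fullchain.pem.

# With a 90-day lifetime and renewal around day 60, a healthy certificate
# always has more than about 30 days left.
MIN_DAYS_LEFT=30

# cert_status FILE [MIN_DAYS]: print "ok", "overdue" or "unreadable" and
# return 0, 1 or 2. openssl reads the first (leaf) certificate in the file.
cert_status() {
    cert=$1
    min_days=${2:-$MIN_DAYS_LEFT}
    if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        echo unreadable
        return 2
    fi
    # -checkend N exits 0 only if the certificate is still valid in N seconds.
    if openssl x509 -noout -checkend "$((min_days * 86400))" -in "$cert" >/dev/null; then
        echo ok
        return 0
    fi
    echo overdue
    return 1
}

# audit_live_dir DIR: print "<status> <name> <notAfter>" for each certificate
# and return non-zero if any of them is not "ok".
audit_live_dir() {
    live=$1
    rc=0
    for cert in "$live"/*/fullchain.pem; do
        [ -e "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        status=$(cert_status "$cert") || rc=1
        end=$(openssl x509 -noout -enddate -in "$cert" 2>/dev/null | cut -d= -f2)
        echo "$status $name ${end:-unknown}"
    done
    return "$rc"
}

# Audit certbot's default directory when it is readable (normally root only).
if [ -r /etc/letsencrypt/live ]; then
    audit_live_dir /etc/letsencrypt/live
fi
```

Run it as root, for example from a daily cron job, and alert on a non-zero exit status.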
Conclusion
At this point, you have learned how to secure Apache with Let’s Encrypt on Ubuntu 22.04.
I hope you enjoy it.