Secure Apache with HTTPS Using Let's Encrypt
To configure HTTPS for Apache using Let's Encrypt to obtain SSL certificates, the following steps must be performed.
This procedure assumes that:
- You have an Apache web server in place and working.
- You have one or more domain names properly configured.
1 - Download the Let's Encrypt client
The first step to using Let's Encrypt to obtain an SSL certificate is to install the certbot
software on your server.
Download the following package, using the package manager for your server:
python-certbot-apache
2 - Open up firewall
If you have a firewall configured, make sure it allows HTTPS traffic on TCP port 443.
3 - Set up the SSL Certificate
1) Certbot automates this process using the following command. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.
In this case, example.com will be used as an example domain. Multiple domains can be added by repeating the -d option.
The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate, and for that reason, it is recommended that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases:
~$ sudo certbot --apache -d example.com -d www.example.com
For this example, the base domain will be example.com.
2) You will be prompted to provide an email address for lost key recovery and notices, and you will need to agree to the Let's Encrypt terms of service. You'll then be asked to choose between enabling both http and https access or forcing all requests to redirect to https.
It is recommended to force all requests to redirect to https for maximum security.
3) When the installation is complete, you should be able to find the generated certificate files at:
/etc/letsencrypt/live
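As an added illustration that is not part of the original guide, this is roughly what the Apache configuration produced by certbot --apache looks like once the redirect option has been chosen, so you can verify what was written on your server. The vhost file names, the DocumentRoot and the fullchain.pem/privkey.pem file names under /etc/letsencrypt/live are assumptions and may differ on your system.

```apache
# Assumed path: /etc/apache2/sites-available/example.com.conf (plain-HTTP vhost)
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    # Send every plain-HTTP request to HTTPS; this is what the
    # "redirect" choice in certbot's prompt adds to the vhost.
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.com [OR]
    RewriteCond %{SERVER_NAME} =www.example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# Assumed path: /etc/apache2/sites-available/example.com-le-ssl.conf (HTTPS vhost)
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    # Certificate chain and private key written by certbot. Renewals
    # replace the files behind these paths, so the vhost needs no change.
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    # Protocol and cipher settings shipped with certbot.
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```

Check the syntax with sudo apachectl configtest, and confirm that renewal will work before relying on it with sudo certbot renew --dry-run.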
4 - Set up Auto Renewal
Let's Encrypt SSL certificates are only valid for 90 days, so it is advised to set up an auto renewal to ensure the certificates remain valid.
To do this, edit the root user's crontab:
~$ sudo crontab -e
Your text editor will open the default crontab, which is a text file with some help text in it. Paste the following line at the end of the file, then save and close it:
15 3 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
The 15 3 * * * part of this line means "run the following command at 3:15 am, every day". You can configure any time you like to run the command.
This runs Certbot's renew command, which checks all certificates installed on the system and renews any that are set to expire in less than thirty days.
It also appends the command's output to the le-renew.log file.