In this article, we will show you how to install the Let’s Encrypt client on your Ubuntu 20.04 VPS, issue an SSL certificate for your domain, and configure it with the Apache webserver.
Let’s Encrypt is a certificate authority organization (CA) that allows anyone to obtain a free SSL certificate with simple and automated commands. In this tutorial, we will use a tool called certbot
, which is an official part of EFF’s effort to encrypt the entire Internet. Thanks to this convenient tool, setting up an SSL certificate to protect your website’s visitors and improve your website’s security has never been easier. All SSL certificates provided by Let’s Encrypt can be used for production/commercial purposes without any costs or fees. Let’s begin with the installation and setup.
Let’s start with the installation – it is a simple installation and will not take long.
Prerequisites
- For the purposes of this tutorial, we will use an Ubuntu 20.04 VPS.
- User with sudo privileges or full SSH root access is required. All of our VPSes come with root access.
- A valid domain name pointed to your server’s IP address. In this tutorial, we will use
domain.com
as an example.
Table of Contents
1. Connect to your Server
Before we begin, you need to connect to your server via SSH as the root user. To do this, use the following command:
ssh root@IP_ADDRESS -p PORT_NUMBER
of course, you will need to replace IP_ADDRESS
and PORT_NUMBER
with your actual server IP address and SSH port number.
Once logged in, make sure that your server is up-to-date by running the following commands:
sudo apt update sudo apt upgrade
2. Install the Apache2 Web Server
We chose to use one of the most popular web servers in our article. We will be installing Apache2 since we need a web server on which to install the free Let’s Encrypt SSL certificate. There’s no point in having an SSL certificate without any web pages. Find out about some of the best free Let’s Encrypt alternatives.
Execute the following command to install Apache2:
sudo apt install apache2
Once Apache2 is installed on your server, you will be able to use the commands below to start, stop, and enable the service. We recommend enabling it so that Apache can start up automatically whenever your server reboots.
sudo systemctl stop apache2.service sudo systemctl start apache2.service sudo systemctl enable apache2.service
To confirm that you have properly installed Apache2, you can open your preferred web browser and type your server IP address or your domain (we assume it is pointed to your server) and you should be able to view the Apache2 Ubuntu Default Page.
3. Configure the Apache Virtual Host
Since you now have Apache installed on your server, we can continue and show you how to create a virtual host for the domain that you want to use. We will use nano as our editor, but if you do not prefer nano, you can use any editor of your choice and create a new configuration file called domain.com.conf
.
sudo nano /etc/apache2/sites-available/domain.com.conf
Then paste the configuration from below into the file, and replace all occurrences of domain.com
with your actual domain name.
<VirtualHost *:80> DocumentRoot /var/www/html/domain.com ServerName domain.com ServerAlias www.domain.com <Directory /var/www/html/domain.com/> Options FollowSymlinks AllowOverride All Require all granted </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
After you have finished with editing the file, save and close it.
Once you have configured the virtual host, you can enable it by executing the following commands.
Disable the default preinstalled virtual host with:
sudo a2dissite 000-default
then, enable the domain.com
virtual host:
sudo a2ensite domain.com.conf
also, you need to make sure that the mod rewrite
is enabled:
sudo a2enmod rewrite
Restart Apache so the changes will take effect.
sudo systemctl restart apache2.service
4. Install Certbot
As mentioned earlier, we will be using Certbot so that we can get a free SSL certificate from Let’s Encrypt. To install this useful tool, we need to enable the universe
repository:
sudo apt install software-properties-common sudo add-apt-repository universe sudo apt update
Run this command on the command line on the machine to install Certbot.
sudo apt install certbot python3-certbot-apache
5. Generate a Free Let’s Encrypt SSL Certificate
There are many ways to obtain an SSL certificate with Certbot. We will use the Apache plugin, which will take care of reconfiguring Apache’s Virtual Host and will reload the new configuration for us. You can run the following command to use the plugin:
sudo certbot --apache
Using this script, you need to answer a series of questions and provide an email address. In the first step, you need to type a valid email address. The email address is required for notifications and security notices regarding your website’s certificate:
Output: Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): you@domain.com
The next step is to confirm that you agree to the Let’s Encrypt terms of service. If you want to confirm, just type A and then press [ENTER]:
Output: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: A
If you want to share the provided email address with the EFF (Electronic Frontier Foundation) to receive news and other information, you can type Y. If you do not want to receive this type of email, you can type N and submit your answer by typing [ENTER].
Output: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: N
Now you need to select the domain you would like to activate HTTPS for. The domains and subdomains listed on your command prompt are automatically obtained from your Apache virtual host configuration. Type the numbers separated by commas and/or spaces, or if you’d like to enable HTTPS for all of the domains or subdomains, you can leave the prompt blank. Either way, you then press [ENTER] to proceed to the next step.
Output: Which names would you like to activate HTTPS for? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: domain.com 2: www.domain.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):
The output will be similar to this:
Output: Obtaining a new certificate Performing the following challenges: http-01 challenge for domain.com http-01 challenge for www.domain.com Waiting for verification... Cleaning up challenges Created an SSL vhost at /etc/apache2/sites-available/domain.com-le-ssl.conf Deploying Certificate to VirtualHost /etc/apache2/sites-available/domain.com-le-ssl.conf Enabling available site: /etc/apache2/sites-available/domain.com-le-ssl.conf
Certbot provides HTTPS redirection as an option that you can enable. In this step, the script will prompt you to select if you want the entire HTTP traffic to be redirected to HTTPS or to keep the current configuration. Select 1 if you do not want redirection or 2 to enable redirection, then press [ENTER].
Output: Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Great job. Your SSL certificate is now installed and loaded in the Apache configuration. You will see output similar to the following:
Output: Redirecting vhost in /etc/apache2/sites-enabled/domain.com.conf to ssl vhost in /etc/apache2/sites-available/domain.com-le-ssl.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully enabled https://domain.com You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=domain.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/domain.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/domain.com/privkey.pem Your cert will expire on 2021-09-09. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
To verify that your new SSL certificate is set up correctly, visit https://domain.com/
in your web browser and check for the green lock icon in the URL bar. You can also use an external website or tools to check if your SSL certificate is installed properly.
6. Verifying Certbot Auto-Renewal
SSL certificates provided by Let’s Encrypt are valid only for 90 days. The Certbot we have installed will set a cronjob that will take care of renewing any SSL certificate that is within thirty days of expiration. To check the status of this service, you can execute the command:
sudo systemctl status certbot.timer
Output: ● certbot.timer - Run certbot twice daily Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled) Active: active (waiting) since Thu 2021-06-11 11:33:00 UTC; 1h 37min ago Trigger: Thu 2021-06-11 15:52:01 UTC; 2h 41min left Triggers: ● certbot.service
or you can list all of the timers with:
sudo systemctl list-timers
You can test automatic renewal for your certificates by executing this command:
sudo certbot renew --dry-run
and the command to renew the SSL certificate can be found in one of the following locations:
/etc/crontab/ /etc/cron.*/*
Congratulations! You have successfully installed a free Let’s Encrypt SSL certificate for your domain.
In this article, we showed you how to install the Apache2 web server and Certbot, as well as how to create an Apache Virtual Host, and of course, install an SSL certificate for your domain. Your website should now be secure and automatically renew to stay that way.
Of course, if you are one of our Managed Ubuntu Hosting customers, you don’t have to install a Let’s Encrypt SSL certificate for your domain on your own – simply ask our admins, sit back, and relax. Our admins will install a Let’s Encrypt SSL certificate on your Ubuntu 20.04 VPS for you immediately, along with many useful optimizations that we can do for you.
If you liked this post about how to install Let’s Encrypt on Ubuntu 20.04 with Apache, please share it with your friends on social networks or simply leave a comment in the comments section. Thanks.
Great guide