Overview
Let’s Encrypt was the beginning of a movement to encrypt all Internet traffic, as a way to increase security and privacy. Until services like Let’s Encrypt became available, getting certificates for a web application was a costly pursuit, sometimes dwarfing the annual cost of just hosting your application. In this tutorial, you will learn how to use Let’s Encrypt with the Apache web server.
Certbot is the latest tool available from Let’s Encrypt. It is a much simpler solution for automating the process of requesting and installing certificates, compared with the original method.
The following instructions work on standalone Ubuntu 18.04 installations, such as bare metal, virtual machines, and Vagrant boxes. They will also work on Google Compute Engine instances and AWS EC2 instances.
Installing Certbot
Certbot is meant to be installed on the host running your web application. You must have administrative privileges to use this method.
Let’s Encrypt maintains an Ubuntu PPA. The following instructions show you how to add it to your local repositories and then use it to install Certbot.
Add the Let’s Encrypt PPA
sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
Now install the Certbot package and its Apache plugin from the PPA:
sudo apt install certbot python-certbot-apache
Certificate Installation
To request and install Let’s Encrypt certificates for Apache, Let’s Encrypt developed an Apache plugin. The plugin automatically updates your Apache configuration to install the latest certificates.
sudo certbot --apache
When you run the command for the first time, you will be prompted for the following information:
Enter email address (used for urgent renewal and security notices)
Read and then accept the Terms of Service
Since this is your first use of the command and you have not yet created a configuration for it, you will be prompted for the domain names to be added to your certificate. Every name must have a valid A/AAAA record that points to the host you are running the command from.
No names were found in your configuration files. Please enter in your domain name(s) (comma and/or space separated):
The output will look like the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): blog.rigpig.ca
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for blog.rigpig.ca
Enabled Apache rewrite module
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
You will then be prompted to choose whether all HTTP traffic should be redirected to HTTPS. In most cases where you want your traffic to be HTTPS, accepting the redirect is the right choice. However, you may prefer to configure the redirect manually.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Finally, after a successful configuration and certificate request, Certbot prints the following output:
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

Congratulations! You have successfully enabled https://blog.rigpig.ca

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=blog.rigpig.ca

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/blog.rigpig.ca/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/blog.rigpig.ca/privkey.pem
   Your cert will expire on 2019-08-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew all of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Auto Renewal of Certificates
Aside from being able to request certificates for free, certificate renewals are handled automatically. This is the default behaviour of a new Certbot installation, so no further work is needed on your side.
When Certbot is installed, a cron job is created under /etc/cron.d. The cron job runs automatically every 30 days. An example of the cron job is shown below.
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
Listing Certificates
To list all of the installed certificates managed by Certbot, use the following command:
sudo certbot certificates
Found the following certs:
Certificate Name: blog.rigpig.ca
Domains: blog.rigpig.ca
Expiry Date: 2019-08-30 11:41:53+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/blog.rigpig.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/blog.rigpig.ca/privkey.pem
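The listing above is the one place on the host that tells you whether renewal is actually keeping up. The following script, added here as an example (not part of the original tutorial or of Certbot), parses that `certbot certificates` output format and flags any certificate that is invalid or within a chosen number of days of expiry. The embedded sample output is constructed and mirrors the format shown above; the `example.test` and `expired.test` entries are invented for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample in the format printed by `certbot certificates`
# (the blog.rigpig.ca entry mirrors the tutorial; the others are invented).
SAMPLE_CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: blog.rigpig.ca
    Domains: blog.rigpig.ca
    Expiry Date: 2019-08-30 11:41:53+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/blog.rigpig.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/blog.rigpig.ca/privkey.pem
  Certificate Name: example.test
    Domains: example.test www.example.test
    Expiry Date: 2019-06-10 00:00:00+00:00 (VALID: 7 days)
    Certificate Path: /etc/letsencrypt/live/example.test/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.test/privkey.pem
  Certificate Name: expired.test
    Domains: expired.test
    Expiry Date: 2019-01-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/expired.test/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/expired.test/privkey.pem'

# expiring_certs THRESHOLD_DAYS
# Reads `certbot certificates` output on stdin and prints one line,
# "<certificate name> <days left>" or "<certificate name> INVALID", for
# every certificate that is not valid or has THRESHOLD_DAYS or fewer
# days left. Prints nothing when everything is comfortably valid.
expiring_certs() {
  awk -v threshold="$1" '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ {
      if ($0 ~ /\(VALID: [0-9]+ day/) {
        # Extract the number after "VALID: " (7 characters long).
        match($0, /VALID: [0-9]+/)
        days = substr($0, RSTART + 7, RLENGTH - 7) + 0
        if (days <= threshold) printf "%s %d\n", name, days
      } else {
        # Anything not reported as VALID (EXPIRED, TEST_CERT, ...) needs attention.
        printf "%s INVALID\n", name
      }
    }'
}

# With --live, inspect the real host instead of the constructed sample
# (requires the same privileges as `sudo certbot certificates`).
if [ "${1:-}" = "--live" ]; then
  certbot certificates 2>/dev/null | expiring_certs "${2:-30}"
else
  printf '%s\n' "$SAMPLE_CERTBOT_OUTPUT" | expiring_certs "${1:-30}"
fi
```

Run it from cron or a monitoring check; a non-empty output at the 30-day threshold means the automatic renewal described above has not fired and should be investigated with `certbot renew --dry-run`.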
CloudFlare DNS Support
The instructions above for registering domain names for certificates will not work with CloudFlare. Certbot expects the domain name to resolve directly to the IP address of the Apache server, which is not the case when CloudFlare is acting as your DNS name server.
To enable CloudFlare support, install the Certbot CloudFlare DNS plugin:
sudo apt install python3-certbot-dns-cloudflare