Skip to content

Secure Apache In No Time, For Free, With an SSL Certificate From Let’s Encrypt!

Recently, I found out about a non-profit organization called Let’s Encrypt, which came into existence earlier this year.  Let’s Encrypt is a publicly trusted certificate authority that issues FREE SSL certificates.  The SSL Certificates are fully functional and extremely easy to request and install.  In fact, using Let’s Encrypt, it only takes about a minute to request and install an SSL certificate on Apache via the Linux command line, using a few simple commands.  If you have a Linux server(s) running any sort of public facing web server, there is no reason not to do this right now.  Here’s how to do it on Ubuntu 16.04 (although it should be the same process on any version of Ubuntu)!

 

Prerequisites

To install an SSL certificate from Let’s encrypt using this guide, you will need a couple things.

  • A server running Ubuntu 16.04 (although this should work on any version of Ubuntu)
  • Apache installed with a domain name(s) that is resolvable to the IP of the server.
    • If you are hosting multiple domains, you will need to be sure you have Virtual Hosts configured that properly specify the ServerName variable.

 

Install the Let’s Encrypt Client

 

To make things easy, there is a client available, based on python, that will do all of the hard work for you.  The package is called python-letsencrypt-apache.  Let’s use Aptitude to install it.

 


#  sudo apt-get update

# sudo apt-get install python-letsencrypt-apache

 

The client is now installed and we can move on to setting up the SSL certificate.

Requesting & Installed the SSL Certificate

 

The Let’s Encrypt client will automatically request, obtain, and install an SSL certificate that will be valid for whichever domain(s) you specify.

To request and install a domain for a single domain (base domain as well as www.) hosted on your server, you simply need to run one command. (be sure to replace yourdomain.com with your actual domain name)

 


#  letsencrypt --apache -d yourdomain.com -d www.yourdomain.com

 

First, you will be asked for a valid email address.

 

letsencryp1

 

Next, you can select whether or not your would like Apache to redirect http requests to https.  basically, if someone goes to http://yourdomain.com they will be autoredirected to https://yourdomain.com.  I suggest selecting “Secure” so all connections are secured with https, unless you have a reason not to.

 

letsencryp2

 

That’s it!  Yes, it’s that easy.  And it’s even installed and configured in Apache now, automatically.

 

letsencryp4

 

If you need to install an SSL certificate that is valid for more than one domain name hosted on your server, you simply use the -d switch to specify each one, like this.  (obviously you need to replace yourdomain.com, seconddomain.com and so on with your domain names, just be sure your base domain name is first.)

 


#  sudo letsencrypt --apache -d yourdomain.com -d seconddomain.com -d thirddomain.com

 

Now that you’re ssl certificate is installed, let’s make sure it’s working properly.  Open a fresh browser window and navigate to https://yourdomain.com  or  use the free ssllabs service to fully test your domain.  To use ssllabs, replace yourdomain.com in the link below with your actual domain name.

 

https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com&latest

 

Mine looks like this.

 

letsencryp5

 

Last Step – Auto Renewal

 

Let’s Encrypt certificates are only valid for 90 days.  That might seem like a short amount of time, but you can always renew your SSL certificate before 90 days.  You may be thinking “I don’t want to  have to do this every 90 days, what a pain!!!!”  The good news is, we’re going to automate it, so you don’t have to!

 

To manually renew your Let’s Encrypt certificate, this is the command that would do so.

 


#  sudo letsencrypt renew

 

We don’t need to run it right now.  If you did, it would let you know it’s not due for renewal yet and skip the renewal.  If you were within 30 days of your exipration date, it would automatically renew your certificate with no intervention.

To automate this process, so it renews forever, we will add a single line to crontab, which will run the renewal command automatically, once a week.  When it’s within 30 days of expiration, it will automatically renew and will require no effort on your part.  Let’s go ahead and open crontab.

 


#  sudo crontab -e

 

You might be asked to select an editor.  If so, I highly suggest nano.  It’s like notepad, and all you will need to do to exit is a Ctrl-X, Y, Enter.  I will hit enter to select nano, because it’s the default (2).

 

letsencryp6

 

At the bottom of your crontab, add the following line.

 

30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log

 

Here is what mine looks like.

 

letsencryp7

 

After adding the new crontab entry, do a Ctrl-X, then hit Y (to save), then Enter.  Now your certificate will attempt to auto-renew every Monday at 2:30am.  Also, it will log all results to a log file in /var/log/le-renew.log.

 

Summary

 

So, we have installed the Let’s Encrypt client, requested & installed a new SSL certificate, and configured crontab to run an auto renewal every week.  Remember, the certificate will only renew when it’s in the 60-90 day window, so it will simply skip the renewal every time it’s automatically ran until then.  This is a great hands-off way to set things up so you don’t have to continually renew manually.  I hope you found this tutorial helpful.  If you ran into any problems, need help, or just want to say hi, please leave a comment below!  Thanks!