How to Configure Let’s Encrypt SSL on Apache (Ubuntu 16.04 / 17.10)


In this guide we will configure Let’s Encrypt SSL on Apache (Ubuntu 16.04 / 17.10).

Prerequisites

You should be using a non-root user account with sudo privileges. See Initial Server Setup for details.

1. Install Let’s Encrypt client (Certbot)

Add the Certbot PPA to your package sources. Certbot is the Let’s Encrypt client.

sudo add-apt-repository ppa:certbot/certbot

Press ENTER if prompted.

Now update package list and install certbot.

sudo apt-get update
sudo apt-get install python-certbot-apache

2. Get an SSL Certificate

We will now obtain a cert for our domain. If you want to use the www prefix for your domain, you will need to obtain a cert for that name as well. Even if you are only redirecting www.example.com to example.com (using .htaccess, for example), you will still need a cert for the www subdomain. Use additional -d flags to add more domains or subdomains if you wish.

sudo certbot --apache -d example.com -d www.example.com

Follow the instructions. You will be able to choose between enabling both HTTP and HTTPS access or forcing all requests to redirect to HTTPS. It is usually safest to require HTTPS, unless you have a specific need for unencrypted HTTP traffic.

Important Notice (Feb 2018): If you see the error “Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.”, you must read this article before continuing.

A successful install will look similar to the output below.

Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/example.com-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate for example.com to VirtualHost /etc/apache2/sites-available/example.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/example.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-available/example.com.conf to ssl vhost in /etc/apache2/sites-available/example.com-le-ssl.conf

If you have Cloudflare enabled for this domain, log in to Cloudflare, go to Crypto and make sure SSL is set to Full (Strict).

3. Test SSL

You can now go to ssllabs.com/ssltest/ and run an SSL test on your domain.

A successful test should receive an A rating.

4. Auto Renewal

As Let’s Encrypt certs expire after 90 days, they need to be checked for renewal periodically. Certbot will automatically run twice a day and renew any certificate that is within thirty days of expiration.

To test that this renewal process is working correctly, you can run:

sudo certbot renew --dry-run

Cloudflare Users

Please ensure your Cloudflare SSL settings are correct. Log in to Cloudflare, go to Crypto and make sure SSL is set to Full (Strict).

5. Set Up Auto Renewal

As these certs expire after 90 days, we need to schedule a cron job to renew them for us automatically.

Edit the cron tab. We recommend selecting the nano editor if prompted.

sudo crontab -e

Paste the following at the bottom of the file.

15 3 * * * /usr/bin/certbot renew --quiet

The 15 3 * * * part of this line means “run the following command at 3:15 am, every day”. You may choose any time.

Save file and exit. (Press CTRL + X, press Y and then press ENTER)

Cron will now run every day and renew the cert if needed.
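To see the renewal decision the scheduled job relies on (a cert is renewed when it is within thirty days of expiry), here is an added example that is not part of the original guide: it checks a certificate file against that thirty-day window with openssl’s -checkend, and builds constructed self-signed certs to exercise it. The path /etc/letsencrypt/live/example.com/cert.pem is only a placeholder based on Certbot’s usual layout.

```shell
#!/bin/sh
# Added example: decide whether a certificate falls inside the 30-day renewal
# window that "certbot renew" uses. Uses only openssl, so it runs without certbot.
RENEW_WINDOW_DAYS=30

# needs_renewal CERT_FILE
# Returns 0 (true) when the cert expires within RENEW_WINDOW_DAYS, 1 otherwise.
# A missing or unreadable file also counts as "renewal due" (conservative choice).
needs_renewal() {
    cert="$1"
    seconds=$((RENEW_WINDOW_DAYS * 24 * 60 * 60))
    # "openssl x509 -checkend N" exits 0 if the cert is still valid N seconds from now,
    # non-zero if it will have expired by then.
    if openssl x509 -noout -checkend "$seconds" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_test_cert DAYS OUT_FILE
# Constructed self-signed cert for example.com valid for DAYS days; a stand-in for
# the cert Certbot would write to /etc/letsencrypt/live/example.com/cert.pem (placeholder).
make_test_cert() {
    days="$1"; out="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${out}.key" -out "$out" \
        -days "$days" -subj "/CN=example.com" >/dev/null 2>&1
}

# Usage: ./check_renewal.sh /path/to/cert.pem
if [ "$#" -gt 0 ]; then
    if needs_renewal "$1"; then
        echo "$1: renewal due (expires within ${RENEW_WINDOW_DAYS} days)"
    else
        echo "$1: ok (more than ${RENEW_WINDOW_DAYS} days left)"
    fi
fi
```

Running it against the live cert after `certbot renew --dry-run` lets you confirm the job would actually fire when the window is reached, rather than only that Certbot can talk to the CA.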

Let me know in the comments if this helped. Follow me @DevAnswers or buy me a beer 🍺


I’m stuck on “Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.”

Ubuntu 17.10. Any ideas?

Do you have Cloudflare enabled for that domain? If so, log in to Cloudflare, go to Crypto and make sure SSL is set to Full (Strict).