Configuring Let’s Encrypt SSL Cert on Apache and Ubuntu 18.04

Let’s Encrypt is a certificate authority that provides free SSL certificates that are just as secure as current paid certificates. In this guide we will configure an SSL certificate for Apache on Ubuntu 18.04.

Prerequisites

You should be using a non-root user with sudo privileges as explained in Ubuntu 18.04 Initial Server Setup.

You should also have Apache already installed and serving web pages before continuing with this guide. Please see Installing Apache on Ubuntu 18.04.

1. Install Let’s Encrypt client (Certbot)

Add the Certbot PPA to your package sources. Certbot is the Let’s Encrypt client.

sudo add-apt-repository ppa:certbot/certbot

Press ENTER if prompted.

Now update the package list and install Certbot.

sudo apt update
sudo apt install python-certbot-apache

Press y and ENTER when prompted to continue.

2. Get an SSL Certificate

We will now obtain a cert for our test domain example.com. If you want to use the www prefix for your domain, you will need to obtain a cert for that as well. Even if you’re only redirecting www.example.com to example.com using .htaccess, for example, you will still need a separate cert for the www subdomain. Use -d to add even more domains or subdomains if you wish.

sudo certbot --apache -d example.com -d www.example.com

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Enter an email address where you can be contacted in case of urgent renewal and security notices.

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:

Press a and ENTER to agree to the Terms of Service.

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:

Press n and ENTER to not share your email address with EFF.

You will be able to choose between enabling both http and https access or forcing all requests to redirect to https. It is usually safest to require https, unless you have a specific need for unencrypted http traffic.

A successful install will look similar to the output below.

Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/example.com-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate for example.com to VirtualHost /etc/apache2/sites-available/example.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/example.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-available/example.com.conf to ssl vhost in /etc/apache2/sites-available/example.com-le-ssl.conf

3. Test SSL

You can now go to ssllabs.com/ssltest/ and run an SSL test on your domain.

A successful test should receive an A rating.

4. Auto Renewal

As Let’s Encrypt certs expire after 90 days, they need to be checked for renewal periodically. Certbot will automatically run twice a day and renew any certificate that is within thirty days of expiration.

To test that this renewal process is working correctly, you can run:

sudo certbot renew --dry-run
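
To confirm from the server itself that the twice-daily renewal is keeping up, the following added example (not part of the original guide or of Certbot) reports any certificate that has fewer than thirty days left. The function names are illustrative, /etc/letsencrypt/live is assumed to be Certbot's certificate directory, and the demo certificates are self-signed samples constructed by the script.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): report certificates that are
# already inside the 30-day renewal window described above.
RENEW_WINDOW_DAYS=30

# Exit status: 0 = expires within the window, 1 = healthy, 2 = unreadable.
cert_needs_renewal() {
    local pem="$1" days="${2:-$RENEW_WINDOW_DAYS}"
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -in "$pem" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Walk a Certbot "live" directory and print each certificate that is overdue.
# Returns 1 if any certificate is overdue or unreadable, otherwise 0.
audit_live_dir() {
    local live="${1:-/etc/letsencrypt/live}" status=0 dir rc
    for dir in "$live"/*/; do
        [ -f "${dir}fullchain.pem" ] || continue
        rc=0
        cert_needs_renewal "${dir}fullchain.pem" || rc=$?
        case $rc in
            0) echo "OVERDUE $(basename "$dir")"; status=1 ;;
            2) echo "UNREADABLE $(basename "$dir")"; status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample data: a fake "live" tree with self-signed certificates
# (10 and 90 days of validity), so nothing under /etc/letsencrypt is touched.
make_demo_live_dir() {
    local root name days
    root=$(mktemp -d)
    for name in stale.example:10 fresh.example:90; do
        days=${name#*:}; name=${name%%:*}
        mkdir -p "$root/$name"
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=$name" -keyout "$root/$name/privkey.pem" \
            -out "$root/$name/fullchain.pem" >/dev/null 2>&1
    done
    echo "$root"
}

demo=$(make_demo_live_dir)
audit_live_dir "$demo" || echo "renewal needs attention"
rm -rf "$demo"
```

On a real server, call audit_live_dir with no argument as root, since /etc/letsencrypt/live is not readable by ordinary users.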

Let me know in the comments if this helped. Follow me @DevAnswers or read more.


Feedback


15 replies

I entered the following:

sudo certbot --apache -d devtest1.com -d www.devtest1.com -d www.example.com

I entered my email. I agreed to the terms and conditions. I said no to EFF. But then I couldn't obtain any certificate:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for devtest1.com
http-01 challenge for http://www.devtest1.com
http-01 challenge for http://www.example.com

Should be

sudo certbot --apache -d example.com -d www.example.com

Where example.com is your own domain.

thanks for the reply. I went back and tried that. Got this for both domains:

Failed authorization procedure...
IMPORTANT NOTES:
-The following errors were reported by the server:
Domain: www.pilbemaps.com
Type: None
Details: DNS problem: NXDOMAIN looking up A for www.pilbeamaps.com

I started over from the top of this page. Same thing. I did a:

sudo apt autoremove

then started from the top again. Same error.

The guides @DevAnswers are the best I have ever seen. I have been able to get my site up and running and secure thanks to this site. Cannot praise you guys enough. Thanks. By the way I was prompted for my email.

Brilliant, thanks for that. So much easier than the way I have done it before.

For me, it didn’t ask me for my e-mail address. Maybe they just send it to the “domain”? I simply got this message.

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/**********/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/**********/privkey.pem
Your cert will expire on 2018-12-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the “certonly” option. To non-interactively renew all of
your certificates, run “certbot renew”

Yes, they’ve improved certbot a lot over the past year. Much easier to set up now.

I’m not sure why it’s not asking for email though, perhaps they changed it, or if you’ve run certbot before it might already have your email.

Excellent article. I have one query. I have set up two domains on a single DigitalOcean droplet. I installed Let’s Encrypt SSL on both domains. Now https://Domain1.com is working fine but https://Domain2.com is showing the content of https://Domain1.com. Both are working fine on the HTTP version, but I’m getting the above issue when I open them on HTTPS. After spending a whole day on Google, I found that there is some problem with the configuration in the 000-default.conf file, but I don’t know what the proper configuration is.
Any help would save me another day.
Thank you

It could be many things and very difficult to know without looking at your setup, but most probably your virtual hosts aren’t configured properly.

All I can suggest is that you start from scratch and follow my guide Installing Apache on Ubuntu 18.04 with Multiple Domains, then come back to this guide and run Certbot again to obtain your certs. Certbot should find your multiple domains and configure your Apache virtual hosts for you.

Hmmm, pity! 🙁 I got an error on the website.

Assessment failed: Unable to connect to the server

Excellent tutorial. Concise and to the point.

Thank you muchly.