Let’s start with the installation – it is a simple installation and will not take long.
Prerequisites
For the purposes of this tutorial, we will use an Ubuntu 20.04 VPS.
User with sudo privileges or full SSH root access is required. All of our VPSes come with root access.
A valid domain name pointed to your server’s IP address. In this tutorial, we will use domain.com as an example.
1. Install Certbot
As mentioned earlier, we will be using Certbot so that we can get a free SSL certificate from Let’s Encrypt. To install this useful tool, we need to enable the universe repository:
sudo apt install software-properties-common sudo add-repository universe sudo apt update
Run this command on the command line on the machine to install Certbot.
sudo apt install certbot python3-certbot-apache
2. Generate a Free Let’s Encrypt SSL Certificate
There are many ways to obtain an SSL certificate with Certbot. We will use the Apache plugin, which will take care of reconfiguring Apache’s Virtual Host and will reload the new configuration for us. You can run the following command to use the plugin:
sudo certbot --apache
Using this script, you need to answer a series of questions and provide an email address. In the first step, you need to type a valid email address. The email address is required for notifications and security notices regarding your website’s certificate:
Output: Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): [email protected]
The next step is to confirm that you agree to the Let’s Encrypt terms of service. If you want to confirm, just type A and then press [ENTER]:
Output: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: A
If you want to share the provided email address with the EFF (Electronic Frontier Foundation) to receive news and other information, you can type Y. If you do not want to receive this type of email, you can type N and submit your answer by typing [ENTER].
Output: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: N
Now you need to select the domain you would like to activate HTTPS for. The domains and subdomains listed on your command prompt are automatically obtained from your Apache virtual host configuration. Type the numbers separated by commas and/or spaces, or if you’d like to enable HTTPS for all of the domains or subdomains, you can leave the prompt blank. Either way, you then press [ENTER] to proceed to the next step.
Output: Which names would you like to activate HTTPS for? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: domain.com 2: www.domain.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):
The output will be similar to this:
Output: Obtaining a new certificate Performing the following challenges: http-01 challenge for domain.com http-01 challenge for www.domain.com Waiting for verification... Cleaning up challenges Created an SSL vhost at /etc/apache2/sites-available/domain.com-le-ssl.conf Deploying Certificate to VirtualHost /etc/apache2/sites-available/domain.com-le-ssl.conf Enabling available site: /etc/apache2/sites-available/domain.com-le-ssl.conf
Certbot provides HTTPS redirection as an option that you can enable. In this step, the script will prompt you to select if you want the entire HTTP traffic to be redirected to HTTPS or to keep the current configuration. Select 1 if you do not want redirection or 2 to enable redirection, then press [ENTER].
Output: Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Great job. Your SSL certificate is now installed and loaded in the Apache configuration. You will see output similar to the following:
Output: Redirecting vhost in /etc/apache2/sites-enabled/domain.com.conf to ssl vhost in /etc/apache2/sites-available/domain.com-le-ssl.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully enabled https://domain.com You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=domain.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/domain.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/domain.com/privkey.pem Your cert will expire on 2021-09-09. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew <strong>all</strong> of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
To verify that your new SSL certificate is set up correctly, visit https://domain.com/ in your web browser and check for the green lock icon in the URL bar. You can also use an external website or tools to check if your SSL certificate is installed properly.
3. Verifying Certbot Auto-Renewal
SSL certificates provided by Let’s Encrypt are valid only for 90 days. The Certbot we have installed will set a cronjob that will take care of renewing any SSL certificate that is within thirty days of expiration. To check the status of this service, you can execute the command:
sudo systemctl status certbot.timer
Output: ● certbot.timer - Run certbot twice daily Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled) Active: active (waiting) since Thu 2021-06-11 11:33:00 UTC; 1h 37min ago Trigger: Thu 2021-06-11 15:52:01 UTC; 2h 41min left Triggers: ● certbot.service
or you can list all of the timers with:
sudo systemctl list-timers
You can test automatic renewal for your certificates by executing this command:
sudo certbot renew --dry-run
and the command to renew the SSL certificate can be found in one of the following locations:
/etc/crontab/ /etc/cron.*/*
Congratulations! You have successfully installed a free Let’s Encrypt SSL certificate for your domain.
Src::https://www.rosehosting.com/blog/how-to-install-lets-encrypt-on-ubuntu-20-04-with-apache/
