How to Secure Apache with Let's Encrypt on Ubuntu
This tutorial will show you how to secure your Apache web server with free SSL/TLS certificates from Let's Encrypt, enabling HTTPS for your websites.
Prerequisites
- An Ubuntu server with Apache installed
- A registered domain name pointing to your server's public IP
- Apache configured with a virtual host for your domain
- Access to your server's command line with sudo privileges
Step 1 — Installing Certbot
First, update your package list:
sudo apt update
Install Certbot and its Apache plugin:
sudo apt install certbot python3-certbot-apache
Step 2 — Checking your Apache Virtual Host Configuration
Ensure your Apache virtual host is properly configured:
sudo nano /etc/apache2/sites-available/your_domain.conf
Your configuration should look similar to this:
<VirtualHost *:80>
    ServerAdmin webmaster@your_domain
    ServerName your_domain
    ServerAlias www.your_domain
    DocumentRoot /var/www/your_domain
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Important: Make sure the ServerName and ServerAlias directives are set correctly with your domain name.
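A small pre-flight script for this step, added here as an example (it is not part of the original tutorial or of Certbot). It checks the things Certbot's Apache plugin depends on: a VirtualHost on port 80 for the HTTP-01 challenge, a ServerName that is no longer the placeholder, a ServerAlias for the www name, and a DocumentRoot. The two configuration files it creates are constructed so the script runs anywhere; against a real server you would point check_vhost at /etc/apache2/sites-available/your_domain.conf instead.

```shell
#!/bin/sh
# Pre-flight check of an Apache virtual host before running Certbot. Added
# example, not from the original tutorial. Run it against your real file:
#   check_vhost /etc/apache2/sites-available/your_domain.conf
# The two configs below are constructed so the script can run anywhere.

GOOD_CONF=$(mktemp) && BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

# A host that matches the tutorial's template with the placeholders filled in.
cat > "$GOOD_CONF" <<'EOF'
<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF

# A host with the mistakes that make "certbot --apache" fail: wrong port, the
# placeholder never replaced, no ServerAlias for www.
cat > "$BAD_CONF" <<'EOF'
<VirtualHost *:8080>
    ServerName your_domain
    DocumentRoot /var/www/html
</VirtualHost>
EOF

# First value of a directive; comment lines never match because they start with '#'.
vhost_directive() {
    # $1 = config file, $2 = directive name
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# Exit status 0 when the host is ready for the HTTP-01 challenge, 1 otherwise.
check_vhost() {
    conf="$1"
    rc=0

    # Let's Encrypt validates over plain HTTP first, so a port-80 host must exist.
    if grep -qE '^[[:space:]]*<VirtualHost[[:space:]]+[^>]*:80>' "$conf"; then
        echo "ok: <VirtualHost *:80> present"
    else
        echo "FAIL: no VirtualHost on port 80; the HTTP-01 challenge needs it"
        rc=1
    fi

    name=$(vhost_directive "$conf" ServerName)
    if [ -z "$name" ]; then
        echo "FAIL: ServerName missing; the Apache plugin selects the host by ServerName"
        rc=1
    elif [ "$name" = "your_domain" ]; then
        echo "FAIL: ServerName still carries the placeholder 'your_domain'"
        rc=1
    else
        echo "ok: ServerName $name"
    fi

    srvalias=$(vhost_directive "$conf" ServerAlias)
    if [ -z "$srvalias" ]; then
        echo "warn: no ServerAlias; add one if www.$name should be on the certificate too"
    else
        echo "ok: ServerAlias $srvalias"
    fi

    docroot=$(vhost_directive "$conf" DocumentRoot)
    if [ -z "$docroot" ]; then
        echo "FAIL: DocumentRoot missing"
        rc=1
    elif [ ! -d "$docroot" ]; then
        echo "warn: DocumentRoot $docroot does not exist on this machine"
    else
        echo "ok: DocumentRoot $docroot"
    fi
    return $rc
}

# Demonstration on the constructed files:
echo "--- $GOOD_CONF"; check_vhost "$GOOD_CONF" || echo "unexpected failure"
echo "--- $BAD_CONF";  check_vhost "$BAD_CONF"  || echo "not ready for Certbot"
```

Run it before Step 4; a FAIL line is the usual reason "certbot --apache" reports that it could not find a matching virtual host or that the challenge failed, and it is cheaper to fix here than to hit Let's Encrypt's rate limits with repeated attempts.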
Step 3 — Allowing HTTPS Through the Firewall
If you're using the UFW firewall, allow HTTPS traffic:
sudo ufw status
sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'
Step 4 — Obtaining an SSL Certificate
Run Certbot with the Apache plugin:
sudo certbot --apache -d your_domain -d www.your_domain
Note: Replace 'your_domain' with your actual domain name. Include any additional subdomains with extra -d parameters.
During the process, you'll be asked:
- To provide an email address for important notifications
- To agree to the terms of service
- Whether to share your email address with EFF
- Whether to redirect HTTP traffic to HTTPS
Step 5 — Verifying Certbot Auto-Renewal
Let's Encrypt certificates are valid for 90 days. The certbot package installs a systemd timer that renews them automatically before they expire. Verify that the timer is active:
sudo systemctl status certbot.timer
Test the automatic renewal process:
sudo certbot renew --dry-run
Optional: Enhancing Security Settings
Edit your SSL configuration:
sudo nano /etc/apache2/sites-available/your_domain-le-ssl.conf
Add these security headers inside the VirtualHost block:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
Enable the headers module:
sudo a2enmod headers
sudo systemctl restart apache2
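To confirm the headers actually reach clients after the restart, here is an added example (not from the original tutorial) that reads the output of "curl -I" and checks the three headers above: Strict-Transport-Security with a max-age of at least the 31536000 seconds the tutorial sets, X-Frame-Options set to DENY or SAMEORIGIN, and X-Content-Type-Options set to nosniff. The two responses embedded in it are constructed so it runs offline; on a live server you pipe real headers in with "curl -sI https://your_domain | check_security_headers".

```shell
#!/bin/sh
# Check the security headers on an HTTPS response. Added example, not part of
# the original tutorial. Against a live server, pipe real headers in:
#   curl -sI https://your_domain | check_security_headers
# The responses below are constructed so the script runs offline.

# What a host looks like once the "Optional" headers are in place (constructed).
SAMPLE_RESPONSE='HTTP/2 200
date: Mon, 01 Jan 2024 00:00:00 GMT
server: Apache
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
content-type: text/html; charset=UTF-8'

# A host that never got the headers: HSTS absent, a permissive X-Frame-Options
# value, and no X-Content-Type-Options (constructed).
WEAK_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: ALLOWALL
Content-Type: text/html; charset=UTF-8'

# First value of a header, matched case-insensitively (HTTP/2 responses arrive
# lowercase), with the CR that curl keeps and surrounding whitespace removed.
header_value() {
    # $1 = raw response headers, $2 = header name
    printf '%s\n' "$1" | grep -i "^$2:" | head -n 1 | cut -d: -f2- \
        | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Reads response headers on stdin. Exit status 0 when all three headers from
# the tutorial are present with acceptable values, 1 otherwise.
check_security_headers() {
    resp=$(cat)
    rc=0

    hsts=$(header_value "$resp" Strict-Transport-Security)
    max_age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$hsts" ]; then
        echo "FAIL: Strict-Transport-Security missing (browsers are not told to insist on HTTPS)"
        rc=1
    elif [ -z "$max_age" ] || [ "$max_age" -lt 31536000 ]; then
        echo "FAIL: HSTS max-age '$max_age' is below the one year (31536000) the tutorial sets"
        rc=1
    else
        echo "ok: Strict-Transport-Security: $hsts"
    fi

    xfo=$(header_value "$resp" X-Frame-Options | tr '[:lower:]' '[:upper:]')
    case "$xfo" in
        DENY|SAMEORIGIN) echo "ok: X-Frame-Options: $xfo" ;;
        "")  echo "FAIL: X-Frame-Options missing (pages can be framed by other sites)"; rc=1 ;;
        *)   echo "FAIL: X-Frame-Options '$xfo' is not DENY or SAMEORIGIN"; rc=1 ;;
    esac

    xcto=$(header_value "$resp" X-Content-Type-Options | tr '[:upper:]' '[:lower:]')
    if [ "$xcto" = "nosniff" ]; then
        echo "ok: X-Content-Type-Options: nosniff"
    else
        echo "FAIL: X-Content-Type-Options missing or not 'nosniff'"
        rc=1
    fi
    return $rc
}

# Demonstration on the constructed responses:
printf '%s\n' "$SAMPLE_RESPONSE" | check_security_headers || echo "hardened response failed?"
printf '%s\n' "$WEAK_RESPONSE" | check_security_headers || echo "weak response correctly rejected"
```

One caveat on the HSTS line from the tutorial: includeSubDomains commits every subdomain of your_domain to HTTPS for the full max-age, so only keep it if all subdomains are served over HTTPS; otherwise drop that token until they are.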
Troubleshooting Common Issues
Certificate Not Being Issued
- Verify domain DNS settings point to your server
- Ensure ports 80 and 443 are open
- Check Apache virtual host configuration
sudo apache2ctl -t
sudo certbot certificates
Certificate Renewal Failures
Check the Certbot logs:
sudo journalctl -u certbot
Apache Not Starting After SSL Configuration
sudo apache2ctl configtest
sudo journalctl -u apache2.service
Maintenance and Best Practices
Regular Checks
- Monitor certificate expiration dates:
sudo certbot certificates
- Check that HTTPS responds and inspect the response headers:
curl -I https://your_domain
- Verify renewal service is active:
sudo systemctl status certbot.timer
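The expiration check above is easy to automate. The following is an added example (not from the original tutorial or from Certbot) that reads the output of "certbot certificates" and flags any certificate with fewer than 30 days left. Certbot's default is to renew a certificate once it is within 30 days of expiry, so anything below that threshold means the timer did not run or the renewal failed, which is the moment to look at "journalctl -u certbot". The sample output is constructed to match the layout Certbot prints ("Certificate Name:", "Domains:", "Expiry Date: ... (VALID: N days)"); that layout is an assumption about the current Certbot release.

```shell
#!/bin/sh
# Flag Let's Encrypt certificates that are close to expiry. Added example, not
# part of the original tutorial. In practice run it as:
#   sudo certbot certificates 2>/dev/null | check_expiry
# The output below is constructed to match the layout Certbot prints; that
# layout is an assumption about the current Certbot release.

SAMPLE_CERTS='Found the following certs:
  Certificate Name: example.com
    Serial Number: 0123456789abcdef
    Key Type: ECDSA
    Domains: example.com www.example.com
    Expiry Date: 2024-04-01 10:20:30+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: old.example.com
    Serial Number: fedcba9876543210
    Key Type: RSA
    Domains: old.example.com
    Expiry Date: 2024-02-10 10:20:30+00:00 (VALID: 11 days)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem
  Certificate Name: dead.example.com
    Serial Number: 00ff00ff00ff00ff
    Key Type: RSA
    Domains: dead.example.com
    Expiry Date: 2023-12-01 10:20:30+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/dead.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/dead.example.com/privkey.pem
'

# Reads "certbot certificates" output on stdin and prints one line per
# certificate: "<name> <days-left> <state>". Exit status 1 if any certificate
# is invalid or below the threshold (default 30 days, Certbot's own renewal
# point, so anything under it means a renewal did not happen).
check_expiry() {
    threshold="${1:-30}"
    awk -v threshold="$threshold" '
        BEGIN { bad = 0 }
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            days = -1
            # "VALID: 61 days" or "VALID: 1 day"; Certbot switches to hours under one day.
            if (match($0, /VALID: [0-9]+ day/))       { days = substr($0, RSTART + 7, RLENGTH - 11) + 0 }
            else if (match($0, /VALID: [0-9]+ hour/)) { days = 0 }
            if (days < 0)              { state = "INVALID"; bad = 1 }
            else if (days < threshold) { state = "RENEW-OVERDUE"; bad = 1 }
            else                       { state = "ok" }
            print name, days, state
        }
        END { exit bad ? 1 : 0 }
    '
}

# Demonstration on the constructed sample:
printf '%s' "$SAMPLE_CERTS" | check_expiry || echo "at least one certificate needs attention"
```

Run it from cron or a monitoring agent and alert on a non-zero exit status; pass a different threshold as the first argument (for example "check_expiry 20") if you want to leave the timer more time to retry before raising an alarm.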
Managing Multiple Domains
To add additional domains:
sudo certbot --apache -d additional_domain.com -d www.additional_domain.com
To remove a certificate (this deletes the certificate together with every domain on it; use the name shown by certbot certificates):
sudo certbot delete --cert-name your_domain
Conclusion
Your Apache server is now secured with Let's Encrypt SSL/TLS certificates. Remember to:
- Keep your system updated
- Monitor certificate renewals
- Regularly check SSL configuration for security best practices
- Watch for notification emails from Let's Encrypt
- Check official documentation for any changes
Additional Resources
- Let's Encrypt documentation for troubleshooting
- Apache SSL documentation for advanced configuration
- SSL configuration testing tools