Introduction
In this guide, we’ll walk through obtaining and installing a Let’s Encrypt SSL certificate for Apache on Ubuntu 20.04 and ensuring automatic renewal for continuous protection.
Prerequisites
To proceed with this guide, you’ll require the following:
- An Ubuntu 20.04 server configured following the initial server setup instructions for Ubuntu 20.04. Ensure you have created a sudo-enabled user and configured a firewall.
- A registered domain name. Throughout this tutorial, we’ll use “your_domain” as an example. You can obtain a domain name from various registrars like Namecheap or Freenom or choose your preferred domain registrar.
- DNS records configured for your server:
  - An A record pointing your_domain to your server’s public IP address.
  - An A record pointing www.your_domain to your server’s public IP address.
- Apache installed on your Ubuntu 20.04 server per the instructions outlined in “How To Install Apache on Ubuntu 20.04”. Ensure you have set up a virtual host file for your domain, such as /etc/apache2/sites-available/your_domain.conf.
Step-by-Step Guide
Step 1 — Installing Certbot
The initial step in acquiring an SSL certificate from Let’s Encrypt involves installing the Certbot software on your server. This process utilizes the default Ubuntu package repositories.
Two packages are required: certbot and python3-certbot-apache. The latter acts as a plugin, seamlessly integrating Certbot with Apache. This integration facilitates the automation of certificate acquisition and HTTPS configuration within your web server, streamlining the process into a single command.
```bash
sudo apt install certbot python3-certbot-apache
```
Step 2 — Reviewing Your Apache Virtual Host Configuration
To enable Certbot to obtain and configure SSL for your web server automatically, the correct virtual host must be located within your Apache configuration files. The ServerName and ServerAlias directives within your VirtualHost configuration block provide the necessary domain information.
You should configure a VirtualHost block for your domain in the file located at /etc/apache2/sites-available/your_domain.conf.
To verify, open the virtual host file associated with your domain in a text editor like Nano.
```bash
sudo nano /etc/apache2/sites-available/your_domain.conf
```
Check for the presence of the ServerName and ServerAlias lines. They should resemble the following:
If your ServerName and ServerAlias match this setup, you can exit the text editor and proceed to the next step. If you’re using nano, exit by pressing CTRL+X, then confirm by typing Y and pressing ENTER.
If your current virtual host configuration differs from the example provided, update it accordingly. After making the necessary changes, save the file and exit the editor. You can then verify your modifications by running the following command:
```bash
sudo apache2ctl configtest
```
Verify that you receive a “Syntax OK” response. Review your virtual host file to fix any typos or missing components if an error occurs. Once the syntax of your configuration file is confirmed as correct, reload Apache to implement the changes:
```bash
sudo systemctl reload apache2
```
With these adjustments, Certbot can identify the VirtualHost block and perform necessary updates accurately.
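The by-eye check from this step can also be scripted. The following is an added example, not part of the original guide: `sample_vhost`, `vhost_names` and `check_vhost` are hypothetical helper names, and the sample virtual host is constructed to mirror the guide's your_domain placeholder.

```shell
#!/usr/bin/env bash
# Added example: list the hostnames an Apache virtual host file declares via
# ServerName / ServerAlias, i.e. the names Certbot reads from the VirtualHost.

# Constructed sample input using the tutorial's your_domain placeholder.
sample_vhost() {
cat <<'EOF'
<VirtualHost *:80>
    # ServerName old.example   (commented out, must be ignored)
    ServerName your_domain
    serveralias www.your_domain
    DocumentRoot /var/www/your_domain
</VirtualHost>
EOF
}

# vhost_names FILE -> one declared hostname per line, in file order.
# Apache directive names are case-insensitive, and a single ServerAlias
# line may carry several names.
vhost_names() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        { d = tolower($1) }
        d == "servername"  { print $2 }
        d == "serveralias" { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# check_vhost FILE NAME... -> exit status 0 only if every NAME is declared.
# Missing names are reported on stderr.
check_vhost() {
    file=$1; shift
    declared=$(vhost_names "$file")
    missing=0
    for name in "$@"; do
        if ! printf '%s\n' "$declared" | grep -qxF -- "$name"; then
            echo "missing in $file: $name" >&2
            missing=1
        fi
    done
    return "$missing"
}
```

On a real server, call it as `check_vhost /etc/apache2/sites-available/your_domain.conf your_domain www.your_domain` before running Certbot.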
Step 3 — Configuring the Firewall for HTTPS Traffic
If you’ve activated the UFW firewall, as advised in our prerequisite guides, you must make adjustments to permit HTTPS traffic. When Apache is installed, it registers various UFW application profiles. We can utilize the “Apache Full” profile to enable HTTP and HTTPS traffic on your server.
To inspect the current traffic allowances on your server, execute:
```bash
sudo ufw status
```
If you’ve followed one of our Apache installation guides, your output should look similar to the example below, showing that only HTTP traffic on port 80 is currently allowed:
To additionally permit HTTPS traffic, enable the “Apache Full” profile and remove the redundant “Apache” profile:
Your status will now reflect the following changes:
With these adjustments, your server can execute Certbot and procure your SSL certificates.
Step 4 — Obtaining an SSL Certificate
Certbot offers various methods for acquiring SSL certificates through its plugins. The Apache plugin simplifies the process by automatically reconfiguring Apache and reloading the configuration as needed. To utilize this plugin, execute the following command:
```bash
sudo certbot --apache
```
This command starts a series of prompts to set up your SSL certificate. First, enter a valid email address, which is used for renewal notifications and security alerts.
After entering the email address, press ENTER to proceed. You’ll then be asked to agree to Let’s Encrypt’s terms of service. Confirm by typing ‘A’ and then pressing ENTER:
Following this, you’ll be prompted to decide whether you wish to share your email with the Electronic Frontier Foundation (EFF) for receiving updates and news. Select ‘N’ if you prefer not to, or ‘Y’ if you do, and then press ENTER:
```
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: N
```
Next, Certbot will ask you to choose which domains you wish to secure with HTTPS. It automatically retrieves these domain names from your Apache virtual host configuration. Verify that the ServerName and ServerAlias settings in your virtual host are accurate. At the prompt, you can press ENTER to enable HTTPS for all the displayed domains, or enter the numbers corresponding to specific domains, separated by commas or spaces, and then press ENTER.
The output will resemble the following:
```
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for your_domain
http-01 challenge for www.your_domain
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/your_domain-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/your_domain-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/your_domain-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/your_domain-le-ssl.conf
```
Following that, you’ll encounter a prompt allowing you to decide whether to redirect HTTP traffic to HTTPS. This choice determines whether visitors accessing your site via unencrypted channels (HTTP) are automatically forwarded to the HTTPS version. Opt for option 2 to activate redirection, ensuring all traffic is securely encrypted, or select option 1 to maintain HTTP and HTTPS as distinct access methods for your website.
```
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
```
Upon completing these steps, the configuration process for Certbot is finalized. You’ll receive final remarks regarding your newly acquired certificate, including details on the location of the generated files. Instructions on testing your configuration using an external tool to assess your certificate’s authenticity will also be provided.
```
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://your_domain and
https://www.your_domain

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=your_domain
https://www.ssllabs.com/ssltest/analyze.html?d=www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your cert will expire on 2020-07-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
Conclusion
In summary, following the steps outlined in this guide, you have successfully secured your Apache web server with a Let’s Encrypt SSL certificate on Ubuntu 20.04. This setup ensures that the data exchanged between your server and its users remains confidential and intact, enhancing trust and boosting the security of your website.
FAQs
1. What is the validity period of a Let's Encrypt SSL certificate, and when should I renew it?
ANS: – Let’s Encrypt SSL certificates have a 90-day validity period. To avoid interruptions in your website’s HTTPS security, you must schedule the renewal process every 60 days.
2. What steps should I take if the automatic renewal of my SSL certificate fails?
ANS: – If you face problems with automatic renewal, start by checking the log files created by Certbot, typically found in /var/log/letsencrypt.
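A failed renewal first shows up as a certificate with less lifetime left than the schedule in FAQ 1 allows, so it is worth checking the certificate itself as well as the logs. The following is an added example, not part of the original guide: `cert_status` and `make_test_cert` are hypothetical helper names, the 30-day default threshold is an assumption derived from the 90-day validity and 60-day renewal figures above, and the test certificate is a constructed throwaway.

```shell
#!/usr/bin/env bash
# Added example: flag a certificate whose remaining lifetime shows that
# scheduled renewal has not happened. Requires the openssl CLI.

# make_test_cert OUT DAYS
# Constructed test input: a throwaway self-signed certificate valid for DAYS.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=your_domain" \
        -days "$2" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# cert_status CERT [MIN_DAYS]
# Prints one of: ok | renewal-overdue | expired | unreadable
# MIN_DAYS defaults to 30: a 90-day certificate renewed every 60 days
# should never have less than about 30 days left.
cert_status() {
    cert=$1
    min_days=${2:-30}
    # -checkend also exits non-zero for a missing or malformed file, so
    # rule that case out first instead of reporting it as "expired".
    if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null; then
        echo expired
    elif ! openssl x509 -noout -checkend "$((min_days * 86400))" \
            -in "$cert" >/dev/null; then
        echo renewal-overdue
    else
        echo ok
    fi
}

# Usage on the server (path taken from the Certbot output; needs root):
#   cert_status /etc/letsencrypt/live/your_domain/fullchain.pem
```

Anything other than `ok` is the cue to read /var/log/letsencrypt; `sudo certbot renew --dry-run` exercises the renewal path without replacing the installed certificate.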
WRITTEN BY Samarth Kulkarni