This article explains how to enable Apache Web Server on Ubuntu Linux for secured SSL connections with Let's Encrypt certificates.
Be aware that this description is specifically for our AIRIX.NET infrastructure and AIRIX.NET internal. It is not suitable for absolute beginners.
Prerequisites
The starting point is an installed Apache Web Server running on Ubuntu Linux and an HTTP website that is already online (with port 80 open). To fulfil this prerequisite you may want to refer to the article Install Apache Web Server.
As always, you need Secure Shell (SSH) access to the server and basic Linux command line knowledge.
Introduction
Let’s Encrypt is a Certificate Authority (CA) that facilitates obtaining and installing free TLS/SSL certificates to enable encrypted HTTPS on web servers.
In addition, it streamlines the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.
In this guide the focus is on Apache Web Server on Ubuntu Linux, and we use Certbot to obtain a free SSL certificate with automated renewals.
Installing Certbot
Log in to the Ubuntu console and enter:
sudo apt update
sudo apt install certbot python3-certbot-apache
With this, Certbot is installed on the Ubuntu server.
Checking Apache Virtual Host Configuration
Allow HTTPS traffic in Firewall
This step depends on the server setup. If the Apache Web Server is running on an Amazon Lightsail based cloud instance, create the firewall rule in the Lightsail console. You will find it in the instance's Networking tab, under the Firewall section, and you may want to enable it for both IPv4 and IPv6.
Add the pre-defined HTTPS rule for port 443.
If you are not on Amazon Lightsail and have the UFW firewall enabled, adjust the settings to allow HTTPS traffic in UFW.
Obtain an SSL Certificate
Certbot provides a variety of ways to obtain SSL certificates through plugins. The Apache plugin will take care of reconfiguring Apache and reloading the configuration whenever necessary. To use this plugin, run the following:
sudo certbot --apache
This script will prompt you to answer a series of questions in order to configure your SSL certificate. First, it will ask you for a valid email address. This email will be used for renewal notifications and security notices. After providing your email address, press ENTER to proceed to the next step.
You will then be prompted to confirm if you agree to Let’s Encrypt terms of service. You need to confirm, otherwise a certificate won't be issued.
Next, you’ll be asked if you would like to share your email with the Electronic Frontier Foundation to receive news and other information. If you do want to subscribe to their content, enter Y and press ENTER; if not, enter N.
The next step will prompt you to tell Certbot which domains you’d like to activate HTTPS for. The listed domain names are automatically obtained from your Apache virtual host configuration, so it’s important to make sure you have the correct ServerName and ServerAlias settings configured in your virtual host. If you’d like to enable HTTPS for all listed domain names (recommended), you can leave the prompt blank and press ENTER to proceed. Otherwise, select the domains you want to enable HTTPS for by listing each appropriate number, separated by commas and/or spaces, then press ENTER.
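To review those ServerName and ServerAlias settings before running Certbot, the following added example (not part of the original article and not Certbot's own code) lists the names each VirtualHost block declares and marks blocks that have no ServerName. The function names, the temporary sample file and the example.com domains are assumptions made up for the illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise the names declared in each <VirtualHost> block.

# vhost_names FILE -> one line per block: "<address> <ServerName|MISSING> [aliases...]"
vhost_names() {
  awk '
    { sub(/^[ \t]+/, ""); sub(/\r$/, "") }       # trim indentation and CR
    /^#/ { next }                                 # commented-out directives do not count
    tolower($1) == "<virtualhost" {               # block opens, e.g. <VirtualHost *:80>
      inblock = 1; addr = $2; sub(/>$/, "", addr)
      name = "MISSING"; aliases = ""; next
    }
    inblock && tolower($1) == "servername"  { name = tolower($2); next }
    inblock && tolower($1) == "serveralias" {     # may list several names
      for (i = 2; i <= NF; i++) aliases = aliases " " tolower($i)
      next
    }
    inblock && tolower($1) == "</virtualhost>" {  # block closes: print summary
      print addr " " name aliases; inblock = 0
    }
  ' "$1"
}

# count_unnamed FILE -> number of blocks without an active ServerName
count_unnamed() { vhost_names "$1" | grep -c ' MISSING' || true; }

# Constructed sample config: the second block has its ServerName commented out.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
<VirtualHost *:80>
    ServerName Example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example
</VirtualHost>
<VirtualHost *:80>
    # ServerName shop.example.com
    DocumentRoot /var/www/shop
</VirtualHost>
EOF

vhost_names "$sample"
echo "blocks without ServerName: $(count_unnamed "$sample")"
```

On a real server, pass the path of your site's virtual host file instead of the sample and correct any block reported as MISSING before starting Certbot.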
After this step, Certbot’s configuration is finished and the certificate should have been obtained ("Successfully received certificate"). You will also see the expiry date of the new certificate and the paths where the certificate and the key have been saved:
Certificate is saved at: /etc/letsencrypt/live/yourdomain.tld/fullchain.pem
Key is saved at: /etc/letsencrypt/live/yourdomain.tld/privkey.pem
Based on the initial Virtual Host configuration file for your domain, the installer creates a separate Virtual Host configuration file for SSL: yourdomain-le-ssl.conf.
When reloading your web site in the browser using http:// it should now show the properly secured result.
Conclusion
With that you have your website running in secured mode! Congratulations!