Installing a free SSL certificate (HTTPS) for Apache2 on Ubuntu 18.04

An SSL certificate is one of the most important things to take care of when improving the security of your website. And since the most popular browsers started marking websites without a certificate as insecure, its importance has increased even further. In this post, I’m going to show you how to obtain a free SSL certificate from the nonprofit Certificate Authority (CA) Let’s Encrypt. On February 27, 2020, Let’s Encrypt announced that they had issued their billionth certificate.

Free certificates are usually sufficient for private blogs or for communication inside an internal network, for example in a microservices architecture. In other cases, I highly recommend buying a commercial certificate.

Installing Certbot

We are going to use Certbot to automatically obtain and install an SSL certificate. In order to install the latest version of Certbot, we have to add a repository as a source.

sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get update
sudo apt-get install -y python-certbot-apache

Update for Ubuntu 20.04

If you are using Ubuntu 20.04, you don’t have to add an external repository. You do have to use the Certbot plugins compatible with Python 3. To install Certbot and the Apache plugin, execute the commands below instead of the ones above.

sudo apt-get update
sudo apt-get -y upgrade
sudo apt install -y certbot python3-certbot-apache

Obtaining a certificate

For the purposes of this post, I assume you have already installed the Apache2 server and configured the virtual host. An example of the most basic virtual host configuration is shown below:

<VirtualHost *:443>
    ServerAdmin admin@your-domain.com
    ServerName your-domain.com
    DocumentRoot /var/www/your_project

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

You also have to enable the Apache SSL module and restart your server.

sudo a2enmod ssl
sudo service apache2 restart

Now that we have our virtual host prepared and Certbot installed, we can finally generate the certificate.

sudo certbot --apache -d your-domain.com

If you are generating a new certificate rather than expanding an existing one, you will be asked for your email address and to accept the license agreement. Make sure that the email you provide is correct. It’s important for security reasons.

In the last step, you need to decide whether or not to redirect all HTTP requests to HTTPS.

Expanding existing certificate

When you need to create a new subdomain, you don’t have to generate a new certificate; you can just expand the existing one.

sudo certbot --apache -d your-domain.com -d subdomain.your-domain.com

Then you will be asked if you want to expand your certificate. Just type “E”.

Renewing certificates

Certificates issued by Let’s Encrypt are valid for 90 days. The easiest way to keep your certificates valid is to add the Cron job below to your crontab. It automatically executes the required commands twice a month and refreshes all certificates that expire in less than 30 days. Make sure that your user has sufficient permissions, or add this job to the root user’s crontab.

0 2 */15 * * certbot renew --renew-hook "service apache2 restart"
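
One way to check that the renewal job is actually working, as an added example that is not part of the original post: the function below reads the output of certbot certificates and lists every certificate that is invalid or closer to expiry than the 30-day renewal window allows. The 20-day threshold and the names other.example and old.example are assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): detect a renewal cron job that
# has stopped working. Renewal happens once fewer than 30 days remain, so a
# certificate with noticeably fewer days left was missed by the job.

# Reads `certbot certificates` output on stdin and prints "name: status" for
# each certificate that is invalid or has fewer than $1 days left (default 20).
stale_certs() {
    awk -v min="${1:-20}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # Keep only the parenthesised status, e.g. "VALID: 89 days".
            status = $0
            sub(/^[^(]*\(/, "", status)
            sub(/\).*$/, "", status)
            days = -1                       # INVALID: EXPIRED, REVOKED, ...
            if (status ~ /^VALID: [0-9]+ days?$/) {
                split(status, f, " ")
                days = f[2] + 0
            } else if (status ~ /^VALID: [0-9]+ hour/) {
                days = 0                    # less than one day left
            }
            if (days < min) print name ": " status
        }'
}

# Constructed sample of `certbot certificates` output; other.example and
# old.example are hypothetical names and the dates are made up.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: your-domain.com
    Domains: your-domain.com subdomain.your-domain.com
    Expiry Date: 2020-06-01 02:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/your-domain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/your-domain.com/privkey.pem
  Certificate Name: other.example
    Domains: other.example
    Expiry Date: 2020-07-20 02:00:00+00:00 (VALID: 61 days)
  Certificate Name: old.example
    Domains: old.example
    Expiry Date: 2020-05-01 02:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Demo on the sample; on a server run: sudo certbot certificates | stale_certs 20
sample_output | stale_certs 20
```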

Summary

This tutorial is based on Ubuntu 18.04; however, it should also work on older versions like 16.04 and 14.04. In the future, I plan to create a similar post for the Nginx HTTP server.
