Installing a free SSL certificate (HTTPS) for Apache2 on Ubuntu 18.04

SSL certificate is one of the most crucial things you have to take care of to improve the security level of your website. And since the most popular browsers started marking websites without a certificate as insecure, its importance has increased yet. In this post, I’m going to show you how to obtain a free SSL certificate provided by the nonprofit Certificate Authority (CA) called Let’s Encrypt. On February 27, 2020, Let’s Encrypt announced they have issued a billionth certificate.

Free certificates are usually sufficient for private blogs or communication in the internal network e.g. in the microservices architecture. In other cases, I highly recommend buying a commercial certificate.

Installing Certbot

We are going to use Certbot to automatically obtain and install an SSL certificate. In order to install the latest version of Certbot, we have to add a repository as a source.

sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get update
sudo apt-get install -y python-certbot-apache
Update for Ubuntu 20.04

If you are using Ubuntu 20.04, you don’t have to add an external repository. Also, you have to use certbot plugins compatible with Python3. In order to install certbot and apache plugin just execute commands below instead of the ones above.

sudo apt-get update
sudo apt-get -y upgrade
sudo apt install -y certbot python3-certbot-apache

Obtaining a certificate

For the needs of this post, I assume you have already installed the Apache2 server and configured the virtual host. Example of the most basic virtual host configuration below:

<VirtualHost *:443>
    DocumentRoot /var/www/your_project

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

You also have to enable the Apache SSL module and restart your server.

sudo a2enmod ssl
sudo service apache2 restart

Since we have our virtual host prepared and Certbot installed, we can finally generate the certificate.

sudo certbot --apache -d

If you are generating a new certificate, not expanding the existing one, you are going to be asked for your email address and license agreement. Make sure that the email you provided is correct. It’s important for security reasons.

In the last step, you need to decide whether or not to redirect all HTTP requests to HTTPS.

Expanding existing certificate

When you need to create a new subdomain, you don’t have to generate a new certificate, you can just expand the existing one.

sudo certbot --apache -d -d

Then you will be asked if you want to expand your certificate. Just type “E” like on the screenshot below.

Renewing certificates

Certificates issued by Let’s Encrypt are valid for 90 days. The easiest way to keep your certificates valid is by adding below Cron job to your crontab. It is going to automatically execute required commands twice a month and will refresh all your certificates if their expiration date is shorter than 30 days. Make sure that your user has sufficient permissions or add this job to the root user’s crontab.

0 2 */15 * * certbot renew --renew-hook "service apache2 restart"


This tutorial bases on Ubuntu 18.04 however, it should also work on older versions like 16.04 and 14.04. In the future, I plan to create a similar post for the Nginx HTTP server.

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *