SSL certificates are notoriously confusing to set up on Linux, which is why so many people avoid setting up HTTPS on their websites. Thankfully, the service Let’s Encrypt is attempting to change this by making setting up SSL on Linux a simple process that nearly anyone can understand. You can use Let’s Encrypt with Apache on Ubuntu Server to easily set up SSL certificates.
Let’s Encrypt is free forever on Linux. You won’t have to pay for anything to use it. The only issue is that the certificates don’t last forever. Instead, it requires users to refresh and renew their SSL cert every 90 days.
The Let’s Encrypt software has support for both major web servers on the Linux platform (Apache and Nginx). In this tutorial, we’ll be going over how to obtain and set up a Let’s Encrypt SSL certificate for use with Apache on Ubuntu Server.
Note: Let’s Encrypt supports all Linux operating systems. If you do not use Ubuntu server, click here and learn how you can set it up on an alternative server operating system.
Let’s Encrypt is a mostly automatic process on Linux thanks to the Certbot tool. With it, you’ll be able to obtain SSL certification quickly on your Ubuntu Server.
Certbot doesn’t come with Ubuntu server. So, in order to use it, you must activate a third-party software repository (PPA) and install it that way. However, before attempting to add the new PPA, keep in mind: not every version of Ubuntu server has PPA support out of the box. To access PPAs on Ubuntu, you must install software-properties-common.
sudo apt install software-properties-common
Then, when the “software-properties-common” package is up and running, enter the command below to enable the Certbot repo on Ubuntu.
sudo add-apt-repository ppa:certbot/certbot
After running the add-apt-repository command, the PPA should be working. Next, update Ubuntu server’s software sources with the update command, so that the Certbot PPA is accessible.
sudo apt update
With Ubuntu’s software sources up to date, install the Certbot package using Apt.
sudo apt install python-certbot-apache
Enable HTTPS traffic
Let’s Encrypt lets users quickly set up an SSL certificate on Linux so that users do not have to deal with doing everything manually. One of the things that must be done to use this service is to enable HTTPS traffic for Apache 2 on the server.
To enable HTTPS traffic in the Apache web-server, ensure that the Ubuntu Firewall is up and running. Then, use the UFW commands below to allow HTTPS traffic.
Note: Firewall not running? Do sudo ufw enable, then reboot.
sudo ufw allow 'Apache Full'
If the UFW command is successful, the firewall will allow HTTPS traffic through to Apache. You can check the status of the firewall to confirm that the rule is in place by running the ufw status command.
sudo ufw status
Generate SSL certificate
Ubuntu server is set up to use SSL, and Certbot is installed. At this point, we can use the Certbot program to generate a brand-new SSL certificate for the Apache web server.
To generate a new SSL certificate with Certbot, run certbot with the apache command-line switch. Keep in mind that this certificate will only work if the domain specified in the command matches your website’s configuration file in /etc/apache2/sites-available/.
Note: be sure to change the mywebsite.com and www.mywebsite.com in the Certbot command to your site’s domain name.
sudo certbot --apache -d mywebsite.com -d www.mywebsite.com
Assuming the Certbot command is successful, you’ll see a text-prompt asking you about your Apache settings. Read through the prompt and select the choice that best suits your needs. When you’ve moved on from the prompt, your SSL certificate is ready to go!
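The requirement above, that each domain passed with -d matches a site configuration file in /etc/apache2/sites-available/, can be checked before running Certbot. The shell functions below are an added example, not part of the original tutorial or of Certbot; the function names are hypothetical, and the check assumes site files end in .conf and does not expand wildcard aliases.

```shell
#!/bin/sh
# Pre-flight check for "certbot --apache": confirm every domain you plan to
# pass with -d is declared as ServerName or ServerAlias in a site file.
# Usage (path from the tutorial):
#   preflight_domains /etc/apache2/sites-available mywebsite.com www.mywebsite.com

# Print each .conf file in directory $1 that declares domain $2.
# Returns 0 if at least one file matches, 1 otherwise.
vhost_files_for_domain() {
    dir=$1
    domain=$2
    found=1
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        if awk -v want="$domain" '
            BEGIN { want = tolower(want); hit = 0 }
            /^[ \t]*#/ { next }                   # ignore commented-out directives
            tolower($1) == "servername" || tolower($1) == "serveralias" {
                for (i = 2; i <= NF; i++) {       # ServerAlias may list several names
                    name = tolower($i)
                    sub(/:[0-9]+$/, "", name)     # ServerName may carry a :port suffix
                    if (name == want) hit = 1
                }
            }
            END { exit (hit ? 0 : 1) }
        ' "$conf"; then
            printf '%s\n' "$conf"
            found=0
        fi
    done
    return $found
}

# Check several domains against directory $1. Prints one line per domain and
# returns the number of domains that no site file declares (0 = all present).
preflight_domains() {
    dir=$1; shift
    missing=0
    for d in "$@"; do
        if files=$(vhost_files_for_domain "$dir" "$d"); then
            printf 'ok       %s -> %s\n' "$d" "$(printf '%s' "$files" | tr '\n' ' ')"
        else
            printf 'MISSING  %s (no ServerName/ServerAlias in %s)\n' "$d" "$dir"
            missing=$((missing + 1))
        fi
    done
    return $missing
}
```

A non-zero return from preflight_domains means at least one name would not match a site file; add the missing ServerName or ServerAlias before requesting the certificate.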
Renewing your SSL certificate
Let’s Encrypt’s SSL certificates expire after 90 days, so if you plan to use them for your website, renewal is required. Luckily, the Certbot program comes with an automatic Cron job that does it for you.
The automatic renewal Cron script is located in /etc/cron.d/ on your server, and you can view it by doing
Thanks to the automatic renewal script for Let’s Encrypt, your Apache server should always have an SSL certificate. However, problems can sometimes occur, so it’s a good idea to know how to renew an SSL certificate manually.
To renew your SSL certificate with Apache on Ubuntu server, open up a terminal window, SSH in and follow the steps below.
Step 1: Run the certbot renew command with the dry-run command-switch. Doing this will allow you to do a practice renewal, which will let you isolate issues, and ensure that the process works.
sudo certbot renew --dry-run
Step 2: Assuming the “dry run” went well, it’s safe to run Certbot’s renewal command for real. In the terminal, run certbot renew, but without the “dry-run” switch.
sudo certbot renew
If the renew command works successfully, your SSL certificate will once again be active.