Install Certbot on Ubuntu 18.04 & 16.04 to Secure Apache Server with Let’s Encrypt

Let’s Encrypt is a Certificate Authority (CA) that provides free SSL certificates, which help you enable HTTPS on your web servers or websites. These certificates can be used in production environments or in test environments. Let’s Encrypt has simplified the process by providing client software, Certbot. Because all certificates issued by Let’s Encrypt expire after 3 months, Certbot automates both getting the certificates for your server and renewing them.

For now, all the steps in the process for installing the Let’s Encrypt SSL certificate on Apache and Nginx are completely automated.

In this guide, we will install Certbot on Ubuntu, set up the SSL certificates for the Apache server, and configure Certbot so that it automatically renews the certificate before its expiry date.

If you don’t have root access to the server and you want to set up Let’s Encrypt SSL certificates on your site, you can follow the guide over here.

We are going to set up the SSL configuration on an Apache virtual host instead of the default configuration file. If you don’t know about Apache Virtual Hosts, you can read this article, where we have covered the complete in-depth process of creating Virtual Hosts.

Getting things Ready:

So in order to get started, we need the following things:

  • Ubuntu Server 18.04 with sudo user access.
  • Virtual Hosts configured on your Apache web server or you can use a valid Registered domain that is on your VPS server.
  • In this case, I am going to use my Virtual Host mysite1.com

Install Certbot on Ubuntu:

There are two ways to install the Certbot Let’s Encrypt client on your server: manually downloading the Certbot binary and running it, or installing it from the repository. We will take a look at both.

Downloading the Certbot Binary:

Download the certbot-auto Let’s Encrypt client and save it to the /usr/sbin/ directory, then make it executable, using the following commands.

$ sudo wget https://dl.eff.org/certbot-auto -O /usr/sbin/certbot-auto
$ sudo chmod a+x /usr/sbin/certbot-auto

Installing Certbot using Repository:

The Certbot packages in the default Ubuntu repository are not maintained and are not up to date. Fortunately, the Certbot team maintains its own repository, which we are going to add to the system.

First, we will add the repository to our system:

$ sudo add-apt-repository ppa:certbot/certbot

Just press Enter if you are asked to accept. The next step is to install Certbot on our server:

$ sudo apt install python-certbot-apache

Certbot is now installed and ready to be used.

Setting Firewall Rules:

The next step in the process is to allow HTTPS traffic through the firewall. Ubuntu comes with the default firewall ufw enabled; we just need to change some settings to allow the HTTPS traffic through. Apache registers a few default settings with ufw upon installation.

To check the current configuration of ufw, type the following command:

$ sudo ufw status

It lists the applications whose connections are allowed through the firewall.

To allow all Apache traffic through, type the following commands in the terminal:

$ sudo ufw allow 'Apache Full'
$ sudo ufw delete allow 'Apache'

You can again check the status of the firewall to check if your rules are successfully added.

Getting SSL Certificate:

This step differs depending on how you installed Certbot on your server. If you installed it from the Let’s Encrypt repository, follow the steps below.

To use Certbot and get a certificate for your domain, type the following command:

$ sudo certbot --apache -d mysite1.com -d www.mysite1.com

This runs Certbot, the Let’s Encrypt SSL client, with the plugin for the Apache web server, and passes the domains we want the certificate to be valid for.

After that, you will be asked a few questions, such as your email address and whether you agree to the terms and conditions. Once you have provided all the information, Certbot sends the request to the Let’s Encrypt servers, which run a verification check to confirm that you are the actual owner of the site you are requesting a certificate for.

After all that is successful, you will be asked whether to redirect your traffic to HTTPS or to keep the same settings.

This is because if your site is not working correctly with HTTPS, you can keep it on HTTP; the choice is yours. Select the option you want to use. Once that is done, your SSL certificates will be generated and stored in /etc/letsencrypt/live/mysite1.com/, where you can access them later if you need to.

After everything is done correctly you should be able to browse your website with https:// and the browser should show that SSL is correctly configured.

The last step is to check the auto-renewal of the certificates.

Certbot Auto-Renewal Process:

As I have already mentioned, the certificates provided by Let’s Encrypt are only valid for 3 months, or 90 days. Certbot automates the renewal process with the help of cron jobs: when Certbot is installed, it automatically adds a script to /etc/cron.d. This runs certbot twice every day and automatically renews those certificates that are about to expire.

To test if it is working, run the following command:

$ sudo certbot renew --dry-run

If you don’t see any errors, then everything is working correctly. If in any case your certificate is not automatically renewed, you will get an email from Let’s Encrypt saying that your SSL certificate is about to expire, and then you can manually renew the certificate.
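
A local check to complement the expiry email, as an added example that is not part of the original guide: it lists every certificate under /etc/letsencrypt/live that expires within a given number of days. The function names and the LIVE_DIR and DAYS variables are assumptions of this example; it needs openssl and, on a real server, root access to read the live directory.

```shell
#!/bin/sh
# Added example (not from the guide): report Let's Encrypt certificates that
# are close to expiry, i.e. that automatic renewal has failed to replace.

# cert_expires_within CERT DAYS
# Exit 0 if CERT expires within DAYS days. An unreadable or malformed file
# also counts as expiring, so problems are reported rather than hidden.
cert_expires_within() {
    # "openssl x509 -checkend N" exits 0 when the certificate is still valid
    # N seconds from now; negate it to get "expires within".
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# expiring_lineages LIVE_DIR DAYS
# Print the name of each LIVE_DIR/<name>/cert.pem that expires within DAYS days.
expiring_lineages() {
    for cert in "$1"/*/cert.pem; do
        [ -e "$cert" ] || continue      # glob matched nothing
        if cert_expires_within "$cert" "$2"; then
            basename "$(dirname "$cert")"
        fi
    done
}

# Certbot renews once a certificate has less than 30 days left, so anything
# still inside a 20-day window has missed several twice-daily renewal runs.
# LIVE_DIR and DAYS are this example's own variables, not Certbot settings.
stale=$(expiring_lineages "${LIVE_DIR:-/etc/letsencrypt/live}" "${DAYS:-20}")
if [ -n "$stale" ]; then
    echo "Renewal overdue for: $(echo $stale)" >&2
fi
```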

For Certbot Binary Install:

If you installed Certbot using the manual method, follow these steps.

To generate the SSL certificate, use the following command:

$ sudo certbot-auto certonly --standalone -d mysite1.com  -d www.mysite1.com

The process is going to be the same: it will ask for your email address for sending email alerts and a few other questions, and after that the SSL certificates will be created.

You can check your SSL certificates by using this:

$ sudo ls /etc/letsencrypt/live/mysite1.com

Configuring SSL on VirtualHost:

After the SSL certificate has been generated, you have to edit the Apache virtual host configuration file and add the following entries.

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/mysite1.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mysite1.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mysite1.com/chain.pem
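
One way to catch a virtual host whose SSL directives point at the wrong certificate directory (for example, a copied snippet that still references another domain), as an added example that is not part of the original guide. The function name vhost_tls_issues and the .conf file name in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the guide): lint the SSL directives of an Apache
# virtual host file against the Certbot directory for one domain.

# vhost_tls_issues FILE DOMAIN
# Print one line per problem; print nothing when the directives are consistent.
vhost_tls_issues() {
    awk -v want="/etc/letsencrypt/live/$2/" '
        # Apache directive names are case-insensitive; compare in lower case.
        { name = tolower($1) }
        name == "sslengine" { engine = tolower($2) }
        name ~ /^sslcertificate(key|chain)?file$/ {
            seen[name] = 1
            path = $2
            gsub(/"/, "", path)          # accept quoted paths
            # Every certificate path must start with this domain directory.
            if (index(path, want) != 1)
                printf "%s does not point into %s: %s\n", $1, want, path
        }
        END {
            if (engine != "on")
                print "SSLEngine is not on"
            if (!("sslcertificatefile" in seen))
                print "SSLCertificateFile is missing"
            if (!("sslcertificatekeyfile" in seen))
                print "SSLCertificateKeyFile is missing"
        }
    ' "$1"
}

# Usage (hypothetical file name):
#   sh vhost_lint.sh /etc/apache2/sites-available/mysite1.com.conf mysite1.com
if [ "$#" -eq 2 ]; then
    vhost_tls_issues "$1" "$2"
fi
```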

Cron Job for Auto Renewal:

Now we have to add a cron job on our server to check for the certificates that are about to expire and then automatically renew them:

$ sudo nano /etc/crontab

Add the following line to the file (entries in /etc/crontab take a user field before the command):

0 2 * * * root /usr/sbin/certbot-auto -q renew

Conclusion:

In this article, we covered installing Certbot on Ubuntu, setting up the SSL certificate, and automating the certificate renewal process. For more reference, you can check out the documentation for Certbot.