Let’s Encrypt for Apache on Ubuntu (14.04 or above)

Last time we covered Purchase certificate from traditional CA.
Now with Let’s Encrypt, we can request free certificate, and install/renew them automagically.

Updated Aug 2018: Install from PPA is now required as version in Ubuntu repository no longer works

1. Install letsencrypt package with Apache plugin

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache

2. Request certificate and install it automagically

# Apply a single domain
certbot --apache -d example.com

# Apply domain and it's sub-domain
certbot --apache -d example.com -d www.example.com

3. Add auto-renew to crontab to run once every month

Certificates issues by Let’s Encrypt are valid for 90 days and open to renew 30 days before expire.

Let’s run renew command every-day

crontab -e, add the following line

0 0 * * * certbot renew

Extra 1. If your are curious what changes applied to Apache config:

certbot config_changes

Extra 2. Test with SSLLabs, you should able to get an A grade:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest

Extra 3. Enable HSTS (If your application support HTTPS only):

a2enmod headers

# Add line to /etc/letsencrypt/options-ssl-apache.conf
Header always set Strict-Transport-Security "max-age=31536000;"

With HSTS enabled, you should able to get A+ grade with SSLLabs

2 Replies to “Let’s Encrypt for Apache on Ubuntu (14.04 or above)”

  1. Hi I am getting below error after sudo apt-get install python-certbot-apache.

    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    E: Unable to locate package python-certbot-apache

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.