Let’s Encrypt for Apache on Ubuntu (14.04 or above)

Last time we covered Purchase certificate from traditional CA.
Now with Let’s Encrypt, we can request free certificate, and install/renew them automagically.

Updated Aug 2018: Install from PPA is now required as version in Ubuntu repository no longer works

1. Install letsencrypt package with Apache plugin

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache

2. Request certificate and install it automagically

# Apply a single domain
certbot --apache -d example.com

# Apply domain and it's sub-domain
certbot --apache -d example.com -d www.example.com

3. Add auto-renew to crontab to run once every month

Certificates issues by Let’s Encrypt are valid for 90 days and open to renew 30 days before expire.

Let’s run renew command every-day

crontab -e, add the following line

0 0 * * * certbot renew

Extra 1. If your are curious what changes applied to Apache config:

certbot config_changes

Extra 2. Test with SSLLabs, you should able to get an A grade:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest

Extra 3. Enable HSTS (If your application support HTTPS only):

a2enmod headers

# Add line to /etc/letsencrypt/options-ssl-apache.conf
Header always set Strict-Transport-Security "max-age=31536000;"

With HSTS enabled, you should able to get A+ grade with SSLLabs

One Reply to “Let’s Encrypt for Apache on Ubuntu (14.04 or above)”

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.