Last time we covered purchasing a certificate from a traditional CA.
Now, with Let’s Encrypt, we can request a free certificate and install/renew it automagically.
Updated Aug 2018: Installing from the PPA is now required, as the version in the Ubuntu repository no longer works.
1. Install the letsencrypt package with the Apache plugin
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
2. Request a certificate and install it automagically
# Apply for a single domain
certbot --apache -d example.com
# Apply for a domain and its sub-domain
certbot --apache -d example.com -d www.example.com
3. Add auto-renew to crontab to run once every month
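Certificates issued by Let’s Encrypt are valid for 90 days and can be renewed starting 30 days before they expire.
Let’s run the renew command every day; certbot renew only renews certificates that are close to expiry, so on most days it does nothing.
Run crontab -e and add the following line: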
0 0 * * * certbot renew
Extra 1. If you are curious what changes were applied to the Apache config:
Extra 2. Test with SSLLabs; you should be able to get an A grade:
Extra 3. Enable HSTS (if your application supports HTTPS only):
a2enmod headers
# Add line to /etc/letsencrypt/options-ssl-apache.conf
Header always set Strict-Transport-Security "max-age=31536000;"
With HSTS enabled, you should be able to get an A+ grade with SSLLabs.
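
To confirm that the HSTS header from Extra 3 is actually being served after Apache reloads, the following added example (not part of the original post) parses raw response headers and classifies the policy. The function names hsts_max_age and hsts_verdict and the sample responses are constructed for illustration; the default threshold is the 31536000 seconds used above.

```shell
#!/bin/sh
# hsts_max_age: read raw HTTP response headers on stdin and print the
# max-age of the Strict-Transport-Security header.
# Exit status: 0 = max-age found, 1 = header missing or no usable max-age.
hsts_max_age() {
    # Strip CR from CRLF line endings; header names are case-insensitive.
    tr -d '\r' | awk '
        BEGIN { status = 1 }
        tolower($0) ~ /^strict-transport-security[ \t]*:/ {
            value = tolower(substr($0, index($0, ":") + 1))
            n = split(value, parts, ";")        # directives are ";"-separated
            for (i = 1; i <= n; i++) {
                d = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", d)  # trim surrounding whitespace
                if (d ~ /^max-age[ \t]*=/) {
                    sub(/^max-age[ \t]*=[ \t]*/, "", d)
                    gsub(/"/, "", d)            # value may be a quoted string
                    if (d ~ /^[0-9]+$/) { print d; status = 0; exit }
                }
            }
        }
        END { exit status }
    '
}

# hsts_verdict [MIN_SECONDS]: classify the policy found on stdin.
# Prints ok:<age>, short:<age>, disabled or missing; returns 0 only for ok.
hsts_verdict() {
    min=${1:-31536000}
    if ! age=$(hsts_max_age); then
        echo "missing"; return 1
    fi
    if [ "$age" -eq 0 ]; then
        echo "disabled"; return 1   # max-age=0 tells browsers to drop the policy
    elif [ "$age" -lt "$min" ]; then
        echo "short:$age"; return 1
    fi
    echo "ok:$age"
}

# Constructed sample responses (not captured from a real server).
sample_with_hsts() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nstrict-transport-security: max-age=31536000;\r\n\r\n'
}
sample_without_hsts() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n'
}
```

Against a live site, source the file and pipe the response headers in: curl -sI https://example.com | hsts_verdict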