Protect Apache with Let's Encrypt on Ubuntu 20.04

Let's Encrypt is a free, automated, and open certificate authority developed by the Internet Security Research Group (ISRG) that provides free SSL certificates.

The certificates issued by Let's Encrypt are trusted by most browsers and are valid for 90 days from the date of issuance.

This guide explains how to install a free Let's Encrypt SSL certificate on Ubuntu 20.04 running the Apache web server. We will also show how to configure Apache to use the SSL certificate and enable HTTP/2.

1. Prerequisites

Make sure the following prerequisites are met before proceeding to the next steps:

2. Install Certbot

We will use certbot to obtain the certificate. It is a command-line tool that automates obtaining and renewing Let's Encrypt SSL certificates.

The certbot package is included in the default Ubuntu repositories. Update the package list and install certbot with the following commands:

sudo apt update
sudo apt install certbot

3. Generate a strong DH (Diffie-Hellman) group

Diffie-Hellman (DH) key exchange is a method for securely exchanging cryptographic keys over an insecure communication channel. Generate a 2048-bit set of DH parameters to strengthen the TLS configuration:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

You can increase the size to 4096 bits, but depending on the system entropy, the generation process may take more than 30 minutes.

4. Obtain a Let's Encrypt SSL certificate

To obtain an SSL certificate for a domain, we use the webroot plugin, which creates a temporary file in the ${webroot-path}/.well-known/acme-challenge directory to validate the domain. The Let's Encrypt server makes HTTP requests to this temporary file to verify that the domain resolves to the server on which certbot is running.

To keep the steps simple, we map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.

Run the following commands to create the directory and make it writable by the Apache server:

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

To avoid duplicating configuration and to keep it maintainable, create the following two configuration snippets:

/etc/apache2/conf-available/letsencrypt.conf

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

/etc/apache2/conf-available/ssl-params.conf

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" 

Header always set Strict-Transport-Security "max-age=63072000"

The above snippet uses the cipher configuration recommended by Mozilla. It enables OCSP stapling and HTTP Strict Transport Security (HSTS), loads the DH parameters generated earlier, and sets the security-related HSTS response header on every response.
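Settings like these tend to regress when snippets are copied between hosts, so it is worth having a check that can be run against any Apache SSL snippet. The script below is an added example, not code from the article, Apache, or certbot: it lints a snippet for the hardening choices made in ssl-params.conf (legacy protocol versions left enabled, weak or macro-based cipher lists, session tickets, OCSP stapling, HSTS) and reports each finding. The weak.conf it writes is a constructed legacy-style snippet for comparison; hardened.conf is the article's ssl-params.conf. Only the classic "SSLCipherSuite <openssl-list>" form is parsed, not the TLSv1.3-prefixed form.

```shell
#!/bin/sh
# Lint an Apache SSL snippet for the settings the article's ssl-params.conf enforces.
# Added example; not part of the article, Apache or certbot.

findings=0

warn() {
    echo "WARN: $1"
    findings=$((findings + 1))
}

# Usage: lint_ssl_params FILE
# Prints one WARN line per finding and a final "findings: N" line;
# returns 0 only when nothing was flagged.
lint_ssl_params() {
    cfg="$1"
    findings=0

    # Protocol versions: each legacy version must be subtracted or simply not listed.
    proto=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$cfg" | tail -n 1 | tr -s '[:space:]' ' ')
    if [ -z "$proto" ]; then
        warn "SSLProtocol not set: Apache's default still permits TLS 1.0 and 1.1"
    else
        for old in SSLv3 TLSv1 TLSv1.1; do
            case " $proto " in
                *" -$old "*) ;;   # explicitly disabled, fine
                *" all "*|*" +all "*|*" $old "*|*" +$old "*)
                    warn "SSLProtocol still allows $old:$proto" ;;
            esac
        done
    fi

    # Cipher list: flag known-weak tokens and OpenSSL macros (HIGH, MEDIUM, ...)
    # that hide which suites are actually enabled. Tokens starting with ! or -
    # are exclusions and are ignored.
    ciphers=$(grep -E '^[[:space:]]*SSLCipherSuite[[:space:]]' "$cfg" | tail -n 1 | awk '{print $2}')
    if [ -z "$ciphers" ]; then
        warn "SSLCipherSuite not set: the OpenSSL default list applies"
    else
        tokens=$(printf '%s\n' "$ciphers" | tr ':' '\n' | grep -v '^[!-]' || true)
        weak=$(printf '%s\n' "$tokens" | grep -E 'RC4|3DES|DES-CBC3|MD5|NULL|EXP' | tr '\n' ' ')
        [ -n "$weak" ] && warn "weak cipher token(s) enabled: $weak"
        macros=$(printf '%s\n' "$tokens" | grep -E '^(HIGH|MEDIUM|LOW|DEFAULT|ALL|COMPLEMENTOFDEFAULT)$' | tr '\n' ' ')
        [ -n "$macros" ] && warn "cipher list relies on OpenSSL macro(s) instead of explicit suites: $macros"
    fi

    # Session tickets default to on in Apache; without key rotation they weaken forward secrecy.
    grep -Eiq '^[[:space:]]*SSLSessionTickets[[:space:]]+off' "$cfg" \
        || warn "SSLSessionTickets not disabled"
    grep -Eiq '^[[:space:]]*SSLUseStapling[[:space:]]+on' "$cfg" \
        || warn "SSLUseStapling not enabled (no OCSP stapling)"
    grep -Eiq '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' "$cfg" \
        || warn "no Strict-Transport-Security header (HSTS) set"

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Write two sample snippets to DIR: weak.conf is a constructed legacy-style
# configuration; hardened.conf is the article's ssl-params.conf.
write_sample_configs() {
    cat >"$1/weak.conf" <<'EOF'
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:RC4-SHA
SSLHonorCipherOrder on
EOF
    cat >"$1/hardened.conf" <<'EOF'
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Header always set Strict-Transport-Security "max-age=63072000"
EOF
}

# With file arguments: lint each file. Without: lint the two sample snippets.
main() {
    if [ "$#" -gt 0 ]; then
        for f in "$@"; do echo "== $f"; lint_ssl_params "$f" || true; done
    else
        dir=$(mktemp -d)
        write_sample_configs "$dir"
        for f in "$dir/weak.conf" "$dir/hardened.conf"; do
            echo "== $f"; lint_ssl_params "$f" || true
        done
        rm -rf "$dir"
    fi
}

main "$@"
```

Run it as "sh lint-ssl.sh /etc/apache2/conf-available/ssl-params.conf" after editing the snippet; a non-zero exit from lint_ssl_params makes it usable as a gate in a configuration-management pipeline.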

Before enabling the configuration file, make sure that mod_ssl and mod_headers are enabled:

sudo a2enmod ssl
sudo a2enmod headers

Next, use the following command to enable the SSL configuration file:

sudo a2enconf letsencrypt
sudo a2enconf ssl-params

Enable the HTTP/2 module, which will make your website faster and more robust:

sudo a2enmod http2

Reload the Apache configuration to make the changes take effect:

sudo systemctl reload apache2

Now we can run certbot with the webroot plugin to obtain the SSL certificate:

sudo certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

If the certificate is obtained successfully, certbot prints a message like the following:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-10-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now that you have the certificate files, edit your domain's virtual host file, /etc/apache2/sites-available/example.com.conf, as follows:

<VirtualHost *:80>
    ServerName mail.digital.mk

    Redirect permanent / https://mail.digital.mk/
</VirtualHost>

<VirtualHost *:443>
    ServerName mail.digital.mk

    Protocols h2 http/1.1

    <If "%{HTTP_HOST} == 'www.mail.digital.mk'">
        Redirect permanent / https://mail.digital.mk/
    </If>

    DocumentRoot /var/www/mail.digital.mk/public_html
    ErrorLog ${APACHE_LOG_DIR}/mail.digital.mk-error.log
    CustomLog ${APACHE_LOG_DIR}/mail.digital.mk-access.log combined

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/mail.digital.mk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mail.digital.mk/privkey.pem

    # Other Apache Configuration

</VirtualHost>

The above configuration forces HTTPS and redirects the www hostname to the non-www version. Adjust the configuration file to suit your needs.

Reload the Apache configuration to make the changes take effect:

sudo systemctl reload apache2

You can now open your website with https:// and you will see a green lock icon.

If you test your domain with the SSL Labs Server Test, you will get an A+ rating, like the following:

5. Automatically renew the Let's Encrypt SSL certificate

Let's Encrypt certificates are valid for only 90 days. To renew the certificate automatically before it expires, we create a cron job that runs twice a day and renews the certificate about 30 days before it expires.

Once the certificate is renewed, Apache must also be reloaded. Append --renew-hook "systemctl reload apache2" to the certbot line in the /etc/cron.d/certbot file, so that the entry, which renews the certificate and reloads Apache, looks like the following:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"

Note that the test -x /usr/bin/certbot -a \! -d /run/systemd/system guard makes this cron entry a no-op on hosts running systemd, where the packaged certbot.timer runs certbot -q renew instead. On such hosts, place the reload command in an executable script under /etc/letsencrypt/renewal-hooks/deploy/ so that it runs after every successful renewal regardless of how certbot was started.

To test the renewal process, run certbot with the --dry-run option:

sudo certbot renew --dry-run

If no errors are reported, the renewal process works.
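A bare "systemctl reload apache2" hook reloads Apache even when the renewed files are unusable, for instance when a key and certificate from different lineages end up in the same directory or an unrelated config edit has left Apache unable to parse its configuration. The script below is an added example, not part of the article or of certbot: a renew hook that checks that the renewed private key matches the renewed certificate, that the certificate is not already expired, and that the Apache configuration still parses, and only then reloads Apache. It reads RENEWED_LINEAGE, the environment variable certbot sets for renew/deploy hooks to the renewed lineage's live directory (for example /etc/letsencrypt/live/example.com). The APACHE_CONFIGTEST and APACHE_RELOAD variables are assumptions of this example so the commands can be substituted for offline testing; they default to apachectl configtest and systemctl reload apache2.

```shell
#!/bin/sh
# Safer certbot renew hook: reload Apache only after sanity checks pass.
# Added example; not part of the article or of certbot.
# certbot exports RENEWED_LINEAGE (path of the renewed live directory) to hooks.
# APACHE_CONFIGTEST / APACHE_RELOAD are assumed override knobs for testing.

APACHE_CONFIGTEST="${APACHE_CONFIGTEST:-apachectl configtest}"
APACHE_RELOAD="${APACHE_RELOAD:-systemctl reload apache2}"

# Return 0 when the public key inside the certificate (first PEM block of
# fullchain.pem, i.e. the leaf) equals the public key derived from the private key.
# Works for RSA and ECDSA keys because both sides are compared in SubjectPublicKeyInfo form.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate has not yet expired (-checkend 0 exits 1 if it has).
cert_not_expired() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Usage: renew_hook [LINEAGE_DIR]   (defaults to $RENEWED_LINEAGE)
# Exit codes: 0 reloaded, 2 files missing, 3 key/cert mismatch,
#             4 certificate expired, 5 Apache configtest failed.
renew_hook() {
    lineage="${1:-$RENEWED_LINEAGE}"
    cert="$lineage/fullchain.pem"
    key="$lineage/privkey.pem"

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "renew-hook: missing $cert or $key; not reloading" >&2
        return 2
    fi
    if ! cert_matches_key "$cert" "$key"; then
        echo "renew-hook: certificate and key in $lineage do not match; not reloading" >&2
        return 3
    fi
    if ! cert_not_expired "$cert"; then
        echo "renew-hook: certificate in $lineage is already expired; not reloading" >&2
        return 4
    fi
    if ! $APACHE_CONFIGTEST >/dev/null 2>&1; then
        echo "renew-hook: Apache configtest failed; not reloading" >&2
        return 5
    fi
    $APACHE_RELOAD && echo "renew-hook: reloaded Apache for $lineage" >&2
}

# Act as a hook only when certbot (RENEWED_LINEAGE) or the caller supplies a lineage.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ -n "${1:-}" ]; then
    renew_hook "$@"
fi
```

Install it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ (where certbot runs it after each successful renewal), or pass its path to --renew-hook instead of the plain reload command. Because the hook exits non-zero when a check fails, certbot logs the failure in /var/log/letsencrypt/letsencrypt.log, which is the place to alert on.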

6. Summary

In this guide, we showed how to use the Let's Encrypt client, certbot, on Ubuntu 20.04 to obtain an SSL certificate for a domain.

We also showed how to configure Apache to use the SSL certificate and how to set up a cron job to renew the certificate automatically.

To learn more about the certbot script, see the official Certbot documentation.
