This tutorial shows you how to set up a TLS/SSL certificate from Let's Encrypt on an Ubuntu 16.04 server running Apache as a web server.
The SSL certificate is used in the web server to encrypt the traffic between the server and the client, providing additional security for users accessing the application. Let's Encrypt provides an easy way to obtain and install trusted certificates for free.
To complete this guide, you need:
ServerName through the virtual host.
If you have a domain name, the easiest way to protect your website is to use Tencent Cloud SSL Certificate Service, which provides free trusted certificates. See the [Tencent Cloud SSL Certificate Installation Operation Guide](https://cloud.tencent.com/document/product/400/6814?from=10680) to set it up. If you don't have a domain name, it is recommended that you register one first. If you only use this configuration for testing or personal use, you can use a self-signed certificate without buying a domain name. A self-signed certificate provides the same type of encryption, but without domain validation. For self-signed certificates, you can refer to the two articles Create a self-signed SSL certificate for Apache and How to create a self-signed SSL certificate for Nginx.
When you are ready to move on, log in to your server with a sudo-enabled account.
Let's Encrypt certificates are obtained through client software running on the server. The official client is called Certbot, and its developers maintain their own Ubuntu software repository with up-to-date versions. Because Certbot is under such active development, it is worthwhile to use this repository to install newer versions than those provided by Ubuntu by default.
First, add the repository:
sudo add-apt-repository ppa:certbot/certbot
You need to press ENTER to accept. Then, update the package list to get package information for the new repository:
sudo apt-get update
Finally, install Certbot from the new repository using apt-get:
sudo apt-get install python-certbot-apache
The certbot Let's Encrypt client is now ready to use.
Using Certbot to generate SSL certificates for Apache is very simple. The client will automatically obtain and install a new SSL certificate, which is valid for the domain provided as a parameter.
To perform an interactive installation and obtain a certificate covering only a single domain, run the following certbot command, where example.com is your domain:
sudo certbot --apache -d example.com
If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command. The first domain name in the parameter list will be the base domain used by Let's Encrypt to create the certificate, so we recommend that you put the bare top-level domain name first in the list, followed by any other subdomains or aliases:
sudo certbot --apache -d example.com -d www.example.com
For this example, the base domain will be example.com.
If you have multiple virtual hosts, you should run certbot once for each virtual host to generate a new certificate for each virtual host. You can distribute multiple domains and subdomains across virtual hosts in any way.
Once the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices. You can choose to enable both http and https access, or force all requests to redirect to https. Unless you specifically need unencrypted http traffic, it is generally safest to require https.
After the installation is complete, you should be able to find the generated certificate files in /etc/letsencrypt/live. You can verify the status of the SSL certificate using the following link (don't forget to replace example.com with your base domain):
https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest
You should now be able to access your website using the https prefix.
Let's Encrypt certificates are valid for only 90 days. However, the certbot package we installed handles this for us by running certbot renew twice a day via a systemd timer. On non-systemd distributions, this functionality is provided by a cron script placed in /etc/cron.d. This task runs twice a day and will renew any certificate that is within 30 days of expiration.
To test the renewal process, you can do a dry run with certbot:
sudo certbot renew --dry-run
If you do not see any errors, then you have completed the setup. When necessary, Certbot will renew your certificate and reload Apache to pick up the changes. If the automatic renewal process ever fails, Let's Encrypt will send a message to the email address you specified, warning you when your certificate is about to expire.
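The dry run only shows that renewal can work. The script below is an added example, not part of the original guide, that checks whether renewal has actually happened by flagging any certificate under /etc/letsencrypt/live that is already inside the 30-day renewal window or has expired. The function names are hypothetical, and it assumes certbot's usual cert.pem file in each certificate directory, the openssl command line tool, and GNU date.

```bash
#!/usr/bin/env bash
# Added example: flag Let's Encrypt certificates that certbot should have renewed.
RENEW_WINDOW_DAYS=30   # from the guide: certbot renews within 30 days of expiration

# Classify a certificate from its expiry time and the current time (epoch seconds).
renewal_state() {
    local remaining
    remaining=$(( $1 - $2 ))
    if [ "$remaining" -le 0 ]; then
        echo expired
    elif [ "$remaining" -le $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        # certbot should renew this on its next run; if the state persists,
        # the renewal job is failing
        echo renew-due
    else
        echo ok
    fi
}

# Print the notAfter time of a PEM certificate as epoch seconds.
cert_not_after_epoch() {
    local end
    end=$(openssl x509 -noout -enddate -in "$1") || return 1
    date -u -d "${end#notAfter=}" +%s
}

# Report every certificate below a certbot live directory.
# Returns 1 if any certificate is unreadable, due for renewal, or expired.
check_live_dir() {
    local live_dir="${1:-/etc/letsencrypt/live}"
    local now rc=0 pem exp state
    now=$(date -u +%s)
    for pem in "$live_dir"/*/cert.pem; do
        [ -e "$pem" ] || continue   # glob matched nothing
        exp=$(cert_not_after_epoch "$pem") || { echo "unreadable $pem"; rc=1; continue; }
        state=$(renewal_state "$exp" "$now")
        echo "$state $(( (exp - now) / 86400 ))d $pem"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

# Run as a script with the live directory as the argument, for example:
#   sudo ./check-certs.sh /etc/letsencrypt/live
if [ "$#" -gt 0 ]; then
    check_live_dir "$1"
fi
```

A non-zero exit status means at least one certificate needs attention, so the script can be called from a monitoring job alongside the expiry emails.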
In this guide, we learned how to install a free SSL certificate from Let's Encrypt to protect websites hosted with Apache. We recommend that you check the official Let's Encrypt Blog from time to time for important updates, and read Certbot Documentation for more detailed information about the Certbot client.
Reference: "How To Secure Apache with Let's Encrypt on Ubuntu 16.04"