Secure Apache with Let’s Encrypt on Ubuntu 20.04


Let’s Encrypt is a certificate authority run by the Internet Security Research Group (ISRG). It offers free SSL certificates through a fully automated process that eliminates the need to manually create, validate, install and renew certificates.

Certificates issued by Let’s Encrypt are valid for 90 days from the date of issue and are trusted by all major browsers.

This tutorial explains how to install a free Let’s Encrypt SSL certificate on Ubuntu 20.04 running Apache as the web server. We also show how to configure Apache to use the SSL certificate and enable HTTP/2.

Prerequisites

Make sure that the following prerequisites are met before proceeding:

  • Logged in as root or as a user with sudo privileges.
  • The domain for which you want to obtain the SSL certificate must point to your public server IP. We use example.com.
  • Apache installed.

Install Certbot

We use certbot to obtain the certificate. It is a command-line tool that automates the tasks of obtaining and renewing Let’s Encrypt SSL certificates.

The certbot package is included in the standard Ubuntu repositories. Update the package list and install certbot using the following commands:

sudo apt update
sudo apt install certbot

Generate a strong DH (Diffie-Hellman) group

The Diffie-Hellman key exchange (DH) is a method for securely exchanging cryptographic keys over an unsecured communication channel. Generate a new set of 2048-bit DH parameters for added security:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

You can increase the size up to 4096 bits, but generation can then take more than 30 minutes, depending on the entropy available on the system.

Obtaining a Let’s Encrypt SSL Certificate

To obtain an SSL certificate for the domain, we use the webroot plugin, which creates a temporary file for validating the requested domain in the ${webroot-path}/.well-known/acme-challenge directory. The Let’s Encrypt server makes HTTP requests to the temporary file to check that the requested domain resolves to the server on which certbot is running.

To keep things simple, we map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.

Run the following commands to create the directory and make it writable by the Apache server:

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

To avoid duplicate code and to make the configuration easier to maintain, create the following two configuration snippets:

/etc/apache2/conf-available/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
/etc/apache2/conf-available/ssl-params.conf
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" 

Header always set Strict-Transport-Security "max-age=63072000"

The above snippet uses the cipher suites recommended by Mozilla, enables OCSP stapling and HTTP Strict Transport Security (HSTS), and enforces a few security-related HTTP headers.

Before enabling the configuration files, make sure that both mod_ssl and mod_headers are enabled by running:

sudo a2enmod ssl
sudo a2enmod headers

Next, enable the SSL configuration files by running the following commands:

sudo a2enconf letsencrypt
sudo a2enconf ssl-params

Enable the HTTP/2 module, which will make your websites faster and more robust:

sudo a2enmod http2

Reload the Apache configuration for the changes to take effect:

sudo systemctl reload apache2

We can now run the Certbot tool with the webroot plugin and get the SSL certificate files:

sudo certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

When the SSL certificate is successfully obtained, certbot prints the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-10-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now that you have the certificate files, edit your domain’s virtual host configuration as follows:

/etc/apache2/sites-available/example.com.conf
<VirtualHost *:80> 
  ServerName example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com

  Protocols h2 http/1.1

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  DocumentRoot /var/www/example.com/public_html
  ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
  CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

  # Other Apache Configuration

</VirtualHost>

With the above configuration, we are enforcing HTTPS and redirecting from the www to the non-www version. Adjust the configuration according to your needs.

Reload the Apache service for the changes to take effect:

sudo systemctl reload apache2

You can now open your website with https://, and you’ll see a green lock icon.

If you test your domain with the SSL Labs Server Test, you will get an A+ grade, as shown below:
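As an added post-setup check (not part of the original tutorial), the following script verifies the configuration built above from the server itself: that the ACME challenge path under /var/lib/letsencrypt is served, that the protocols removed by ssl-params.conf (TLS 1.0 and 1.1) are refused while TLS 1.2 is accepted, that a stapled OCSP response is returned, and that the HSTS header carries the configured max-age. It assumes curl and openssl are installed and that the domain resolves to the host it runs on; the file name tls-check.sh and the --live switch are assumptions of this example.

```shell
#!/bin/bash
# Post-setup checks for the Apache/Let's Encrypt configuration above.
# Assumptions: curl and openssl installed, the domain resolves to this
# host, and the webroot is /var/lib/letsencrypt as in the tutorial.
WEBROOT="/var/lib/letsencrypt"

# Print the HSTS max-age found in raw response headers, or 0 if absent.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" && match($0, /max-age=[0-9]+/) {
            print substr($0, RSTART + 8, RLENGTH - 8); found = 1 }
        END { if (!found) print 0 }'
}

# Return 0 if an "openssl s_client" transcript shows a completed handshake
# (a refused protocol version ends with "Cipher is (NONE)").
handshake_ok() {
    printf '%s\n' "$1" | grep -q '^New, .*Cipher is' &&
        ! printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'
}

# Return 0 if the transcript carries a stapled OCSP response (SSLUseStapling).
stapling_present() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# Live checks against the running server; run after "systemctl reload apache2".
live_checks() {
    domain=$1
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$WEBROOT/.well-known/acme-challenge"
    echo "$token" > "$WEBROOT/.well-known/acme-challenge/$token"
    # Let's Encrypt follows the HTTP->HTTPS redirect, so curl does too (-L).
    body=$(curl -sL "http://$domain/.well-known/acme-challenge/$token")
    [ "$body" = "$token" ] && echo "ACME challenge path: ok" || echo "ACME challenge path: FAIL"
    rm -f "$WEBROOT/.well-known/acme-challenge/$token"
    for want in tls1:rejected tls1_1:rejected tls1_2:accepted; do
        v=${want%%:*}
        out=$(openssl s_client -connect "$domain:443" -servername "$domain" "-$v" </dev/null 2>&1)
        if handshake_ok "$out"; then got=accepted; else got=rejected; fi
        echo "$v: $got (expected ${want#*:})"
    done
    out=$(openssl s_client -connect "$domain:443" -servername "$domain" -status </dev/null 2>&1)
    stapling_present "$out" && echo "OCSP stapling: ok" || echo "OCSP stapling: FAIL"
    echo "HSTS max-age: $(hsts_max_age "$(curl -sI "https://$domain/")") (expected 63072000)"
}

# Usage: ./tls-check.sh --live example.com
[ "${1:-}" = "--live" ] && live_checks "${2:-example.com}"
```

The three parsing functions can be exercised on saved curl and s_client output without a live server, which is how the checks are verified here.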

Automatic renewal of the Let’s Encrypt SSL certificate

Let’s Encrypt certificates are valid for 90 days. To automatically renew the certificates before they expire, the certbot package creates a cron job that runs twice a day and automatically renews each certificate 30 days before it expires.

Once the certificate has been renewed, we also need to reload the Apache service. Append --renew-hook "systemctl reload apache2" to the certbot command in the /etc/cron.d/certbot file so that it looks like this:

/etc/cron.d/certbot
0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"

To test the renewal process, use the certbot --dry-run switch:

sudo certbot renew --dry-run

If there are no errors, it means that the renewal process was successful.

Conclusion

In this tutorial, we’ve talked about how to use the Let’s Encrypt client Certbot on Ubuntu 20.04 to get SSL certificates for your domains. We also showed you how to configure Apache to use the certificates and set up a cron job for automatic certificate renewal.

To learn more about the Certbot script, visit the Certbot documentation.

If you have any questions or feedback, please feel free to leave a comment.

This post is part of the How to install the LAMP stack on Ubuntu 20.04 series.
Further articles in this series:

How to install MySQL on Ubuntu 20.04

How to install Apache on Ubuntu 20.04

How to install PHP on Ubuntu 20.04

How to set up Apache virtual hosts on Ubuntu 20.04

Secure Apache with Let’s Encrypt on Ubuntu 20.04
