Setup Let’s Encrypt Free SSL For Apache and Nginx on Ubuntu 20.04
Let’s Encrypt is a Certificate Authority that provides free SSL certificates. A certificate must be renewed after 3 months, but most of the process is automatic and doesn’t require manual configuration.
In this tutorial, we will configure Let’s Encrypt free SSL for Apache2 and Nginx on Ubuntu 20.04. The official Certbot package on Ubuntu 20.04 has some bugs, so we will also cover the issues and an alternative installation method to work around them. Now, without wasting any more time, let’s begin with the configuration.
If you haven’t installed LAMP stack on Ubuntu then you can follow this tutorial.
Setup LAMP stack on Ubuntu 20.04
Let’s Encrypt SSL configuration for Apache2 on Ubuntu 20.04
Step 1: Install Let’s Encrypt Client “Certbot” on Ubuntu 20.04
Before getting started with the SSL configuration for Apache2, we need to install a Certbot client on Ubuntu 20.04. Execute the following command on the terminal.
sudo apt install certbot python3-certbot-apache -y
Now we have the Certbot client installed on the Ubuntu server. Before we fetch the SSL certificate for Apache, we need to make sure that an Apache virtual host is enabled and that port 443 is open for incoming connections.
Step 2: Allow incoming HTTPS connections through the firewall
If you have ufw enabled on your server then execute the following command on the terminal to verify what kind of traffic is allowed on your server.
sudo ufw status
The output of this command will look like the following.
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)
We can see that the “Apache” profile only opens port 80. To open the HTTPS port as well, we just need to allow the “Apache Full” profile and remove the existing “Apache” rule. Execute the following commands on the server.
sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'
Now let’s verify if the new rule is active or not.
sudo ufw status
The output of this command should be:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
Port 443 (HTTPS) is now allowed through the firewall. We are ready to fetch the SSL certificate for the Apache virtual host.
sudo certbot --apache
The above command starts the certificate request, and the script will ask you a series of questions. Let’s cover them step by step.
The script will ask for your email address; this is important for renewal and security notices. Simply type the email address you want and press Enter.
Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): Your-EMail-Address
The next step is to agree to the Let’s Encrypt Terms of Service. Type “A” in the console to agree and press Enter.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
The next prompt asks whether you want to share your email address with the Electronic Frontier Foundation. Simply type “N” if you don’t want to share it.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
The next step is very important: we need to decide whether we want the certificate for the “ServerName” value in the Apache virtual host file, the “ServerAlias” value, or both. It’s better to select both, so just press Enter. This obtains one SSL certificate covering both names.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Your-DomainName or ServerName Value in Virtualhost
2: www.YourServernameAlias
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
You will get the following output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for your_domain
http-01 challenge for www.your_ServerAlias
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/your_domain-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/your_domain-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/your_domain-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/your_domain-le-ssl.conf
In the next step, choose whether you want to redirect all HTTP traffic to HTTPS. After this, you will get the following output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://your_domain and
https://www.your_ServerAlias

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=your_domain
https://www.ssllabs.com/ssltest/analyze.html?d=www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your cert will expire on 2020-07-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Congratulations! SSL is active for Apache. Now simply open your browser and check your domain; it should be accessible over HTTPS. Next we need to check whether the SSL renewal is working.
sudo certbot renew --dry-run
If you didn’t get any error, then everything is working as required. Now let’s configure Let’s Encrypt for Nginx.
Setup Let’s Encrypt SSL Certificate For Nginx on Ubuntu 20.04
The setup of Let’s Encrypt SSL for Nginx is quite similar to Apache2; we just need to install the Certbot Nginx plugin on the server with the following command.
sudo apt install certbot python3-certbot-nginx -y
Now we have the Certbot Nginx plugin installed on the server. We need an Nginx server block set up with the server_name value configured; the Certbot client will detect the active block and try to fetch the SSL certificate for it. Execute the following command on the terminal.
sudo certbot --nginx -d Yourdomain.com -d www.yourdomainalias.com
After this, follow the same instructions we shared for the Apache configuration: provide your email, agree to the Let’s Encrypt Terms of Service, and select the redirection option from the prompt. Your SSL certificate is then ready for Nginx.
Now we need to allow port 443 for incoming connections to Nginx in ufw. Execute the following command to verify the status.
sudo ufw status
Output:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
Now we need to add the “Nginx Full” profile in ufw with the following commands and remove the existing HTTP-only rule.
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
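The firewall step is the one part of this tutorial that is easy to get half right (HTTP open, HTTPS still blocked), for both the Apache section above and the Nginx section here. The following POSIX shell script is an added example, not part of the original tutorial: it reads the text of `sudo ufw status`, reports whether any rule opens port 443, and prints the tutorial’s ufw commands that are still missing. The profile names are the ones the apache2 and nginx packages register with ufw; the status dumps are constructed sample input.

```shell
# Added example, not from the original tutorial: decide from the text of
# `sudo ufw status` whether port 443 is open and which of the tutorial's ufw
# commands still need to run. Status dumps below are constructed samples.

# https_allowed <status-text>: exit 0 if some rule opens 443, 1 otherwise.
https_allowed() {
    printf '%s\n' "$1" | grep -Eq \
        '^(Apache (Full|Secure)|Nginx (Full|HTTPS)|443(/tcp)?)( \(v6\))?[[:space:]]+ALLOW'
}

# stale_http_only_rule <status-text>: print the port-80-only profile that
# should be deleted once the Full profile exists; print nothing if none.
stale_http_only_rule() {
    printf '%s\n' "$1" | awk '
        $1 == "Apache" && $2 == "ALLOW"                 { print "Apache";     exit }
        $1 == "Nginx"  && $2 == "HTTP" && $3 == "ALLOW" { print "Nginx HTTP"; exit }'
}

# suggest_fix <status-text>: print the ufw commands still needed (none if 443 is open).
suggest_fix() {
    if https_allowed "$1"; then return 0; fi
    case "$(stale_http_only_rule "$1")" in
        Apache)       printf "sudo ufw allow 'Apache Full'\nsudo ufw delete allow 'Apache'\n" ;;
        "Nginx HTTP") printf "sudo ufw allow 'Nginx Full'\nsudo ufw delete allow 'Nginx HTTP'\n" ;;
        *)            printf 'sudo ufw allow 443/tcp\n' ;;
    esac
}

# Constructed sample: the "before" state from the Apache section (port 80 only).
APACHE_BEFORE='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)'
# Constructed sample: the "after" state once Nginx Full has replaced Nginx HTTP.
NGINX_AFTER='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)'
suggest_fix "$APACHE_BEFORE"   # prints the two ufw commands for Apache
suggest_fix "$NGINX_AFTER"     # prints nothing: 443 is already allowed
```

On a live server, feed it the real output with `suggest_fix "$(sudo ufw status)"`.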
Congratulations, Let’s Encrypt SSL for Nginx is ready to use. You can open your domain name in the browser to verify it. The best way to verify that the SSL certificate is working as required is to check it on SSL Labs (https://www.ssllabs.com/ssltest/).
Now we need to verify that the Certbot SSL renewal is working.
sudo certbot renew --dry-run
If you didn’t get any error, then everything is working perfectly.
If you are facing issues with the Certbot package from the default Ubuntu 20.04 repository, simply remove the existing Certbot package and use snap to manage it instead.
sudo snap install --beta --classic certbot
This will install the Certbot client on the server. Now, to fetch and install the SSL certificate automatically, execute the following command.
sudo certbot --nginx
If you want to obtain the certificate only and configure Nginx manually yourself, execute the following command instead.
sudo certbot certonly --nginx
The next step is to verify the renewal process.
sudo certbot renew --dry-run
You have successfully configured Let’s Encrypt SSL on Nginx and Apache.
Conclusion: Installing the Certbot client on Ubuntu 20.04 and configuring an SSL certificate is quite simple. We have covered all the necessary steps to get a free SSL certificate and renew it. However, if you got any error or have questions, add them in the comments section. Our team will try to get back to you as soon as possible.