Prerequisites
You should be using a non-root user with sudo privileges as explained in Ubuntu 18.04 / 19.10 Initial Server Setup.
You should also have Apache already installed and serving web pages before continuing with this guide. Please see Installing Apache on Ubuntu 18.04 / 19.10.
Cloudflare Users: Note that you may not need Let’s Encrypt at all and can instead use Cloudflare’s own shared Universal SSL certificate together with an Origin CA certificate on the server. If you want to keep Cloudflare and also use Let’s Encrypt, pause Cloudflare now, otherwise its proxy interferes with the http-01 challenge used to issue the certificate. Once the Let’s Encrypt cert is deployed, unpause Cloudflare and set SSL to Full (Strict) in the Cloudflare Crypto settings; with a weaker mode such as Flexible, Cloudflare connects to your server over plain HTTP and the HTTPS redirect configured below produces a redirect loop. Be warned that automatic renewal (which certbot attempts about 60 days after issuance, see section 4) may fail while Cloudflare is enabled, so test it with sudo certbot renew --dry-run after unpausing, and pause Cloudflare again for the renewal if it does.
1. Install Let’s Encrypt client (Certbot)
Let’s begin by updating the package lists and installing software-properties-common, which provides the add-apt-repository command used in the next step. Commands separated by && run in sequence, and each one runs only if the command before it succeeded.
sudo apt-get update && sudo apt-get install software-properties-common
Now add the universe repository and the certbot PPA. Note that this PPA is only published for some Ubuntu releases (it does not support 20.04 “focal”); on a release it does not support, install certbot from the distribution’s own packages instead.
sudo add-apt-repository universe && sudo add-apt-repository ppa:certbot/certbot
Press ENTER if prompted.
Update the package lists again and install certbot together with its Apache plugin. Certbot is the Let’s Encrypt (ACME) client that requests the certificate and installs it into Apache.
sudo apt-get update && sudo apt-get install certbot python-certbot-apache
Press y and ENTER when prompted to continue.
2. Get an SSL Certificate
We will now obtain a cert for our test domain example.com. Certbot has an Apache plugin, which automates the certificate installation.
sudo certbot --apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
Enter an email address where you can be contacted in case of urgent renewal and security notices.
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:
Press a and ENTER to agree to the Terms of Service; registration with the ACME server requires it.
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:
Press n and ENTER if you would rather not share your email address with the EFF. Either answer has no effect on the certificate.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: example.com
2: www.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
If you have multiple domains already configured on your server, you will see all of them listed here. In this example we only have one domain, example.com, and its www. prefix. Leave the input blank to cover both names with one certificate; that is what you want in almost every case, because a certificate for www.example.com alone does not cover https://example.com (and vice versa), and browsers will warn on whichever name is missing. Select only option 1 if the www. name is not meant to be used at all.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/example.com-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/example.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/example.com-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Press 2 and ENTER to redirect all HTTP traffic to HTTPS. Certbot adds a RewriteRule for this to your existing port-80 virtual host, as the next line of output shows, and leaves the new SSL virtual host to serve the site.
Redirecting vhost in /etc/apache2/sites-enabled/example.com.conf to ssl vhost in /etc/apache2/sites-available/example.com-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://example.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You’re done!
3. Test SSL
You can now go to ssllabs.com/ssltest/ and run an SSL test on your domain. Make sure Cloudflare is paused (if you use it) so the test reaches your server directly.
A correctly deployed Let’s Encrypt certificate with certbot’s default Apache settings should receive an A rating. A lower grade usually points to the Apache TLS configuration (protocols, ciphers, an incomplete chain) rather than to the certificate itself.
4. Auto Renewal
Let’s Encrypt certificates expire after 90 days, so they must be renewed regularly. The certbot package installs a systemd timer (with a cron job as a fallback for systems without systemd) that runs certbot renew twice a day. Each run renews only the certificates that are within 30 days of expiry, and for certificates installed with the Apache plugin it reloads Apache afterwards so the new certificate is actually served.
To test that this renewal process is working correctly, without actually renewing anything or counting against Let’s Encrypt rate limits, you can run:
sudo certbot renew --dry-run
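As an added example that is not part of the original tutorial or of certbot, the script below reproduces certbot’s renewal decision (renew when 30 days or fewer remain) for any PEM certificate using only openssl. It reads /etc/letsencrypt/live/<domain>/cert.pem if that directory exists; the <domain> placeholder and the two self-signed test certificates it otherwise generates are assumptions for the demo, not files from the page.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial or certbot): reproduce
# certbot's renewal decision for any PEM certificate with plain openssl,
# so "certbot renew" saying "not due for renewal" for a fresh cert is no
# surprise. Certbot keeps each deployed certificate at
# /etc/letsencrypt/live/<domain>/cert.pem (<domain> is a placeholder);
# that directory is read when present, otherwise two constructed
# self-signed certificates are checked instead.
set -u

RENEW_WINDOW_DAYS=30   # certbot's default: renew when <= 30 days remain

# needs_renewal <cert.pem> [window_days]
# exit 0 = expires within the window (renew), 1 = still fine, 2 = unreadable
needs_renewal() {
  local cert="$1" window="${2:-$RENEW_WINDOW_DAYS}"
  openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
  # -checkend N exits 0 if the cert is still valid N seconds from now,
  # 1 if it expires (or has already expired) before then
  if openssl x509 -noout -in "$cert" -checkend $(( window * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# not_after <cert.pem>: print the notAfter date as openssl formats it
not_after() {
  openssl x509 -noout -enddate -in "$1" | cut -d= -f2-
}

# report <cert.pem>: one status line per certificate
report() {
  local cert="$1" rc=0
  needs_renewal "$cert" || rc=$?
  case "$rc" in
    0) echo "RENEW      $cert (expires $(not_after "$cert"))" ;;
    1) echo "OK         $cert (expires $(not_after "$cert"))" ;;
    *) echo "UNREADABLE $cert" ;;
  esac
  return 0
}

# make_test_cert <out.pem> <days>: constructed self-signed cert for the demo
make_test_cert() {
  local out="$1" days="$2" tmpkey
  tmpkey=$(mktemp)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmpkey" \
    -subj "/CN=example.com" -days "$days" -out "$out" >/dev/null 2>&1
  rm -f "$tmpkey"
}

main() {
  if [ -d /etc/letsencrypt/live ]; then
    for cert in /etc/letsencrypt/live/*/cert.pem; do
      [ -e "$cert" ] && report "$cert"
    done
  else
    local tmp
    tmp=$(mktemp -d)
    make_test_cert "$tmp/expiring-soon.pem" 10   # inside the 30-day window
    make_test_cert "$tmp/fresh.pem" 90           # like a just-issued LE cert
    report "$tmp/expiring-soon.pem"
    report "$tmp/fresh.pem"
    rm -rf "$tmp"
  fi
}

main
```

On Ubuntu 18.04 the certbot package’s systemd timer is what actually runs the renewals; systemctl list-timers certbot.timer shows when the next run is due, and certbot certificates prints certbot’s own view of each certificate’s names and expiry date.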
Cloudflare Users
Please ensure your Cloudflare SSL settings are correct: log in to Cloudflare, go to Crypto and make sure SSL is set to Full (Strict), then unpause Cloudflare.
As noted in the prerequisites, automatic renewal may fail while Cloudflare is enabled, so test it with sudo certbot renew --dry-run once Cloudflare is back on, and pause Cloudflare again for the renewal if it fails.
Great article, helped me out a lot. Thank you.
sudo add-apt-repository universe && sudo add-apt-repository ppa:certbot/certbot ==> Cannot add PPA: “This PPA does not support focal”.
Thank you very much for the proper input of information, not only for certbot but for setting up domains and a website for my server. I am kinda new to this server thing, trying to save my wife and me some money by hosting our own sites on our own server. I have been studying for a year now and you have been by far the most helpful and accurate person who has shared information that was honest. Again, thank you….
Many thanks, Bob!
Thanks for this clear and precise tutorial, and above all an up-to-date one!
Excellent post! I followed all the steps and my site is secured; however, when I access the URL it still defaults to “http”. If I add “https” I get the typical “Index of” listing. It is as if there were two parallel folders… could you help me?
I think you need to look at
/etc/apache2/sites-available/misitio.conf
DocumentRoot /var/www/…
ServerName misitio
RewriteEngine on
RewriteCond %{SERVER_NAME} =misitio
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
**
DocumentRoot /var/www/…
ServerName misitio
…
It looks as if there were no DocumentRoot or VirtualHost *:443…
Good luck Michaela
Any reason why I get this?
Failed authorization procedure. mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.com/.well-known/acme-challenge/NQxXljRoQNXYlOGsGn34uISlcgLgxvPrQ60q_6eM-O4 [2001:4860:4802:34::15]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\" \"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">\n<html xmlns=\"http://www.w3.org"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mydomain.com
Type: unauthorized
Detail: Invalid response from
http://mydomain.com/.well-known/acme-challenge/NQxXljRoQNXYlOGsGn34uISlcgLgxvPrQ60q_6eM-O4
[2001:4860:4802:34::15]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML
Hi Thank you for your articles, they really helped me. I was able to deploy a DO droplet from 0 knowledge of programming systems
cheers
Great! 😎
Hi, I get the error (when I run the “sudo certbot --apache” command) that my virtual host domain (like example.com) is unauthorized… what do I have to do?
Can you paste the entire error minus your domain please?
I get the error:
Incorrect certificate because this client doesn’t support SNI
Can anybody help me please?
Thanks a lot
Very nice tutorial! Thank you!
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
Can you access your domain through the browser without SSL? Because if not, you need to ensure your site is up and serving pages before running Certbot.
Very useful article!
I’m new to SSL certificates, so maybe this is an inane question. My ISP blocks servers (without a specialized account), so I don’t have the ability to use a real URL. Is any way to get an SSL cert to work on http://localhost/ ?
No. In order to obtain a valid SSL cert, it has to be a real domain online.
Hi, thank you for the tutorial.
How would I go about it if I just want to get a certificate for a subdomain? If I know the subdomain that I will use, do I type it or use the wildcard?
I’m thinking something like this but I’m not too sure:
sudo certbot --apache -d sub.example.com -d www.example.com
Thanks again!
Just use
sudo certbot --apache -d sub.example.com
and drop the -d www.example.com. Assuming you pass the verification, you’ll get a certificate only for sub.example.com.
Good stuff, thank you!
I entered the following:
sudo certbot --apache -d devtest1.com -d www.devtest1.com -d www.example.com
I entered my email. I agreed to the terms and conditions. I said no to EFF. But then I couldn’t obtain any certificate:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for devtest1.com
http-01 challenge for www.devtest1.com
http-01 challenge for www.example.com
Should be
Where example.com is your own domain.
thanks for the reply. I went back and tried that. Got this for both domains:
Failed authorization procedure...
IMPORTANT NOTES:
-The following errors were reported by the server:
Domain: www.pilbemaps.com
Type: None
Details: DNS problem: NXDOMAIN looking up A for www.pilbeamaps.com
I started over from the top of this page. Same thing. I did a:
sudo apt autoremove
then started from the top again. Same error.
The guides @DevAnswers are the best I have ever seen. I have been able to get my site up and running and secure thanks to this site. Cannot praise you guys enough. Thanks. By the way, I was prompted for my email.
Brilliant, thanks for that. So much easier than the way I have done it before.
For me, it didn’t ask me for my e-mail address. Maybe they just send it to the “domain”? I simply got this message.
IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/**********/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/**********/privkey.pem
Your cert will expire on 2018-12-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the “certonly” option. To non-interactively renew all of
your certificates, run “certbot renew”
Yes, they’ve improved certbot a lot over the past year. Much easier to set up now.
I’m not sure why it’s not asking for email though, perhaps they changed it, or if you’ve run certbot before it might already have your email.
Excellent article. I have one query. I have set up two domains on a single DigitalOcean droplet. I installed Let’s Encrypt SSL on both domains. Now https://Domain1.com works fine but https://Domain2.com shows the content of https://Domain1.com. Both work fine on the HTTP version, but I get the above issue when I open them over HTTPS. After spending a whole day on Google, I found that there is some problem with the configuration in the 000-default.conf file but I don’t know what the proper configuration is.
Any help would save me another day.
Thank you
It could be many things and very difficult to know without looking at your setup, but most probably your virtual hosts aren’t configured properly.
All I can suggest is that you start from scratch and follow my guide Installing Apache on Ubuntu 18.04 with Multiple Domains, then come back to this guide and run Certbot again to obtain your certs. Certbot should find your multiple domains and configure your Apache virtual hosts for you.
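An added example (not from the page, the commenter or the certbot project) that checks for the situation described in this comment: a domain with a port-80 virtual host but no port-443 one, which makes Apache answer https://Domain2.com with the first SSL virtual host it loaded, i.e. Domain1’s content. It reads /etc/apache2/sites-enabled when that directory exists; the domain1.com and domain2.com files it otherwise writes are constructed for the demo and are assumptions, not files from the page.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or certbot): list names that
# Apache serves on port 80 but that have no matching port-443 virtual
# host. Reads /etc/apache2/sites-enabled/*.conf when present, otherwise
# a constructed set of vhost files (assumed names domain1.com/domain2.com)
# that reproduces the "second domain shows the first domain over https"
# problem.
set -u

# names_on_port <port> <conf files...>
# Print every ServerName/ServerAlias declared inside <VirtualHost ...:port>
# blocks of the given files, one per line, sorted and de-duplicated.
names_on_port() {
  local port="$1"; shift
  awk -v port="$port" '
    /^[ \t]*<VirtualHost[ \t>]/ { inblk = ($0 ~ (":" port "[ \t]*>")) }
    /^[ \t]*<\/VirtualHost>/    { inblk = 0 }
    inblk && /^[ \t]*(ServerName|ServerAlias)[ \t]/ {
      for (i = 2; i <= NF; i++) print $i
    }
  ' "$@" | sort -u
}

# missing_ssl_vhosts <conf files...>
# Names present in some :80 vhost but absent from every :443 vhost.
missing_ssl_vhosts() {
  local a b
  a=$(mktemp); b=$(mktemp)
  names_on_port 80  "$@" > "$a"
  names_on_port 443 "$@" > "$b"
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# write_demo_config <dir>: constructed vhosts. domain1 has the :80 vhost
# certbot rewrote plus the -le-ssl.conf it created; domain2 only has :80.
write_demo_config() {
  local dir="$1"
  cat > "$dir/domain1.conf" <<'EOF'
<VirtualHost *:80>
    ServerName domain1.com
    ServerAlias www.domain1.com
    DocumentRoot /var/www/domain1.com
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =domain1.com [OR]
    RewriteCond %{SERVER_NAME} =www.domain1.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF
  cat > "$dir/domain1-le-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName domain1.com
    ServerAlias www.domain1.com
    DocumentRoot /var/www/domain1.com
    SSLCertificateFile /etc/letsencrypt/live/domain1.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain1.com/privkey.pem
</VirtualHost>
</IfModule>
EOF
  cat > "$dir/domain2.conf" <<'EOF'
<VirtualHost *:80>
    ServerName domain2.com
    ServerAlias www.domain2.com
    DocumentRoot /var/www/domain2.com
</VirtualHost>
EOF
}

main() {
  local dir
  if [ -d /etc/apache2/sites-enabled ]; then
    dir=/etc/apache2/sites-enabled
  else
    dir=$(mktemp -d)
    write_demo_config "$dir"
  fi
  echo "Names served on :80 with no :443 virtual host in $dir:"
  missing_ssl_vhosts "$dir"/*.conf
  # The fix is to run certbot again for exactly those names, e.g.
  #   sudo certbot --apache -d domain2.com -d www.domain2.com
  # which writes and enables the missing domain2-le-ssl.conf.
}

main
```

The check looks only at names, not at whether the SSL vhost points at the right DocumentRoot, so after certbot has written the missing file it is still worth confirming with apachectl -S that each name maps to the virtual host you expect on both ports.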
Excellent, thanks for this 😉
Hmmm, pity! 🙁 I got an error on the website.
Assessment failed: Unable to connect to the server
SSL Labs can’t access your server. Can you access your server in the browser with the SSL padlock? Also test for SSL yourself using this guide:
https://devanswe.rs/test-server-tls-1-2-ubuntu/
Excellent tutorial. Concise and to the point.
Thank you muchly.
👍
Hello, good night. Congratulations on the tutorial; sharing knowledge changes the world.
I have 1 domain and 2 subdomains, and I will probably have more. Do I have to make a configuration for each domain, or can I use the .conf parameters for the same domains?
Excellent tutorial, thanks
No probs!