How to Install Let’s Encrypt with Apache2 on EC2 Ubuntu 18.04

July 11, 2020 | By Gerald | Filed in: AWS.

In this tutorial, you will learn how to install Let’s Encrypt with Apache2 on an EC2 Ubuntu 18.04 server.

Let’s Encrypt is an automated and open certificate authority (CA) run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). An SSL certificate helps you secure websites that handle credit card transactions, logins, and other sensitive information in transit.

To obtain an SSL certificate for your website, you need to install a third-party agent called Certbot. Certbot provides an easy way to obtain and install trusted certificates for free from Let’s Encrypt. With an SSL certificate you can establish a secure, encrypted connection between a web server and a client browser.

What you will do

  1. Installing Apache2 web server
  2. Installing Certbot and Apache plugins for Certbot
  3. Configuring Apache virtual host
  4. Obtaining an SSL Certificate with Let’s Encrypt
  5. Verify your website and Apache virtual host configuration
  6. Renewal of SSL Certificate

Requirements

This guide walks you step by step through installing Let’s Encrypt with Apache2 on an EC2 Ubuntu 18.04 server.


Step 1. Installing Apache2 web server

Open a terminal on your system and connect to your EC2 Ubuntu 18.04 server over SSH. On the remote server, install the latest version of the Apache2 web server.

To install the latest Apache web server, add the official package repository to your system:

sudo add-apt-repository ppa:ondrej/apache2 

And then install the following:

sudo apt update && sudo apt-get install apache2 -y

After installation, verify your Apache2 version by running:

sudo apache2ctl -v

Output:

Server version: Apache/2.4.41 (Ubuntu)
Server built:   2020-06-02T20:30:26

Step 2. Installing Certbot and Apache plugins for Certbot

Before running the installation, add the official package repository to your Ubuntu system:

sudo add-apt-repository ppa:certbot/certbot

Update the package index to pick up the latest package versions.

sudo apt update

Then install Certbot and the Apache plugin for Certbot:

sudo apt install certbot python3-certbot-apache -y

After the installation completes, verify that Certbot is installed properly.

which certbot

Output:

/usr/bin/certbot

Step 3. Configuring Apache Virtual Host

Open your Apache2 configuration files at /etc/apache2/sites-available/.

cd /etc/apache2/sites-available

Modify the default vhost file using the vim text editor.

sudo vim 000-default.conf

Press dG to delete all lines, then press i to insert new text.

We assume that you are deploying a WordPress website. Copy the example virtual host entry below and paste it into your default vhost file:

Then save and exit the file.

Next, run apache2ctl configtest to check your virtual host configuration:

sudo apache2ctl configtest

If everything is fine, reload your Apache2 service to apply the new changes.

sudo service apache2 reload

Note: You cannot obtain an SSL certificate for a bare IP address, so make sure you have a domain name associated with your public IP address.

Now open your web browser and enter your site domain name.

If you can browse your website over HTTP, then your website is ready to obtain a new SSL certificate.

Step 4. Obtaining an SSL Certificate with Let’s Encrypt

There are two ways to obtain an SSL certificate with Certbot.

Option 1: Run this command if you want Certbot to edit your Apache virtual host file and turn on HTTPS access automatically in a single step.

sudo certbot --apache

Option 2: Run this command to obtain a certificate only, if you’re feeling more conservative and would like to make the changes to your Apache configuration by hand.

sudo certbot certonly --apache

In this tutorial, I will choose option (1).

To obtain a new SSL certificate from Let’s Encrypt, run the command:

sudo certbot --apache

At the prompt, provide your email address, which is used for renewal and security notices:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): hello@gmail.com

Next, type A to agree to the Let’s Encrypt Terms of Service.

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory
 
(A)gree/(C)ancel: A

Next, if you want to receive updates from Let’s Encrypt, type Y (yes).

Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: Y

Then select the domain names you would like to generate an SSL certificate for. In this tutorial, I will leave the input blank to automatically select all my domain names and hit Enter to continue.

Which names would you like to activate HTTPS for?
 
 1: example.com
 2: www.example.com
 
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):

Output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification…
Cleaning up challenges

Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf

Next, choose the Redirect option, because I am confident that my site works on HTTPS.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
 
 1: No redirect - Make no further changes to the webserver configuration.
 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
 
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Output:

Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

Congratulations! You have successfully enabled https://example.com and
https://www.example.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
 
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at: /etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-11-30. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew all of your certificates, run "certbot renew"
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

See: https://certbot.eff.org/docs/using.html

Step 5. Verify your website and Apache virtual host configuration

Now go to your Apache site configuration directory at /etc/apache2/sites-available to verify your site configuration files.

cd /etc/apache2/sites-available

Then run the ls command to check for the new site file.

ls

Output:

000-default.conf
000-default-le-ssl.conf

You will see that a new SSL virtual host file named 000-default-le-ssl.conf has been added automatically.

To view the file, use the cat command:

cat 000-default-le-ssl.conf

Output:

<IfModule mod_ssl.c>
<VirtualHost *:443>
     ServerAdmin webmaster@example.com
     DocumentRoot /var/www/wordpress
     ServerName example.com
     ServerAlias www.example.com

     <Directory /var/www/wordpress/>
        Options +Includes
        Options +FollowSymlinks -Indexes
        AllowOverride All
        Require all granted
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule>

This file was auto-generated from a copy of our default port 80 virtual host. It contains the important SSL configuration lines, which point to the Let’s Encrypt certificate directory populated earlier by Certbot.

Next, view the content of the 000-default.conf file:

cat 000-default.conf

Output:

<VirtualHost *:80>
     ServerAdmin webmaster@example.com
     DocumentRoot /var/www/wordpress
     ServerName example.com
     ServerAlias www.example.com

     <Directory /var/www/wordpress/>
        Options +Includes
        Options +FollowSymlinks -Indexes
        AllowOverride All
        Require all granted
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example.com [OR]
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

You will see the newly added rewrite lines in the port 80 virtual host file. They automatically redirect visitors who arrive over HTTP to HTTPS.

After all of the above, make sure that the Apache virtual host configuration is working properly. To test the Apache configuration, run the command:

sudo apache2ctl configtest

If everything is fine, restart your Apache2 service to apply the new changes.

sudo service apache2 restart

Now open your web browser and enter your web server’s domain name, https://example.com/.

Secured SSL Certificate with Lets Encrypt
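The manual comparison of the two vhost files in this step can also be scripted. The following is an added example, not part of the original article: it assumes the file names shown above, uses hypothetical function names, and runs against a constructed sample reduced from the cat output.

```shell
# Added example (not from the original article): static consistency check of
# the two vhost files Certbot leaves in sites-available. File names follow the
# article; the function names are hypothetical.

# directive_value NAME FILE -> first argument of the first NAME directive
directive_value() {
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# audit_vhosts DIR -> one line per finding; exit status is the finding count
audit_vhosts() (
    http="$1/000-default.conf"
    ssl="$1/000-default-le-ssl.conf"
    n=0
    fail() { echo "FINDING: $1"; n=$((n + 1)); }
    name=$(directive_value ServerName "$ssl")
    cert=$(directive_value SSLCertificateFile "$ssl")
    key=$(directive_value SSLCertificateKeyFile "$ssl")

    grep -Eq '^[[:space:]]*RewriteRule[[:space:]].*https://.*R=(permanent|301)' "$http" ||
        fail "port 80 vhost has no permanent redirect to HTTPS"
    grep -q '<VirtualHost \*:443>' "$ssl" ||
        fail "no *:443 vhost in $ssl"
    [ -n "$name" ] && [ "$name" = "$(directive_value ServerName "$http")" ] ||
        fail "ServerName missing or different between the two vhosts"
    case $cert in
        /etc/letsencrypt/live/*/fullchain.pem) ;;
        *) fail "SSLCertificateFile is not a live fullchain.pem" ;;
    esac
    [ "${cert%/*}" = "${key%/*}" ] && [ "${key##*/}" = privkey.pem ] ||
        fail "SSLCertificateKeyFile is not privkey.pem next to the certificate"
    exit "$n"
)

# Constructed sample input, reduced from the cat output shown in this step.
make_sample() {
    printf '%s\n' '<VirtualHost *:80>' '  ServerName example.com' \
        '  RewriteEngine on' \
        '  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]' \
        '</VirtualHost>' > "$1/000-default.conf"
    printf '%s\n' '<VirtualHost *:443>' '  ServerName example.com' \
        '  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem' \
        '  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem' \
        '</VirtualHost>' > "$1/000-default-le-ssl.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_vhosts "$tmp" && echo "vhosts are consistent"
rm -rf "$tmp"
```

On the server, run audit_vhosts /etc/apache2/sites-available after apache2ctl configtest; configtest checks syntax only, while this catches a missing redirect or a certificate path that is not the live fullchain.pem.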

Step 6. Renewal of SSL Certificate

Let’s Encrypt certificates are valid for only 90 days, so you will need to renew them to get a new certificate.

If you run only one domain on your web server, you can easily manage the renewal of your SSL certificate with a Linux crontab job.

To schedule renewal of your certificate, edit root’s crontab (certbot renew must run as root):

sudo crontab -e

Add the following line at the bottom of the file.

@daily /usr/bin/certbot renew >> /var/log/letsencrypt-renew.log

Save and close the file.

Note: You can choose your own schedule for the crontab entry. When certbot recognizes that your certificate is about to expire, it automatically attempts to renew it.

If you want to set up a specific schedule in crontab, build your cron expression at https://crontab.guru/.

Crontab Guru

Then reload the cron service to apply the new changes:

sudo service cron reload
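A cron job can fail silently, so it is worth checking the certificate itself. The following is an added example, not part of the original article: cert_status and make_sample_cert are hypothetical names, the 30-day default is an assumption based on Certbot's default renewal window, and the sample certificate is a constructed self-signed one.

```shell
# Added example (not from the original article): report whether a certificate
# is inside the renewal window, so a silently failing cron job gets noticed.
# Assumption: 30 days matches Certbot's default renew-before-expiry window.

# cert_status PEM [DAYS] -> prints ok | renew | expired | unreadable
cert_status() (
    pem=$1
    days=${2:-30}
    # Run openssl x509 on the file; extra arguments select the check.
    check() { openssl x509 -noout -in "$pem" "$@" >/dev/null 2>&1; }
    if ! check; then
        echo unreadable            # missing file or not a PEM certificate
    elif ! check -checkend 0; then
        echo expired               # notAfter is already in the past
    elif ! check -checkend "$((days * 86400))"; then
        echo renew                 # expires within DAYS days
    else
        echo ok
    fi
)

# Constructed sample: a throwaway self-signed certificate valid for $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -days "$2" -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp" 90
echo "fresh 90-day certificate: $(cert_status "$tmp/fullchain.pem")"
rm -rf "$tmp"
```

On the server, run it as root against /etc/letsencrypt/live/example.com/fullchain.pem; a result of renew that persists for more than a day or two means the scheduled certbot renew is not succeeding.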

If you have more than one domain on your web server, you can use my custom renewal script on GitHub.

https://github.com/imgeraldalinio/certbot/blob/master/renew-ssl-cert.sh

That’s all.

I hope this tutorial helped you. Feel free to use the comment section below for more suggestions.

3 comments on “How to Install Let’s Encrypt with Apache2 on EC2 Ubuntu 18.04”

  1. mukesh jethva says:

    I ran this command: certbot --apache -d linuxbuz.com

    I am getting the following error:

    IMPORTANT NOTES:

    The following errors were reported by the server:

    Domain: linuxbuz.com
    Type: connection
    Detail: Fetching
    https://linuxbuz.com/.well-known/acme-challenge/ewpBCX7N0nzDyBZZILYP-y9sKHI4seFGac4Se7TpwfA:
    Connection refused

  2. Bryan Paz says:

    Hello. I have several websites on an apache server. I am using the configuration site1.conf, site2.conf and so on. How can I manage certificates? Since sometimes I get a 404 error on WordPress sites, sometimes only the home page works and the subpages don’t work.

    I am using CloudFlare on my domains. I realized that in some cases, passing them in Flexible SSL solves it, but in others I must pass them in “Full”

    Thanks in advance for the help.
