How to configure a free SSL certificate with Certbot and Let’s Encrypt on Ubuntu Linux 20.04 LTS with Apache.

Adam Jurkiewicz Pythonista
Oct 1, 2023

In this article we will install an SSL certificate for our website on a server running Ubuntu Linux 20.04 LTS with the Apache web server.

Last step — properly configured website.

Let’s Encrypt: an easy and free service.

We can read on the page (https://letsencrypt.org/about/):

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

The key principles behind Let’s Encrypt are:

Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.

Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.

Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.

Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.

Open: The automatic issuance and renewal protocol is published as an open standard that others can adopt.

Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

Prerequisites for our task

We need to be sure that DNS A records are configured for the full hostnames, in this case two names:

  • linux-admin.jurkiewicz.tech
  • www.linux-admin.jurkiewicz.tech

In the Apache website config file we have to set our names:

root@linux-admin:~# vim /etc/apache2/sites-enabled/000-default.conf
#
<VirtualHost *:80>
ServerName linux-admin.jurkiewicz.tech
ServerAlias www.linux-admin.jurkiewicz.tech
</VirtualHost>

After that, to be sure that everything is OK, wait about one hour for DNS propagation, then reload Apache and check its status:

root@linux-admin:~# systemctl reload apache2.service
#
root@linux-admin:~# systemctl status apache2.service
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2023-09-30 16:20:31 CEST; 1h 24min ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 821 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Process: 1716 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
Main PID: 869 (apache2)
Tasks: 12 (limit: 2220)
Memory: 85.4M
CPU: 13.912s
CGroup: /system.slice/apache2.service
├─ 869 /usr/sbin/apache2 -k start
├─2953 /usr/sbin/apache2 -k start
├─3012 /usr/sbin/apache2 -k start
├─3017 /usr/sbin/apache2 -k start
├─3020 /usr/sbin/apache2 -k start
├─3148 /usr/sbin/apache2 -k start
├─3149 /usr/sbin/apache2 -k start
├─3182 /usr/sbin/apache2 -k start
├─3214 /usr/sbin/apache2 -k start
├─3215 /usr/sbin/apache2 -k start
├─3234 /usr/sbin/apache2 -k start
└─3235 /usr/sbin/apache2 -k start

Sep 30 16:20:31 linux-admin.jurkiewicz.tech systemd[1]: Starting The Apache HTTP Server...

We also have to be sure that ports 80 (http) and 443 (https) are open:

root@linux-admin:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

Why allow traffic on port 80 (http)? Because Certbot uses it to validate the domain when it obtains and deploys a new SSL certificate.

Installing Certbot software

In order to deploy our certificate, we first have to install Certbot on our server, which is easy:

root@linux-admin:~# apt install certbot python3-certbot-apache 
#
#
# Checking installed software
root@linux-admin:~# dpkg -l | grep certbot
ii certbot 1.21.0-1build1 all automatically configure HTTPS using Let's Encrypt
ii python3-certbot 1.21.0-1build1 all main library for certbot
ii python3-certbot-apache 1.21.0-1 all Apache plugin for Certbot
root@linux-admin:~#

Deploying — just 2 minutes.

Creating and deploying a certificate for a domain prepared this way takes just one command:

root@linux-admin:~# certbot --apache

We have to answer some questions, and after a few minutes we are done.

Successfully deployed certificate for linux-admin.jurkiewicz.tech to /etc/apache2/sites-available/000-default-le-ssl.conf
Successfully deployed certificate for www.linux-admin.jurkiewicz.tech to /etc/apache2/sites-available/000-default-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://linux-admin.jurkiewicz.tech and https://www.linux-admin.jurkiewicz.tech

That is it! Great Job….

We can check https://linux-admin.jurkiewicz.tech

It is worth mentioning how it works that, if you type http://linux-admin.jurkiewicz.tech, the address is rewritten to https://linux-admin.jurkiewicz.tech

We should look at the configuration file, where there is a RewriteRule:

root@linux-admin:~# vim /etc/apache2/sites-enabled/000-default.conf
#
# Inside
<VirtualHost *:80>
# [...]
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.linux-admin.jurkiewicz.tech [OR]
RewriteCond %{SERVER_NAME} =linux-admin.jurkiewicz.tech
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
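
A way to confirm the redirect behaves as the RewriteRule above intends, as an added example that is not part of the original article. The function name `redirect_ok` and the sample responses are constructed for illustration; the live call assumes `curl` is installed.

```shell
#!/bin/sh
# Added example (not from the article): check that the port-80 vhost
# redirects to HTTPS the way the RewriteRule above is meant to.

# redirect_ok <host> <path>
# Reads response headers ("curl -sI" format) on stdin. Succeeds only when the
# status is 301 (R=permanent) and Location is exactly https://<host><path>,
# i.e. same host, same path, no detour through another site.
redirect_ok() {
    tr -d '\r' | awk -v want="https://$1$2" '
        NR == 1                    { status = $2 }
        tolower($1) == "location:" { loc = $2 }
        END { exit !(status == "301" && loc == want) }'
}

# Constructed sample responses (not captured from the real server).
GOOD='HTTP/1.1 301 Moved Permanently
Location: https://linux-admin.jurkiewicz.tech/docs/index.html'
TEMPORARY='HTTP/1.1 302 Found
Location: https://linux-admin.jurkiewicz.tech/docs/index.html'
NO_REDIRECT='HTTP/1.1 200 OK
Content-Type: text/html'

# Live use, once per name from ServerName/ServerAlias:
# curl -sI "http://$host$path" | redirect_ok "$host" "$path"
```

A failure for either hostname means plain-HTTP visitors are not being moved to HTTPS, or are being sent somewhere other than the same host and path.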

Automatic renewal of our certificate

Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process, as well as to ensure that misused certificates or stolen keys will expire sooner rather than later.

The certbot package you installed takes care of renewals by including a renew script in /etc/cron.d, which is managed by a systemd timer unit called certbot.timer. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

After deploying the certificate, all we have to do is check that the timer is active.

root@linux-admin:~# systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Sat 2023-09-30 16:20:29 CEST; 35min ago
Trigger: Sun 2023-10-01 09:50:35 CEST; 16h left
Triggers: ● certbot.service

Sep 30 16:20:29 linux-admin.jurkiewicz.tech systemd[1]: Started Run certbot twice daily.

If we want to see more detailed information, we can do:

root@linux-admin:~# systemctl show certbot.timer
Unit=certbot.service
TimersCalendar={ OnCalendar=*-*-* 00,12:00:00 ; next_elapse=Sun 2023-10-01 00:00:00 CEST }
OnClockChange=no
OnTimezoneChange=no
NextElapseUSecRealtime=Sun 2023-10-01 09:50:35 CEST
[........]

We can run a test of the automatic renewal. This is recommended, to make sure there are no mistakes.

root@linux-admin:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/linux-admin.jurkiewicz.tech.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for linux-admin.jurkiewicz.tech and www.linux-admin.jurkiewicz.tech

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/linux-admin.jurkiewicz.tech/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all simulated renewals succeeded!

We have everything we need!
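
The dry run only proves that renewal works today. The following added example (not code from the original article) checks the live certificate against the thirty-day renewal window described above, so a silently failing timer is noticed before the certificate expires. The function names and the sample date are constructed; the script assumes GNU `date` and the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the article): flag a certificate that certbot.timer
# should already have renewed. Assumes GNU date and the openssl CLI.

RENEW_WINDOW_DAYS=30   # certbot renews when fewer than 30 days remain

# Constructed sample value in "openssl x509 -enddate" format,
# not read from the real certificate.
SAMPLE_NOT_AFTER="Dec 29 14:20:31 2023 GMT"

# secs_left "<notAfter date>" <now_epoch>  -> seconds until expiry
secs_left() {
    expiry=$(date -u -d "$1" +%s) || return 2
    echo $(( expiry - $2 ))
}

# renewal_state <seconds_left>
#   OK       outside the renewal window, nothing to do yet
#   OVERDUE  inside the window: automatic renewal has not happened
#   EXPIRED  certificate is no longer valid
renewal_state() {
    if [ "$1" -le 0 ]; then
        echo EXPIRED
    elif [ "$1" -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        echo OVERDUE
    else
        echo OK
    fi
}

# check_cert <fullchain.pem>  -> prints a one-line report, non-zero unless OK
check_cert() {
    end=$(openssl x509 -in "$1" -noout -enddate) || return 2
    left=$(secs_left "${end#notAfter=}" "$(date +%s)") || return 2
    state=$(renewal_state "$left")
    echo "$1: $(( left / 86400 )) days left, $state"
    [ "$state" = OK ]
}

# On the server from the article (run as root, live/ is restricted):
# check_cert /etc/letsencrypt/live/linux-admin.jurkiewicz.tech/fullchain.pem
```

A certificate that has only just entered the window can report OVERDUE until the next twice-daily timer run, so alert on the state persisting rather than on a single reading.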

Zabbix dashboard with SSL Certificate information.
