Setup Let’s Encrypt Free SSL For Apache and Nginx on Ubuntu 20.04

Setup Let’s Encrypt Free SSL For Apache and Nginx on Ubuntu 20.04

Let’s Encrypt is a Certificate Authority which provides free SSL. The free SSL requires renewal after 3 months. However, most of the process is automatic and doesn’t require manual configuration.

In this tutorial, we will configure Let’s Encrypt Free SSL for Apache2  and Nginx on Ubuntu 20.04. The official Certbot repository on Ubuntu 20.04 has some bugs, we will try to cover all the issues and alternative methods to fix them.  Now without wasting any more time let’s begin with the configuration.

If you haven’t installed LAMP stack on Ubuntu then you can follow this tutorial.

Setup LAMP stack on Ubuntu 20.04

 

Let’s Encrypt SSL configuration for Apache2 on Ubuntu 20.04

 

Step 1:  Install Let’s Encrypt Client “Certbot” on Ubuntu 20.04

Before getting started with the SSL configuration for Apache2, we need to install a Certbot client on Ubuntu 20.04.  Execute the following command on the terminal.

sudo apt install certbot python3-certbot-apache -y

Now we have Certbot Client installed on the Ubuntu server. Before we fetch the SSL certificate for Apache, we need to make sure that we have Apache virtual host enabled and 443 Port active for incoming connections.

Step 2: Enabling incoming Connections for HTTPS through Firewall

If you have ufw enabled on your server then execute the following command on the terminal to verify what kind of traffic is allowed on your server.

sudo ufw status

the output of this command is going to following.

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Apache                     ALLOW       Anywhere             
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Apache (v6)                ALLOW       Anywhere (v6)

We can see that Apache is only listening on port 80. Now to add the HTTPS port on the firewall, we just need to allow the “Apache FULL” profile and remove the existing rule for  Apache. Execute the following command on the server.

sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'

Now let’s verify if the new rule is active or not.

sudo ufw status

The output of this command should be

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Apache Full                ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Apache Full (v6)           ALLOW       Anywhere (v6)        

Now apache is listening on 443 SSL port.  We are ready to fetch SSL for the Apache virtual host now.

sudo certbot --apache

The above command will initiate the SSL obtaining process and the script will ask you a series of questions. Let’s cover them step by step.

The script will ask you for your email, this is important for renewing your SSL certificate. Simply add the email address you want and hit the “Enter ” button.

Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): Your-EMail-Address

 

The next step is to Agree with the Let’s Encrypt Terms of Service. Add value “A” in the console to agree and hit the “Enter ” button.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

The next prompt will ask you if you want to share your email will Electonic Frontier. Simply add “N” if you don’t want to share your email.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

 

The next step is very important, we need to decide if we need SSL for the “ServerName ” variable in the apache virtual host file or “ServerAlias”. It’s better to select both, so just simply hit the “Enter” button. This will obtain the SSL certificate for both the Variables.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Your-DomainName or ServerName Value in Virtualhost
2: www.YourServernameAlias
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

You will get the following output

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for your_domain
http-01 challenge for www.your_ServerAlias
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/your_domain-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/your_domain-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/your_domain-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/your_domain-le-ssl.conf

In the next step, select from the available values if you want to redirect all the HTTP traffic to HTTPS. After this, you will get the following output

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://your_domain and
https://www.your ServerAlias

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=your_domain
https://www.ssllabs.com/ssltest/analyze.html?d=www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your cert will expire on 2020-07-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Congratulations!  It’s active for Apache. Now simply open your Browser and check your domain, it should be accessible on https port. Now we need to check if the SSL renewal is working or not.

sudo certbot renew --dry-run

If you didn’t get any error then everything is working according to requirements. Now Let’s configure Let’s Encrypt for Nginx.

 

Setup Let’s Encrypt SSL Certificate For Nginx on Ubuntu 20.04

The Setup of Let’s Encrypt SSL for Nginx is Quite Similar to apache2, we just need to install the Nginx client on the server with the following command.

sudo apt install certbot python3-certbot-nginx -y

Now we have Certbot Nginx Client installed on the Server. We need to have Nginx Server Blocks Setup with the Server_Name Value configured. The Certbot client will detect the active block and try to fetch the SSL for it. Execute the following command on the terminal.

sudo certbot --nginx -d Yourdomain.com -d www.yourdomainalias.com

Now after this follow the instructions that we have shared for the Apache configuration. Provide your email and then agree with the Let’s Encrypt Agreement of Service.  Select the redirection option from the prompt and your SSL certificate is ready for your Nginx.

Now we need to allow 443 Port for incoming connections for Nginx in the ufw. Execute the following command to verify the status.

sudo ufw status

Output:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

Now we need to add the “Nginx Full ” profile in the “ufw”  with the following command and remove the existing listener.

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Congratulations,  Let’s Encrypt SSL for Nginx is ready to use. You can hit your domain name in the browser to verify it. The Best method to verify if the SSL certificate is working according to the requirement is to check on SSL Labs.

Click Here to verify SSL Certificate

Now we need to verify if the Certbot SSL Renewal is working or not.

sudo certbot renew --dry-run

If you didn’t get any error, then everything is working perfectly.

 

If you are facing issues with the default repository on Ubuntu 20.04.  Then simply remove the existing Certbot Package from Ubuntu. We will use the snap to manage the package on the server.

sudo snap install --beta --classic certbot

This will install the Certbot Client on the server. Now to fetch SSL certificate automatically execute the following command.

 

sudo certbot --nginx

If you want to manually configure everything, then execute the following command.

sudo certbot certonly --nginx

Now the next step is to verify the Renewal Process.

sudo certbot renew --dry-run

You have successfully configured Let’s Encrypt SSL on Nginx and Apache.

 

Conclusion:  Installing Certbot client on Ubuntu 20.04 and configuring SSL cert is quite simple. We have covered all the necessary steps to get free SSL and renew it. However, if you got any error or you have questions, then add them up in the comments section. Our team will try to get back to asap.

 

Leave a Reply

Your email address will not be published. Required fields are marked *