
How to secure Apache with Let's Encrypt on Ubuntu 18.04

Published on: 16 January 2020


This tutorial shows how to secure an Apache web server on Ubuntu 18.04 by installing a Secure Sockets Layer (SSL) certificate. Enabling an encrypted connection to the web server is fundamental because it allows you to use the secure HTTPS protocol for your website.

To do so, we will use Let's Encrypt, a Certification Authority that issues free certificates completely in line with the required security standards. Through the Certbot client, Let's Encrypt simplifies the installation of the certificate so that even less experienced users can secure a website.

First, connect to your server via an SSH connection. If you haven't done so yet, following our guide to connect securely with the SSH protocol is recommended. In case of a local server, go to the next step and open the terminal of your server.

Installing Certbot

Add the Certbot repository.

$ sudo add-apt-repository ppa:certbot/certbot

At this point install Certbot using apt:

$ sudo apt install python-certbot-apache

After completing the installation you can proceed with the configuration of the firewall.

Configuration of the firewall

If a firewall is active on your system, configure it to allow HTTP and HTTPS traffic to your machine.

When using the UFW firewall, pre-installed profiles are available for Apache. Let's see how to enable them.

To check the available profiles installed on the UFW firewall, run this command:

$ sudo ufw app list

A list similar to the following will be shown on the screen:

Available applications:
  Apache
  Apache Full
  Apache Secure
  OpenSSH

To allow HTTP (Port 80) and HTTPS (Port 443) traffic, use the "Apache Full" profile. 

Check your profile information as follows:

$ sudo ufw app info "Apache Full"

The description of the profile will appear on the screen:

Profile: Apache Full
Title: Web Server (HTTP,HTTPS)
Description: Apache v2 is the next generation of the omnipresent Apache web
server.

Ports:
  80,443/tcp

After checking the profile, it can be enabled:

$ sudo ufw allow in "Apache Full"

Creating the SSL Certificate

At this point, request the certificate for the domain you want to protect, using the previously installed Certbot.

Replace TUODOMINIO.IT with the domain name you want to protect:

$ sudo certbot --apache -d TUODOMINIO.IT -d www.TUODOMINIO.IT

N.B. The --apache option tells Certbot to use the Apache plugin, while each -d option indicates a domain name that the certificate will be used for.

At this point, specify your email address, accept the terms of service and indicate if you want to redirect the connections to your website towards an HTTPS connection.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect -  No further changes to the webserver configuration.
2: Redirect -  To redirect all requests to secure HTTPS access. Choose this option for
new websites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

N.B. If there is already a CMS or script on your site, we recommend checking that it is compatible with an HTTPS connection before redirecting traffic.

Enter the number corresponding to your choice and, if the procedure is successful, a confirmation message will be shown on the screen.

Verifying the renewal of the Certificate

Let's Encrypt's SSL certificates are valid for 90 days, after which they have to be renewed. Certbot also takes care of the automatic renewal of the certificates, but to ensure that the procedure is functioning correctly, it is recommended to manually try to renew the certificate in this way:

$ sudo certbot renew --dry-run

If no error is displayed, then the renewal was successful. Otherwise, an email will be sent to the address entered during the certificate creation, when its expiration is approaching.
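
To keep confirming that automatic renewal works after the dry run, the remaining validity of each certificate can be read from the output of the certbot certificates subcommand. The script below is an added example, not part of the original tutorial: it assumes that subcommand's "Expiry Date: ... (VALID: N days)" line layout, uses a 30-day threshold chosen for illustration, and runs on a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Days of remaining validity below which a certificate is reported.
THRESHOLD_DAYS=${THRESHOLD_DAYS:-30}

# Reads `certbot certificates` output on stdin, prints "<name> <days> <status>"
# for each certificate and returns 1 if any of them needs attention.
check_expiry() {
    awk -v limit="$THRESHOLD_DAYS" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if (match($0, /[(]VALID: [0-9]+ day/)) {
                # Digits sit between "(VALID: " (8 chars) and " day" (4 chars).
                days = substr($0, RSTART + 8, RLENGTH - 12) + 0
                status = (days < limit) ? "RENEW" : "OK"
            } else {
                # Anything not reported as VALID (for example EXPIRED).
                days = 0; status = "INVALID"
            }
            if (status != "OK") bad = 1
            print name, days, status
        }
        END { exit bad + 0 }
    '
}

# Constructed sample output (domains and dates are invented).
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2020-04-15 09:12:44+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2020-01-28 17:03:10+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/shop.example.com/fullchain.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2019-12-30 08:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
EOF
}

# Demo on the sample; on the server: sudo certbot certificates | check_expiry
sample_output | check_expiry || echo "at least one certificate needs attention"
```

A non-zero return from check_expiry makes it usable in a scheduled job that alerts when a certificate has not been renewed in time.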