Research and Development
Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps.
Before you begin, install a LAMP stack with Apache virtual hosts configured for your domain.
Add the repository:
sudo add-apt-repository ppa:certbot/certbot
Install Certbot's Apache package with apt:
sudo apt install python-certbot-apache
Certbot needs to be able to find the correct virtual host in your Apache configuration for it to automatically configure SSL. Specifically, it does this by looking for a ServerName directive that matches the domain you request a certificate for.
If you followed the Virtual Host Setup, you should have a VirtualHost block for your domain at /etc/apache2/sites-available/your_domain.conf with the ServerName directive already set appropriately.
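Because the Apache plugin only succeeds when it can match the requested names against the virtual host, it helps to run that same lookup yourself before calling certbot. The shell script below is an added example, not part of the tutorial or of Certbot's own code: it reads ServerName and ServerAlias directives from a vhost file and reports any requested name that is missing. The vhost contents are constructed for the example (using the tutorial's your_domain placeholder), and the function names vhost_names, vhost_has_name and certbot_preflight are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of Certbot itself.
# Certbot's Apache plugin locates the virtual host by matching the names you
# pass with -d against ServerName (and ServerAlias) directives. This script
# performs the same lookup ahead of time so a mismatch shows up before you
# run certbot rather than as a plugin error.

# Constructed sample vhost standing in for
# /etc/apache2/sites-available/your_domain.conf (path and names are the
# tutorial's placeholders, not a real site).
SAMPLE_VHOST=$(mktemp)
trap 'rm -f "$SAMPLE_VHOST"' EXIT
cat > "$SAMPLE_VHOST" <<'EOF'
<VirtualHost *:80>
    # ServerName commented.example   <- a comment line, must be ignored
    ServerName your_domain
    ServerAlias www.your_domain
    DocumentRoot /var/www/your_domain
</VirtualHost>
EOF

# Print every hostname declared by ServerName/ServerAlias in CONFIG ($1), one
# per line. Comment lines are dropped first; directive names are matched
# case-insensitively as Apache does. ServerName may carry an optional
# scheme:// prefix and :port suffix, which are stripped so only the hostname
# remains.
vhost_names() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        tolower($1) == "servername" {
            name = $2
            sub("^[A-Za-z][A-Za-z0-9+.-]*://", "", name)
            sub(":[0-9]+$", "", name)
            print name
        }
        tolower($1) == "serveralias" { for (i = 2; i <= NF; i++) print $i }
    '
}

# Return 0 if DOMAIN ($2) is declared in CONFIG ($1), 1 otherwise. Hostnames
# are compared case-insensitively, and -F keeps the dots in a domain from
# acting as regex wildcards.
vhost_has_name() {
    vhost_names "$1" | grep -qixF -- "$2"
}

# Check every name you intend to pass with -d against CONFIG. Reports each
# one, and returns 1 if any is missing so it can gate the real certbot call.
certbot_preflight() {
    config=$1
    shift
    rc=0
    for d in "$@"; do
        if vhost_has_name "$config" "$d"; then
            echo "ok: $d is declared in $config"
        else
            echo "missing: $d is not a ServerName/ServerAlias in $config" >&2
            rc=1
        fi
    done
    return $rc
}

# Names from the tutorial's certbot command: both are present, so this passes.
certbot_preflight "$SAMPLE_VHOST" your_domain www.your_domain

# A name the vhost does not declare: the check fails instead of letting
# certbot --apache run and fail to locate the vhost.
certbot_preflight "$SAMPLE_VHOST" mail.your_domain \
    || echo "add mail.your_domain to the vhost before requesting a certificate for it"
```

To use it against a real site, point certbot_preflight at the vhost file under /etc/apache2/sites-available/ and pass the same names you plan to give certbot with -d; a non-zero exit means the plugin would not find a matching virtual host.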
If you have the ufw firewall enabled, you'll need to adjust its settings to allow HTTPS traffic.
You can see the current setting by typing:
sudo ufw status
To additionally let in HTTPS traffic, allow the Apache Full profile and delete the redundant Apache profile allowance:
sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'
Certbot provides a variety of ways to obtain SSL certificates through plugins. The Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary. To use this plugin, type the following:
sudo certbot --apache -d your_domain -d www.your_domain
This runs certbot with the --apache plugin, using -d to specify the names you'd like the certificate to be valid for.
Alternatively, run:
sudo certbot --apache
to obtain certificates for all the domains defined in your Apache virtual hosts.
Let's Encrypt's certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that's within thirty days of expiration.
To test the renewal process, you can do a dry run with certbot:
sudo certbot renew --dry-run
If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Apache to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.