In the current environment of the internet, the use of HTTPS to secure web traffic is a must. With a free and automated Certificate Authority (CA) service like Let’s Encrypt, adoption of SSL/TLS has changed dramatically because you can quickly obtain trusted certificates at no cost.
This guide will walk you through installing a Let’s Encrypt certificate on an Apache web server running Ubuntu 22.04 (Jammy Jellyfish). You will configure Certbot (the official Let’s Encrypt client), set up renewal procedures, and establish good security practices.
Before proceeding, ensure you have the following. An up-to-date Ubuntu 22.04 system:
sudo apt update
sudo apt upgrade
Apache installed; check the installed version with:
apache2 -v
If it is not present, install it via:
sudo apt update
sudo apt install apache2
A registered domain name whose DNS record points to this server (example.com is used throughout this guide); confirm that it resolves:
ping example.com
A firewall that allows HTTP and HTTPS traffic to Apache:
sudo ufw allow 'Apache Full'
sudo ufw enable
Let’s Encrypt recommends using Certbot through Snap for seamless updates. Ubuntu 22.04 includes Snap by default, but make sure it’s updated:
sudo snap install core
sudo snap refresh core
Install Certbot:
sudo snap install --classic certbot
Create a symbolic link to the Certbot binary for easy access:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Certbot integrates with Apache to automate certificate issuance and configuration. Run:
sudo certbot --apache
Follow the interactive prompts. Certbot will obtain the certificate, store it under:
/etc/letsencrypt/live/example.com/
and update your Apache configuration automatically. Inspect the virtual host file for your domain:
sudo nano /etc/apache2/sites-available/example.com-le-ssl.conf
Look for directives like:
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
Ensure the SSL module is enabled:
sudo a2enmod ssl
sudo systemctl restart apache2
Validate your setup: open https://example.com in a browser and look for the padlock icon. Use curl to check the response headers:
sudo apt install curl
curl -I https://example.com
Confirm HTTP/2 200 or HTTP/1.1 200 OK.
Run a free analysis at SSL Server Test to discover vulnerabilities.
Let’s Encrypt certificates expire every 90 days. Certbot automates renewal via a systemd timer. Test renewal manually:
sudo certbot renew --dry-run
If successful, Certbot’s timer will handle future renewals. Verify the timer status:
systemctl list-timers | grep certbot
If something goes wrong, check the firewall rules:
sudo ufw status
DNS resolution for your domain:
dig example.com
the Apache service log:
sudo journalctl -u apache2
and Certbot’s own logs under:
/var/log/letsencrypt/
Add the Strict-Transport-Security header to your SSL config:
sudo a2enmod headers
sudo systemctl restart apache2
Then in the Apache config (/etc/apache2/apache2.conf) configure:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Certbot usually handles this, but manually update non-SSL virtual hosts:
<VirtualHost *:80>
# Define the primary domain name for this virtual host
ServerName example.com
# Redirect all HTTP traffic to HTTPS permanently (status code 301)
# This ensures users always access the site securely
Redirect permanent / https://example.com/
</VirtualHost>
Edit /etc/letsencrypt/options-ssl-apache.conf to prioritize strong ciphers:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
To further enhance your Apache and Let’s Encrypt setup, consider implementing the following advanced optimizations. These steps will not only improve security but also ensure your server performs efficiently under high traffic and adheres to modern web standards.
Online Certificate Status Protocol (OCSP) stapling improves SSL/TLS performance by letting the server send the CA’s signed OCSP response for its own certificate along with the certificate itself, so clients do not have to query the OCSP responder and the verification delay is removed. Enable OCSP stapling in your configuration (/etc/apache2/apache2.conf):
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
After making these changes, restart the web server:
sudo systemctl restart apache2
Verify OCSP stapling is working:
openssl s_client -connect example.com:443 -status -servername example.com
Look for OCSP Response Status: successful in the output.
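The checks above (the curl header check, the HSTS header, renewal and OCSP stapling) are easy to script. The following is an added example, not code from the original article: each function takes captured tool output as text, so it can be exercised with constructed samples and, on a live server, fed the real output of curl and openssl. It assumes GNU date, as shipped with Ubuntu, for the expiry calculation.

```shell
#!/bin/sh
# Offline checks for an Apache + Let's Encrypt deployment (added example).
# Each function takes captured tool output as an argument; on a live server
# pass it the output of `curl -I` or `openssl s_client -status`.

# header_has HEADERS NAME PATTERN: is response header NAME present with a
# value matching the case-insensitive extended regex PATTERN?
header_has() {
    printf '%s\n' "$1" | grep -iE "^$2: *$3" >/dev/null
}

# hsts_ok HEADERS MIN_AGE: Strict-Transport-Security present with
# max-age >= MIN_AGE and includeSubDomains (what the guide's header sets).
hsts_ok() {
    line=$(printf '%s\n' "$1" | grep -i '^strict-transport-security:' || true)
    [ -n "$line" ] || return 1
    age=$(printf '%s' "$line" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -ge "$2" ] || return 1
    printf '%s' "$line" | grep -qi 'includeSubDomains'
}

# redirect_ok HEADERS: the port-80 vhost must answer 301 with an https:// Location.
redirect_ok() {
    printf '%s\n' "$1" | grep -q '^HTTP/[0-9.]* 301' || return 1
    header_has "$1" 'location' 'https://'
}

# stapling_ok OUTPUT: `openssl s_client -status` output carries a stapled response
# (openssl indents the status line, so no line anchor is used).
stapling_ok() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# days_left NOTAFTER NOW_EPOCH: whole days until the certificate expires
# (negative once expired). NOTAFTER is the line `openssl x509 -noout -enddate`
# prints. Let's Encrypt certificates last 90 days, so a value well below 30
# suggests the certbot renewal timer is not running. Assumes GNU date.
days_left() {
    end=$(date -u -d "${1#notAfter=}" +%s) || return 1
    echo $(( (end - $2) / 86400 ))
}
```

Pipe live data in, for example `hsts_ok "$(curl -sI https://example.com)" 31536000 && echo HSTS ok`.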
HTTP/2 enhances web performance by enabling multiplexing, header compression, and server push. To enable HTTP/2 in Apache, first ensure the http2 module is enabled:
sudo a2enmod http2
Then, add the following directive to your SSL virtual host:
Protocols h2 http/1.1
Restart Apache to apply the changes:
sudo systemctl restart apache2
Verify HTTP/2 is active by inspecting the response headers using browser developer tools or a tool like curl:
curl -I -k --http2 https://example.com
If you manage multiple subdomains, a wildcard certificate simplifies management. To obtain a wildcard certificate with Certbot, use the DNS challenge method. First, install the DNS plugin for your DNS provider (e.g., Cloudflare):
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare
Install pip and the cloudflare package:
sudo apt update
sudo apt install python3-pip
sudo pip install cloudflare
Create a credentials file for your DNS provider:
sudo nano /etc/letsencrypt/cloudflare.ini
Add your API credentials:
dns_cloudflare_api_token = your_api_key
Secure the file:
sudo chmod 600 /etc/letsencrypt/cloudflare.ini
Request the wildcard certificate:
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d example.com -d '*.example.com'
Update your configuration to use the wildcard certificate.
Regularly monitoring SSL/TLS usage helps identify potential issues and enhance performance. Apache’s mod_ssl module provides detailed logs. Enable logging by adding the following to your SSL virtual host configuration:
LogLevel info ssl:warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
Analyze logs for errors or unusual activity:
sudo tail -f /var/log/apache2/ssl_error.log
For advanced monitoring, consider tools like GoAccess or ELK Stack to visualize traffic patterns and SSL/TLS performance.
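Before reaching for a full log stack, a short awk pass over ssl_error.log already shows which clients generate the mod_ssl errors. The following is an added example, not from the original article; the log lines are constructed in Apache 2.4 error-log format (IPv4 clients only), and the file name SAMPLE_LOG is an assumption standing in for ${APACHE_LOG_DIR}/ssl_error.log.

```shell
#!/bin/sh
# Summarise mod_ssl messages in an Apache error log by severity and client
# (added example). The lines below are constructed, not captured from a server.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Fri Sep 09 10:42:29.902022 2022] [ssl:error] [pid 1234:tid 5678] [client 203.0.113.5:51234] AH02032: Hostname example.com provided via SNI and hostname www.example.com provided via HTTP have no compatible SSL setup
[Fri Sep 09 10:42:30.102022 2022] [ssl:error] [pid 1234:tid 5678] [client 203.0.113.5:51240] AH02032: Hostname example.com provided via SNI and hostname www.example.com provided via HTTP have no compatible SSL setup
[Fri Sep 09 10:43:01.000000 2022] [ssl:warn] [pid 1234:tid 5678] AH01909: example.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Sep 09 10:44:10.000000 2022] [ssl:error] [pid 1234:tid 5679] [client 198.51.100.7:40001] AH02032: Hostname example.com provided via SNI and hostname www.example.com provided via HTTP have no compatible SSL setup
[Fri Sep 09 10:44:12.000000 2022] [mpm_event:notice] [pid 1234:tid 5678] AH00489: Apache/2.4.52 (Ubuntu) configured -- resuming normal operations
EOF

# summarize_ssl_log FILE: one line "<level> <client-ip> <count>" per distinct
# (level, client) pair among [ssl:*] messages, most frequent first; "-" marks
# messages that carry no client address (e.g. startup warnings).
summarize_ssl_log() {
    awk '
    /\[ssl:/ {
        level = ""; client = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\[ssl:/) { level = $i; sub(/^\[ssl:/, "", level); sub(/\]$/, "", level) }
            if ($i == "[client") { client = $(i + 1); sub(/:[0-9]+\]$/, "", client) }
        }
        count[level " " client]++
    }
    END { for (k in count) print k, count[k] }' "$1" | sort -k3,3nr -k1,1 -k2,2
}

# noisy_clients FILE THRESHOLD: client IPs with at least THRESHOLD ssl:error
# messages, a starting point for spotting misconfigured or probing clients.
noisy_clients() {
    summarize_ssl_log "$1" | awk -v t="$2" '$1 == "error" && $2 != "-" && $3 >= t { print $2 }'
}

summarize_ssl_log "$SAMPLE_LOG"
noisy_clients "$SAMPLE_LOG" 2
```

On a real server, run `summarize_ssl_log /var/log/apache2/ssl_error.log` instead of the sample file.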
Adding security headers to your configuration can protect your site from common vulnerabilities like cross-site scripting (XSS) and clickjacking. Include the following directives in your virtual host file:
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self';"
These headers make sure that browsers enforce strict security policies, minimizing the risk of attacks.
Securing Apache on Ubuntu 22.04 with Let’s Encrypt is a must to establish a trusted, high-quality web presence. In this tutorial we covered the advanced configuration options, including OCSP stapling, HTTP/2, wildcard certificates, monitoring, and security headers. These configurations help protect your server while improving its efficiency and scalability. Remember that web security is an ongoing process: stay informed about new and developing threats and updated SSL/TLS standards, and audit your configuration and logs regularly to keep the server secure after the initial setup.