Learning Center
Apache

How to Install Let’s Encrypt with Apache

27 Mar 2025
Adnene Mabrouk
Adnene Mabrouk

In the current environment of the internet, the use of HTTPS to secure web traffic is a must. With a free and automated Certificate Authority (CA) service like Let’s Encrypt, adoption of SSL/TLS has changed dramatically because you can quickly obtain trusted certificates at no cost.

This guide will walk you through installing a Let’s Encrypt certificate on an Apache web server running Ubuntu 22.04 (Jammy Jellyfish). You will configure Certbot (the official Let’s Encrypt client), set up renewal procedures, and establish good security practices on our VPS Hosting. This procedure especially will be useful for those who use Wordpress hosting for projects.

Prerequisites
Copy link

Before proceeding, ensure you have:

  • An Ubuntu 22.04 system. Update it with:
sudo apt update
sudo apt upgrade
  • Apache Installed: Confirm with apache2 -v. If not present, install via:
sudo apt update
sudo apt install apache2
  • A registered domain (e.g., example.com) pointing to your server’s public IP. Check with:
ping example.com
  • Firewall Configured: Allow HTTP/HTTPS traffic:
sudo ufw allow 'Apache Full'
sudo ufw enable  
  • Sudo Privileges: Access to a user account with administrative rights.

Step 1: Installing Certbot via Snap
Copy link

Let’s Encrypt recommends using Certbot through Snap for seamless updates. Ubuntu 22.04 includes Snap by default, but make sure it’s updated:

sudo snap install core
sudo snap refresh core

Install Certbot:

sudo snap install --classic certbot

Create a symbolic link to the Certbot binary for easy access:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 2: Generating SSL Certificate with Certbot
Copy link

Certbot integrates with Apache to automate certificate issuance and configuration. Run:

sudo certbot --apache

Follow the interactive prompts:

  • Email Address: Enter for urgent renewal notifications.
  • Terms of Service: Accept by typing A.
  • Domain Selection: Choose the domain(s) to secure (e.g., example.com, www.example.com).
  • HTTP to HTTPS Redirect: Select 2 to enforce HTTPS universally.

Certbot will:

  • Generate certificates in /etc/letsencrypt/live/exple.com/.
  • Modify virtual host files to activate SSL.
  • Reload Apache to apply changes.

Step 3: Verifying Apache Configuration
Copy link

Certbot updates automatically your configuration. Inspect the virtual host file for your domain:

sudo nano /etc/apache2/sites-available/example.com-le-ssl.conf

Look for directives like:

SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

Ensure the SSL module is enabled:

sudo a2enmod ssl
sudo systemctl restart apache2

Step 4: Testing SSL/TLS Configuration
Copy link

Validate your setup:

  1. Visit https://example.com. Look for the padlock icon.
  2. Use curl to check headers:
sudo apt install curl
curl -I https://example.com

Confirm HTTP/2 200 or HTTP/1.1 200 OK.

  1. Run a free analysis at SSL Server Test to discover vulnerabilities.

Step 5: Automating Renewal
Copy link

Let’s Encrypt certificates expire every 90 days. Certbot automates renewal via a systemd timer. Test renewal manually:

sudo certbot renew --dry-run

If successful, Certbot’s timer will handle future renewals. Verify the timer status:

systemctl list-timers | grep certbot

Troubleshooting Common Issues
Copy link

  • Port Blocking: Ensure ports 80 and 443 are open:
sudo ufw status
  • Incorrect Domain Resolution: Verify DNS records with:
dig example.com
  • Configuration Errors: Check logs via:
sudo journalctl -u apache2
  • Certificate Renewal Failures: Inspect Certbot logs at /var/log/letsencrypt/.

Advanced Configurations
Copy link

Enforcing HTTPS with HSTS

Add the Strict-Transport-Security header to your SSL config:

sudo a2enmod headers
sudo systemctl restart apache2

Then in the Apache config (/etc/apache2/apache2.conf) configure:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Redirecting HTTP to HTTPS

Certbot usually handles this, but manually update non-SSL virtual hosts:

<VirtualHost *:80>
    # Define the primary domain name for this virtual host
    ServerName example.com

    # Redirect all HTTP traffic to HTTPS permanently (status code 301)
    # This ensures users always access the site securely
    Redirect permanent / https://example.com/
</VirtualHost>

Optimizing Cipher Suites

Edit /etc/letsencrypt/options-ssl-apache.conf to prioritize strong ciphers:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

To further enhance your Apache and Let’s Encrypt setup, consider implementing the following advanced optimizations. These steps will not only improve security but also ensure your server performs efficiently under high traffic and adheres to modern web standards.

Implementing OCSP Stapling

Online Certificate Status Protocol (OCSP) stapling improves SSL/TLS performance by allowing the server to provide proof of validity, reducing client-side verification delays. Enable OCSP stapling in your configuration (/etc/apache2/apache.conf):

SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

After making these changes, restart the web server:

sudo systemctl restart apache2

Verify OCSP stapling is working:

openssl s_client -connect example.com:443 -status -servername example.com

Look for OCSP Response Status: successful in the output.

Configuring HTTP/2 for Improved Performance

HTTP/2 enhances web performance by enabling multiplexing, header compression, and server push. To enable HTTP/2 in Apache, first ensure the http2 module is enabled:

sudo a2enmod http2

Then, add the following directive to your SSL virtual host:

Protocols h2 http/1.1

Restart Apache to apply the changes:

sudo systemctl restart apache2

Verify HTTP/2 is active by inspecting the response headers using browser developer tools or a tool like curl:

curl -I -k --http2 https://example.com

Setting Up Wildcard Certificates

If you manage multiple subdomains, a wildcard certificate simplifies management. To obtain a wildcard certificate with Certbot, use the DNS challenge method. First, install the DNS plugin for your DNS provider (e.g., Cloudflare):

sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare

Install pip and the cloudflare package:

sudo apt update
sudo apt install python3-pip
sudo pip install cloudflare

Create a credentials file for your DNS provider:

sudo nano /etc/letsencrypt/cloudflare.ini

Add your API credentials:

dns_cloudflare_api_token = your_api_key

Secure the file:

sudo chmod 600 /etc/letsencrypt/cloudflare.ini

Request the wildcard certificate:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d example.com -d *.example.com

Update your configuration to use the wildcard certificate.

Monitoring and Logging SSL/TLS Usage

Regularly monitoring SSL/TLS usage helps identify potential issues and enhance performance. Apache’s mod_ssl module provides detailed logs. Enable logging by integrating the following to your SSL virtual host configuration:

LogLevel info ssl:warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
ErrorLog ${APACHE_LOG_DIR}/ssl_error.log

Analyze logs for errors or unusual activity:

sudo tail -f /var/log/apache2/ssl_error.log

For advanced monitoring, consider tools like GoAccess or ELK Stack to visualize traffic patterns and SSL/TLS performance.

Enhancing Security with Security Headers

Adding security headers to your configuration can protect your site from common vulnerabilities like cross-site scripting (XSS) and clickjacking. Include the following directives in your virtual host file:

Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self';"

These headers make sure that browsers enforce strict security policies, minimizing the risk of attacks.

Final Thoughts
Copy link

Securing your Apache as of Ubuntu 22.04 using Let's Encrypt is a must-do to create a trusted quality web presence. In this tutorial, we have learned how to fine-tune some of the advanced configuration options, such as OCSP stapling, HTTP/2, wildcard certificates, as well as monitoring and security headers. These configurations will help you protect your server while increasing its efficiency and scalability. Note that web security is an ongoing process! Stay informed about new and developing threats, updated SSL/TLS standards, and audit your setup and logs regularly to maintain your server security after securing it.

Also, we recommend you to check our low-latency US based VPS.