How to Install Let’s Encrypt with Apache
In the current environment of the internet, the use of HTTPS to secure web traffic is a must. With a free and automated Certificate Authority (CA) service like Let’s Encrypt, adoption of SSL/TLS has changed dramatically because you can quickly obtain trusted certificates at no cost.
This guide will walk you through installing a Let’s Encrypt certificate on an Apache web server running Ubuntu 22.04 (Jammy Jellyfish). You will configure Certbot (the official Let’s Encrypt client), set up renewal procedures, and establish good security practices on our VPS Hosting. This procedure especially will be useful for those who use Wordpress hosting for projects.
Prerequisites Copy link
Before proceeding, ensure you have:
- An Ubuntu 22.04 system. Update it with:
sudo apt update
sudo apt upgrade- Apache Installed: Confirm with
apache2 -v. If not present, install via:
sudo apt update
sudo apt install apache2- A registered domain (e.g., example.com) pointing to your server’s public IP. Check with:
ping example.com- Firewall Configured: Allow HTTP/HTTPS traffic:
sudo ufw allow 'Apache Full'
sudo ufw enable - Sudo Privileges: Access to a user account with administrative rights.
Step 1: Installing Certbot via Snap Copy link
Let’s Encrypt recommends using Certbot through Snap for seamless updates. Ubuntu 22.04 includes Snap by default, but make sure it’s updated:
sudo snap install core
sudo snap refresh coreInstall Certbot:
sudo snap install --classic certbotCreate a symbolic link to the Certbot binary for easy access:
sudo ln -s /snap/bin/certbot /usr/bin/certbotStep 2: Generating SSL Certificate with Certbot Copy link
Certbot integrates with Apache to automate certificate issuance and configuration. Run:
sudo certbot --apacheFollow the interactive prompts:
- Email Address: Enter for urgent renewal notifications.
- Terms of Service: Accept by typing A.
- Domain Selection: Choose the domain(s) to secure (e.g., example.com, www.example.com).
- HTTP to HTTPS Redirect: Select 2 to enforce HTTPS universally.
Certbot will:
- Generate certificates in
/etc/letsencrypt/live/exple.com/. - Modify virtual host files to activate SSL.
- Reload Apache to apply changes.
Step 3: Verifying Apache Configuration Copy link
Certbot updates automatically your configuration. Inspect the virtual host file for your domain:
sudo nano /etc/apache2/sites-available/example.com-le-ssl.confLook for directives like:
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.confEnsure the SSL module is enabled:
sudo a2enmod ssl
sudo systemctl restart apache2Step 4: Testing SSL/TLS Configuration Copy link
Validate your setup:
- Visit
https://example.com. Look for the padlock icon. - Use
curlto check headers:
sudo apt install curl
curl -I https://example.comConfirm HTTP/2 200 or HTTP/1.1 200 OK.
-
Run a free analysis at SSL Server Test to discover vulnerabilities.
Step 5: Automating Renewal Copy link
Let’s Encrypt certificates expire every 90 days. Certbot automates renewal via a systemd timer. Test renewal manually:
sudo certbot renew --dry-runIf successful, Certbot’s timer will handle future renewals. Verify the timer status:
systemctl list-timers | grep certbotTroubleshooting Common Issues Copy link
- Port Blocking: Ensure ports 80 and 443 are open:
sudo ufw status- Incorrect Domain Resolution: Verify DNS records with:
dig example.com- Configuration Errors: Check logs via:
sudo journalctl -u apache2- Certificate Renewal Failures: Inspect Certbot logs at
/var/log/letsencrypt/.
Advanced Configurations Copy link
Enforcing HTTPS with HSTS
Add the Strict-Transport-Security header to your SSL config:
sudo a2enmod headers
sudo systemctl restart apache2Then in the Apache config (/etc/apache2/apache2.conf) configure:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"Redirecting HTTP to HTTPS
Certbot usually handles this, but manually update non-SSL virtual hosts:
<VirtualHost *:80>
# Define the primary domain name for this virtual host
ServerName example.com
# Redirect all HTTP traffic to HTTPS permanently (status code 301)
# This ensures users always access the site securely
Redirect permanent / https://example.com/
</VirtualHost>Optimizing Cipher Suites
Edit /etc/letsencrypt/options-ssl-apache.conf to prioritize strong ciphers:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1To further enhance your Apache and Let’s Encrypt setup, consider implementing the following advanced optimizations. These steps will not only improve security but also ensure your server performs efficiently under high traffic and adheres to modern web standards.
Implementing OCSP Stapling
Online Certificate Status Protocol (OCSP) stapling improves SSL/TLS performance by allowing the server to provide proof of validity, reducing client-side verification delays. Enable OCSP stapling in your configuration (/etc/apache2/apache.conf):
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"After making these changes, restart the web server:
sudo systemctl restart apache2Verify OCSP stapling is working:
openssl s_client -connect example.com:443 -status -servername example.comLook for OCSP Response Status: successful in the output.
Configuring HTTP/2 for Improved Performance
HTTP/2 enhances web performance by enabling multiplexing, header compression, and server push. To enable HTTP/2 in Apache, first ensure the http2 module is enabled:
sudo a2enmod http2Then, add the following directive to your SSL virtual host:
Protocols h2 http/1.1Restart Apache to apply the changes:
sudo systemctl restart apache2Verify HTTP/2 is active by inspecting the response headers using browser developer tools or a tool like curl:
curl -I -k --http2 https://example.comSetting Up Wildcard Certificates
If you manage multiple subdomains, a wildcard certificate simplifies management. To obtain a wildcard certificate with Certbot, use the DNS challenge method. First, install the DNS plugin for your DNS provider (e.g., Cloudflare):
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflareInstall pip and the cloudflare package:
sudo apt update
sudo apt install python3-pip
sudo pip install cloudflareCreate a credentials file for your DNS provider:
sudo nano /etc/letsencrypt/cloudflare.iniAdd your API credentials:
dns_cloudflare_api_token = your_api_keySecure the file:
sudo chmod 600 /etc/letsencrypt/cloudflare.iniRequest the wildcard certificate:
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d example.com -d *.example.comUpdate your configuration to use the wildcard certificate.
Monitoring and Logging SSL/TLS Usage
Regularly monitoring SSL/TLS usage helps identify potential issues and enhance performance. Apache’s mod_ssl module provides detailed logs. Enable logging by integrating the following to your SSL virtual host configuration:
LogLevel info ssl:warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
ErrorLog ${APACHE_LOG_DIR}/ssl_error.logAnalyze logs for errors or unusual activity:
sudo tail -f /var/log/apache2/ssl_error.logFor advanced monitoring, consider tools like GoAccess or ELK Stack to visualize traffic patterns and SSL/TLS performance.
Enhancing Security with Security Headers
Adding security headers to your configuration can protect your site from common vulnerabilities like cross-site scripting (XSS) and clickjacking. Include the following directives in your virtual host file:
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self';"These headers make sure that browsers enforce strict security policies, minimizing the risk of attacks.
Final Thoughts Copy link
Securing your Apache as of Ubuntu 22.04 using Let's Encrypt is a must-do to create a trusted quality web presence. In this tutorial, we have learned how to fine-tune some of the advanced configuration options, such as OCSP stapling, HTTP/2, wildcard certificates, as well as monitoring and security headers. These configurations will help you protect your server while increasing its efficiency and scalability. Note that web security is an ongoing process! Stay informed about new and developing threats, updated SSL/TLS standards, and audit your setup and logs regularly to maintain your server security after securing it.
Also, we recommend you to check our low-latency US based VPS.