Tutorial

How To Secure Apache with Let's Encrypt on Ubuntu 14.04

Published on December 18, 2015

Erika Heidi and Erika Heidi

Not using Ubuntu 14.04?Choose a different version or distribution.

Ubuntu 14.04

###Introduction

This tutorial will show you how to set up a TLS/SSL certificate from Let’s Encrypt on an Ubuntu 14.04 server running Apache as a web server.

SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.

##Prerequisites

In order to complete this guide, you will need:

An Ubuntu 14.04 server with a non-root sudo user, which you can set up by following our Initial Server Setup guide
The Apache web server installed with one or more domain names properly configured

When you are ready to move on, log into your server using your sudo-enabled account.

##Step 1 — Download the Let’s Encrypt Client

The first step to using Let’s Encrypt to obtain an SSL certificate is to install the certbot software on your server. The Certbot developers maintain their own Ubuntu software repository with up-to-date versions of the software. Because Certbot is in such active development it’s worth using this repository to install a newer Certbot than provided by Ubuntu.

First, add the repository:

sudo add-apt-repository ppa:certbot/certbot

You’ll need to press ENTER to accept. Afterwards, update the package list to pick up the new repository’s package information:

sudo apt-get update

And finally, install Certbot from the new repository with apt-get:

sudo apt-get install python-certbot-apache

The certbot Let’s Encrypt client is now ready to use.

##Step 2 — Set Up the SSL Certificate

Generating the SSL Certificate for Apache using the certbot Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.

To execute the interactive installation and obtain a certificate that covers only a single domain, run the certbot command with:

sudo certbot --apache -d example.com

If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases:

sudo certbot --apache -d example.com -d www.example.com

For this example, the base domain will be example.com.

You will be prompted to provide an email address for lost key recovery and notices, and you will be need to agree to the Let’s Encrypt terms of service. You’ll then be asked to choose between enabling both http and https access or force all requests to redirect to https.

When the installation is finished, you should be able to find the generated certificate files at /etc/letsencrypt/live. You can verify the status of your SSL certificate with the following link (don’t forget to replace example.com with your base domain):

https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest

You should now be able to access your website using a https prefix.

Step 3 — Verifying Certbot Auto-Renewal

Let’s Encrypt certificates only last for 90 days. However, the certbot package we installed takes care of this for us by running certbot renew twice a day via a systemd timer. On non-systemd distributions this functionality is provided by a cron script placed in /etc/cron.d. The task runs twice daily and will renew any certificate that’s within thirty days of expiration.

To test the renewal process, you can do a dry run with certbot:

sudo certbot renew --dry-run

If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Apache to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.

##Conclusion

In this guide, we saw how to install a free SSL certificate from Let’s Encrypt in order to secure a website hosted with Apache. We recommend that you check the official Let’s Encrypt blog for important updates from time to time, and read the Certbot documentation for more details about the Certbot client.

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors

Erika Heidi

author

Developer Advocate

Dev/Ops passionate about open source, PHP, and Linux.

Erika Heidi

editor

Developer Advocate

Dev/Ops passionate about open source, PHP, and Linux.

Still looking for an answer?

Ask a question Search for more help

Was this helpful?

10 Comments

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Denis • December 19, 2015

I had had problem in ubuntu 14.04 server with python. So i add ppa for never python version (it is bad idea lol) Also if you have TLS cert it is good idea to enable HTTP/2 in your server too.

danK010 • December 20, 2015

I’ve been unable to successfully install this cert. Every time I try to install it, I’m thrown to a screen stating “We were unable to find a vhost with a ServerName or Address of mydomain.com
Which virtual host would you like to choose?”

No matter which option I choose, I’m then faced with the following error message. “Error while running apache2ctl configtest. Action ‘configtest’ failed. The Apache error log may have more information. AH00526: Syntax error on line 14 of /etc/apache2/sites-enabled/000-default.conf.save-le-ssl.conf: ServerName takes one argument, The hostname and port of the server”

Any idea how I can get this working?

stefanorg • December 20, 2015

Hi Erika, what about installing on centos?

shashuec • December 21, 2015

Great Article.I just set up for my domain. Just set up the virtual host as per https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-14-04-lts if you are getting the default.conf tab.

Sambego • December 21, 2015

Hi @erikaheidi, thanks for this article and renewal script! I recently made a blog post describing how to set it up with nginx, in this post I’ve added a link to this post, and a link to an edited le-renew script which I’ve made to run with nginx, based on the script you provide in this post. I hope you don’t mind :)

The blog post can be read here

pritamborkar • December 22, 2015

Solved

"I tried following these instructions but seem to get an error that says

"IMPORTANT NOTES:

The following ‘urn:acme:error:connection’ errors were reported by the server:

Domains: mydomain.com Error: The server could not connect to the client to verify the domain"

I had to unblock port 443 in ufw

Thanks for the tutorial.

Jannik • December 24, 2015

Hej there, I am always getting the following error when hitting ./letsencrypt-auto --apache --d iamjannik.me:

Updating letsencrypt and virtual environment dependencies.../root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
./root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
./root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Failed building wheel for cryptography
  Failed building wheel for cffi
Command "/root/.local/share/letsencrypt/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip-build-H1F6og/cffi/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-NfyK5J-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/cffi" failed with error code 1 in /tmp/pip-build-H1F6og/cffi

Maybe, one of you can help me… :/

SimonTaplin • December 26, 2015

Is there a away for Apache to force visitors to use HTTPS only. I had the option selected but I can still browse my site on http://www.mysite.com - https://www.mysite.com does also work.

yycman • December 27, 2015

Thanks for the tutorial. Very helpful.

Seems the default version of python supplied with Ubuntu 14.04 may need some extra updates to run letsencrypt. I needed to update python’s ssl libraries:

apt-get install python-dev libffi-dev libssl-dev
apt-get install python-pip
pip install 'requests[security]'
pip install pyopenssl ndg-httpsclient pyasn1

Then I needed to import ssl into python.

python
import ssl
quit()

Also, I found my domain name example.com must have an A record on the DNS server and it must be the same IP address as the A record for www.example.com A CNAME DNS record for www.example.com is not sufficient – it must be an A record.

whuber • December 31, 2015

Thanks for the article. Although the script will generate an error if you have multiple vhosts, it does generate the certificate even though it does not update the apache configuration. This is easily fixed by manually adding the statements to the vhost file for each site and restarting apache.