Secure Apache Using Certbot with Let's Encrypt on Ubuntu 20.04

Introduction

Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit.

Step 1 — Installing Certbot

sudo apt install certbot python3-certbot-apache

You will be prompted to confirm the installation by pressing Y, then ENTER.

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  augeas-lenses libaugeas0 python3-acme python3-augeas python3-certbot python3-configargparse python3-future python3-icu python3-josepy python3-mock python3-parsedatetime
  python3-pbr python3-requests-toolbelt python3-rfc3339 python3-tz python3-zope.component python3-zope.event python3-zope.hookable
Suggested packages:
  augeas-doc python3-certbot-nginx python-certbot-doc augeas-tools python-acme-doc python-certbot-apache-doc python-future-doc python-mock-doc
The following NEW packages will be installed:
  augeas-lenses certbot libaugeas0 python3-acme python3-augeas python3-certbot python3-certbot-apache python3-configargparse python3-future python3-icu python3-josepy
  python3-mock python3-parsedatetime python3-pbr python3-requests-toolbelt python3-rfc3339 python3-tz python3-zope.component python3-zope.event python3-zope.hookable
0 upgraded, 20 newly installed, 0 to remove and 13 not upgraded.
Need to get 1734 kB of archives.
After this operation, 8991 kB of additional disk space will be used.
Do you want to continue? [Y/n]

Step 2 — Checking your Apache Virtual Host Configuration

sudo nano /etc/apache2/sites-available/your_domain.conf

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName your_domain
    ServerAlias www.your_domain
    DocumentRoot /var/www/your_domain
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Then, run the following command to validate your changes:

sudo apache2ctl configtest
# Syntax OK

Once your configuration file’s syntax is correct, reload Apache so that the changes take effect:

sudo systemctl reload apache2

Step 3 — Allowing HTTPS Through the Firewall

To verify what kind of traffic is currently allowed on your server, you can use:

sudo ufw status

To additionally let in HTTPS traffic, allow the “Apache Full” profile and delete the redundant “Apache” profile:

sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'

Step 4 — Obtaining an SSL Certificate

sudo certbot --apache

First, it will ask you for a valid e-mail address. This email will be used for renewal notifications and security notices:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): `your_email`

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)cancel: `A`

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: `N`

If you’d like to enable HTTPS for all listed domain names (recommended), you can leave the prompt blank and hit ENTER to proceed.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: `your_domain`
2: www.`your_domain`
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

You’ll see output like this:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.`your_domain`
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/default-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/default-ssl.conf

Choose 2 to enable the redirection, or 1 if you want to keep both HTTP and HTTPS as separate methods of accessing your website.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

After this step, Certbot’s configuration is finished.

Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/christopher.tw.conf to ssl vhost in /etc/apache2/sites-enabled/default-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://`your_domain` and
https://www.`your_domain`

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=`your_domain`
https://www.ssllabs.com/ssltest/analyze.html?d=www.`your_domain`
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/christopher.tw/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/`your_domain`/privkey.pem
   Your cert will expire on 2021-02-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You can use the SSL Labs Server Test to verify your certificate’s grade and obtain detailed information about it, from the perspective of an external service.

Step 5 — Verifying Certbot Auto-Renewal

Let’s Encrypt’s certificates are only valid for 90 days.

certbot.timer script runs twice a day and will automatically renew any certificate that’s within 30 days of expiration. To check the status of this service and make sure it’s active and running, you can use:

sudo systemctl status certbot.timer

You’ll get output similar to this:

● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Wed 2020-11-04 08:08:54 UTC; 4h 8min ago
    Trigger: Wed 2020-11-04 23:08:03 UTC; 10h left
   Triggers: ● certbot.service

Nov 04 08:08:54 ip-172-31-35-201 systemd[1]: Started Run certbot twice daily.

To test the renewal process, you can do a dry run with certbot:

sudo certbot renew --dry-run

Checking your Configuration (Optional)

sudo nano default-ssl.conf
# sudo vim default-ssl.conf

<VirtualHost *:80>
    ServerName your_domain
    Redirect / https://your_domain
</VirtualHost>

<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    ServerName your_domain
    ServerAlias www.your_domain
    DocumentRoot /var/www/your_domain

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/your_domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your_domain/privkey.pem
</VirtualHost>

sudo a2ensite default-ssl.conf

You’ll see output like this:

Enabling site default-ssl.
To activate the new configuration, you need to run:
  systemctl reload apache2

sudo apache2ctl configtest
# Syntax OK

sudo systemctl reload apache2

sudo a2enmod ssl

You’ll see output like this:

Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2

References

1. How To Secure Apache with Let's Encrypt on Ubuntu 20.04 | DigitalOcean
2. virtual host setup step in the Apache installation tutorial
3. How To Create a Self-Signed SSL Certificate for Apache in Ubuntu 20.04 | DigitalOcean
4. Welcome to the Certbot documentation! — Certbot 1.10.0.dev0 documentation
5. Documentation - Let's Encrypt - Free SSL/TLS Certificates