Let’s Encrypt: Secure Apache Web Server on Ubuntu 16.04

let's encrypt logo

Why HTTPS?

Starting with Chrome 56, the browser developed by Google marks non-secure pages containing password and credit card input fields as Not Secure in the URL bar. It was almost one year ago, when the Mountain View giant announced this choice.
Of course, everybody knows that secure is better then insecure; but in this case, the big problem with HTTP is that it lacks a system for protecting communications between clients and servers. This exposes data to different kinds of attacks, for instance, the “Man in the middle” (MIM), in which the attacker intercepts your data. If you are using some transaction system with your bank, using credit card infos, or just entering a password to log in to a web site, this can become very dangerous.
This is why HTTPS exists (HTTP over TLS, or, HTTP over SSL, or, HTTP Secure).
If you are on Unixmen, you probably know what this means: SSL/TLS ensures encrypted connections.
So, if your job is to keep a web server up and running on, you should switch to HTTPS.
To encrypt the traffic between server and client, web servers use SSL certificates. Let’s Encrypt helps in obtaining and installing a trusted certificate for free.

In this tutorial we will see how to secure an Apache Web Server on Ubuntu 16.04 using Let’s Encrypt.

Install Let’s Encrypt

Let’s Encrypt provides a client software which will fetch certificates almost automatically. This software is called Certbot, and the developers have their Ubuntu repository with up to date versions.

So, first of all, we will add the repository:

# add-apt-repository ppa:certbot/certbot

Next, update apt packages list:

# apt-get update

At this point, install Certbot:

# apt-get install python-certbot-apache

Install SSL Certificate

Once the Certbot client is installed, we can use it to obtain and install a new certificate for our server. It is possible to use a single certificate for many subdomains (or even domains). This can be done just passing all the domains as certbot argument.

# certbot --apache -d www.example.com -d example.com 

Certbot will present a step-by-step process to customize certificate options, and to enter information like email address. This last one will be used for key recovery. During the process it is possible to choice between which protocol to enable: both HTTP and HTTPS or HTTPS alone, which means that all requests will be automatically redirected. Of course, the best choice is to use only HTTPS, unless there are serious reasons to use unencrypted traffic to your server.

Testing Certificate

To verify the status of the SSL certificate, just go to the following link with a browser:

https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com&latest

Certificates Renewal

Let’s Encrypt certificates last for 90 days, so it’s up to you to renew. Using Certbot, you can test the automatic renewal system with this command:

certbot renew --dry-run

If it works, you can add a cron or systemd job to manage automatic renewal.

Conclusion

We have seen how easy can be to install a SSL certificate on an Apache Web Server, running on top of Ubuntu 16.04, by using the software client provided by Let’s Encrypt. At this point, if you go with your browser to https://www.example.com or https://example.com you will see that the site will be correctly served through HTTPS.