How to Install Let’s Encrypt on Ubuntu 20.04 with Apache

In this article, we will show you how to install the Let’s Encrypt client on your Ubuntu 20.04 VPS, issue an SSL certificate for your domain, and configure it with the Apache web server.

Let’s Encrypt is a certificate authority organization (CA) that allows anyone to obtain a free SSL certificate with simple and automated commands. In this tutorial, we will use a tool called certbot, which is an official part of EFF’s effort to encrypt the entire Internet. Thanks to this convenient tool, setting up an SSL certificate to protect your website’s visitors and improve your website’s security has never been easier. All SSL certificates provided by Let’s Encrypt can be used for production/commercial purposes without any costs or fees. Let’s begin with the installation and setup.

Let’s start with the installation – it is a simple installation and will not take long.

Prerequisites

  • For the purposes of this tutorial, we will use an Ubuntu 20.04 VPS.
  • User with sudo privileges or full SSH root access is required. All of our VPSes come with root access.
  • A valid domain name pointed to your server’s IP address. In this tutorial, we will use domain.com as an example.

1. Connect to your Server

Before we begin, you need to connect to your server via SSH as the root user. To do this, use the following command:

ssh [email protected]_ADDRESS -p PORT_NUMBER

of course, you will need to replace IP_ADDRESS and PORT_NUMBER with your actual server IP address and SSH port number.

Once logged in, make sure that your server is up-to-date by running the following commands:

sudo apt update
sudo apt upgrade

2. Install the Apache2 Web Server

We chose to use one of the most popular web servers in our article. We will be installing Apache2 since we need a web server on which to install the free Let’s Encrypt SSL certificate. There’s no point in having an SSL certificate without any webpages.

Execute the following command to install Apache2:

sudo apt install apache2

Once Apache2 is installed on your server, you will be able to use the commands below to start, stop, and enable the service. We recommend enabling it so that Apache can start up automatically whenever your server reboots.

sudo systemctl stop apache2.service
sudo systemctl start apache2.service
sudo systemctl enable apache2.service

To confirm that you have properly installed Apache2, you can open your preferred web browser and type your server IP address or your domain (we assume it is pointed to your server) and you should be able to view the Apache2 Ubuntu Default Page.

3. Configure the Apache Virtual Host

Since you now have Apache installed on your server, we can continue and show you how to create a virtual host for the domain that you want to use. We will use nano as our editor, but if you do not prefer nano, you can use any editor of your choice and create a new configuration file called domain.com.conf.

sudo nano /etc/apache2/sites-available/domain.com.conf

Then paste the configuration from below into the file, and replace all occurrences of domain.com with your actual domain name.

<VirtualHost *:80>

DocumentRoot /var/www/html/domain.com
ServerName domain.com
ServerAlias www.domain.com

<Directory /var/www/html/domain.com/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

After you have finished with editing the file, save and close it.

Once you have configured the virtual host, you can enable it by executing the following commands.

Disable the default preinstalled virtual host with:

sudo a2dissite 000-default

then, enable the domain.com virtual host:

sudo a2ensite domain.com.conf

also, you need to make sure that the mod rewrite is enabled:

sudo a2enmod rewrite

Restart Apache so the changes will take effect.

sudo systemctl restart apache2.service

4. Install Certbot

As mentioned earlier, we will be using Certbot so that we can get a free SSL certificate from Let’s Encrypt. To install this useful tool, we need to enable the universe repository:

sudo apt install software-properties-common
sudo add-repository universe
sudo apt update

Run this command on the command line on the machine to install Certbot.

sudo apt install certbot python3-certbot-apache

5. Generate a Free Let’s Encrypt SSL Certificate

There are many ways to obtain an SSL certificate with Certbot. We will use the Apache plugin, which will take care of reconfiguring Apache’s Virtual Host and will reload the new configuration for us. You can run the following command to use the plugin:

sudo certbot --apache

Using this script, you need to answer a series of questions and provide an email address. In the first step, you need to type a valid email address. The email address is required for notifications and security notices regarding your website’s certificate:

Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

The next step is to confirm that you agree to the Let’s Encrypt terms of service. If you want to confirm, just type A and then press [ENTER]:

Output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

If you want to share the provided email address with the EFF (Electronic Frontier Foundation) to receive news and other information, you can type Y. If you do not want to receive this type of email, you can type N and submit your answer by typing [ENTER].

Output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Now you need to select the domain you would like to activate HTTPS for. The domains and subdomains listed on your command prompt are automatically obtained from your Apache virtual host configuration. Type the numbers separated by commas and/or spaces, or if you’d like to enable HTTPS for all of the domains or subdomains, you can leave the prompt blank. Either way, you then press [ENTER] to proceed to the next step.

Output:
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.com
2: www.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

The output will be similar to this:

Output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for www.domain.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/domain.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/domain.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/domain.com-le-ssl.conf

Certbot provides HTTPS redirection as an option that you can enable. In this step, the script will prompt you to select if you want the entire HTTP traffic to be redirected to HTTPS or to keep the current configuration. Select 1 if you do not want redirection or 2 to enable redirection, then press [ENTER].

Output:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Great job. Your SSL certificate is now installed and loaded in the Apache configuration. You will see output similar to the following:

Output:
Redirecting vhost in /etc/apache2/sites-enabled/domain.com.conf to ssl vhost in /etc/apache2/sites-available/domain.com-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://domain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2021-09-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

To verify that your new SSL certificate is set up correctly, visit https://domain.com/ in your web browser and check for the green lock icon in the URL bar. You can also use an external website or tools to check if your SSL certificate is installed properly.

6. Verifying Certbot Auto-Renewal

SSL certificates provided by Let’s Encrypt are valid only for 90 days. The Certbot we have installed will set a cronjob that will take care of renewing any SSL certificate that is within thirty days of expiration. To check the status of this service, you can execute the command:

sudo systemctl status certbot.timer
Output:
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Thu 2021-06-11 11:33:00 UTC; 1h 37min ago
Trigger: Thu 2021-06-11 15:52:01 UTC; 2h 41min left
Triggers: ● certbot.service

or you can list all of the timers with:

sudo systemctl list-timers

You can test automatic renewal for your certificates by executing this command:

sudo certbot renew --dry-run

and the command to renew the SSL certificate can be found in one of the following locations:

/etc/crontab/
/etc/cron.*/*

Congratulations! You have successfully installed a free Let’s Encrypt SSL certificate for your domain.

In this article, we showed you how to install the Apache2 web server and Certbot, as well as how to create an Apache Virtual Host, and of course install an SSL certificate for your domain. Your website should now be secure and automatically renew to stay that way.


Of course, if you are one of our Managed Ubuntu Hosting customers, you don’t have to install a Let’s Encrypt SSL certificate for your domain on your own – simply ask our admins, sit back, and relax. Our admins will install a Let’s Encrypt SSL certificate on your Ubuntu 20.04 VPS for you immediately, along with many useful optimizations that we can do for you.

PS. If you liked this post about how to install Let’s Encrypt on Ubuntu 20.04 with Apache, please share it with your friends on the social networks using the share buttons below, or simply leave a comment in the comments section. Thanks.

Leave a Comment

To prove you are human please solve the following *