Introduction

This tutorial will show you how to set up a TLS/SSL certificate from Let’s Encrypt on an Ubuntu 14.04 server running Apache as a web server. We will also cover how to automate the certificate renewal process using a cron job.

SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.

Prerequisites

In order to complete this guide, you will need:

When you are ready to move on, log into your server using your sudo account.

Step 1 — Install the Server Dependencies

The first thing we need to do is to update the package manager cache with:



  • sudo apt-get update

We will need git in order to download the Let’s Encrypt client. To install git, run:



  • sudo apt-get install git

Step 2 — Download the Let’s Encrypt Client

Next, we will download the Let’s Encrypt client from its official repository, placing its files in a special location on the server. We will do this to facilitate the process of updating the repository files when a new release is available. Because the Let’s Encrypt client is still in beta, frequent updates might be necessary to correct bugs and implement new functionality.

We will clone the Let’s Encrypt repository under /opt, which is a standard directory for placing third-party software on Unix systems:



  • sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

This will create a local copy of the official Let’s Encrypt repository under /opt/letsencrypt.

Step 3 — Set Up the SSL Certificate

Generating the SSL Certificate for Apache using the Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.

Access the letsencrypt directory:



  • cd /opt/letsencrypt

To execute the interactive installation and obtain a certificate that covers only a single domain, run theletsencrypt-auto command with:



  • ./letsencrypt-auto --apache -d example.com

If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command. The first domain name in the list of parameters will be thebase domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases:



  • ./letsencrypt-auto --apache -d example.com -d www.example.com

For this example, the base domain will be example.com.

Don't forget to allow 443 port on your firewall.

After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both http and https access or force all requests to redirect to https.

When the installation is finished, you should be able to find the generated certificate files at/etc/letsencrypt/live. You can verify the status of your SSL certificate with the following link (don’t forget to replace example.com with your base domain):

https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest

You should now be able to access your website using a https prefix.

Step 4 — Set Up Auto Renewal

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

To trigger the renewal process for all installed domains, you should run:

./letsencrypt-auto renew

Because we recently installed the certificate, the command will only check for the expiration date and print a message informing that the certificate is not due to renewal yet. The output should look similar to this:

Checking for new version...

Requesting root privileges to run letsencrypt...

   /root/.local/share/letsencrypt/bin/letsencrypt renew

Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:

  /etc/letsencrypt/live/example.com/fullchain.pem (skipped)

No renewals were attempted.

Notice that if you created a bundled certificate with multiple domains, only the base domain name will be shown in the output, but the renewal should be valid for all domains included in this certificate.

A practical way to ensure your certificates won’t get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day, for instance.

Let's edit the crontab to create a new job that will run the renewal command every week. To edit the crontab for the root user, run:



  • sudo crontab -e

Include the following content, all in one line:



crontab


30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log

Save and exit. This will create a new cron job that will execute the letsencrypt-auto renew command every Monday at 2:30 am. The output produced by the command will be piped to a log file located at/var/log/le-renewal.log.

For more information on how to create and schedule cron jobs, you can check our How to Use Cron to Automate Tasks in a VPS guide.

Step 5 — Updating the Let’s Encrypt Client (optional)

Whenever new updates are available for the client, you can update your local copy by running a git pullfrom inside the Let’s Encrypt directory:



  • cd /opt/letsencrypt
    • 

  • sudo git pull

This will download all recent changes to the repository, updating your client.

Conclusion

In this guide, we saw how to install a free SSL certificate from Let’s Encrypt in order to secure a website hosted with Apache. Because the Let’s Encrypt client is still in beta, we recommend that you check the official Let’s Encrypt blog for important updates from time to time.

How To Secure Apache with Let's Encrypt on Ubuntu (Free SSL)的更多相关文章

  1. How To Secure Nginx with Let's Encrypt on Ubuntu 14.04

    https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14 ...

  2. 使用Let’s Encrypt生成免费的SSL证书

    SSL(安全套接层,Secure Sockets Layer),及其继任者 TLS (传输层安全,Transport Layer Security)是为网络通信提供安全及数据完整性的一种安全协议.TL ...

  3. 使用Let’s Encrypt创建nginx免费SSL证书

    资料参考: https://www.freehao123.com/top-8-free-ssl-cert/   八大免费SSL证书-给你的网站免费添加Https安全加密 https://www.fre ...

  4. 使用Let's Encrypt 生成免费的ssl证书的详细过程

    参考连接:https://github.com/diafygi/acme-tiny 中文:https://hacpai.com/article/1487899289204 目前我了解可以生成免费证书的 ...

  5. Establish the LAMP (Linux+Apache+MySQL+PHP) Development Environment on Ubuntu 14.04 Operating System

    ######################################################## Step One: Update the software package in yo ...

  6. 使用Let's Encrypt为网站加入SSL证书

    一直没有为网站配置过HTTPS,因为怕麻烦.不过这次工作要求,没有办法,只能硬着头皮上了. 老板提供了一个关键字,Let's Encrypt.其实最早看到这句话,我以为是一个动词,让我行动的意思.但是 ...

  7. Apache环境下配置多个站点的SSL证书

    重新创建apache目录中conf/extra/下的httpd-ssl.conf文件 NameVirtualHost *:443 Listen 443 <VirtualHost *:443> ...

  8. Django + Apache + wsgi配置和环境搭建(ubuntu)

    上一篇写了Django + nginx + uwsgi配置和环境搭建(ubuntu) 由于公司服务器环境问题,又配置了apache的环境.记录例如以下: 一. 安装环境: #apache sudo a ...

  9. Apache Doris ODBC Mysql外表在Ubuntu下使用方法及配置

    Apache Doris 社区 2022 年的总体规划,包括待开展或已开展.以及已完成但需要持续优化的功能.文档.社区建设等多方面,我们期待有更多的小伙伴参与进来讨论.同时也希望多多关注Doris,给 ...

随机推荐

  1. order by中用子查询排序

    今天有个需求是对一个列表排序,但是排序字段是在另一个表中,不想用关联查询,就想能否直接在order by中用子查询,后来找到一个还挺好使.记录如下. 排序语句如下: select * from mai ...

  2. 认识CSS中标题引入icon图标

    前端之HTML,CSS(十一) icon图标 icon图标的使用 获取网站的中标题icon图标,以京东为例:在域名后添加/favicon.ico Enter打开 鼠标右键,图标另存为下载icon图标, ...

  3. (转)CentOS7安装KVM虚拟机详解

    原文:https://github.com/jaywcjlove/handbook/blob/master/CentOS/CentOS7%E5%AE%89%E8%A3%85KVM%E8%99%9A%E ...

  4. 【CSS3】background-origin和background-clip的区别

    background-clip 与 background-origin是css3中引入的两个跟元素背景相关的属性,它们有相同的可选值,即border.padding.content三种,而且这两个属性 ...

  5. 控制反转(IOC) 和依赖注入(DI) 的理解

    1.      IOC(控制反转) inverseof control是spring容器的内核,AOP.声明事务等功能在此基础上开花结果. 2.      通过实例理解IOC概念: 实例:<墨攻 ...

  6. ubuntu编译安装protobuf

    测试环境:Ubuntu 16.04 LTS 到protobuf的release页面 下载源码:https://github.com/protocolbuffers/protobuf/releases/ ...

  7. Types方法之isSameType-isSuperType-isSubType

    4.isSameType() 方法 /** * Is t the same type as s? */ public boolean isSameType(Type t, Type s) { retu ...

  8. PHP之string之str_shuffle()函数使用

    str_shuffle (PHP 4 >= 4.3.0, PHP 5, PHP 7) str_shuffle - Randomly shuffles a string str_shuffle - ...

  9. 【c++】友元

    c++引入友元的原因 在某些情况下,允许特定的非成员函数访问类的私有成员.在类中以关键字friend开始(只能出现在类定义的内部),声明为友元的可以为类.类的成员函数.普通的非成员函数. 速览 #in ...

  10. Abschlussarbeit:Konstruktion und Implementierung von Dota2 Datenbank Intelligent Verwaltungsplatfom

    1.Die Hintergrund und Bedeutung des Themas Dank nicht ausreichendes Erkenntnisse der Spielplanner un ...