
Let’s Encrypt provides free SSL/TLS certificates, making it a cost-effective way to secure websites. Certbot automates issuing and renewing those certificates, reducing administrative overhead and ensuring the certificates are always up to date.

Prerequisites

For this exercise, I will be installing Certbot on Ubuntu v22.04 with Apache v2.4.52 on Amazon EC2. I will be creating DNS records on Route53. Be sure to have access to the following resources:

1. SSH Access: Ensure you have SSH access to the server where Certbot will be installed. This requires the server’s IP address, SSH port, and credentials (username and password or private key).

2. DNS Access: You need access to the DNS settings of your domain. This is typically managed through your domain registrar or DNS hosting provider. You will need to ensure that your domain (e.g., example.com) and any subdomains (e.g., www.example.com) point to your server’s IP address.

3. Apache Web Server: Ensure Apache is installed and running on your server. You can check this with:

sudo systemctl status apache2

Install Apache: If not already installed:

sudo apt update && \
sudo apt upgrade -y && \
sudo apt install -y apache2 && \
sudo systemctl start apache2 && \
sudo systemctl enable apache2

4. Allow HTTP and HTTPS Traffic: Configure your firewall to allow traffic on ports 80 (HTTP) and 443 (HTTPS). If using ufw, you can enable and view status with:

sudo ufw allow 'Apache Full' && sudo ufw enable && sudo ufw status

5. Store AWS Credentials: Credentials can be created in AWS IAM. Create a file called “config” in /root/.aws/ and add the following AWS keys, replacing the placeholder values with your own:

[default]
aws_access_key_id=your_aws_access_key_id
aws_secret_access_key=your_aws_secret_access_key

Getting Started

Having all of the above requirements in place will ensure a smooth installation and configuration process for securing your domain with Let’s Encrypt Certbot on your Apache server. We’ll start by installing Certbot, then move on to testing Certbot’s SSL certificate renewal, and finally configure our vhosts.

I’ll be using the following documentation:

Certbot Installation: https://certbot.eff.org/instructions?ws=apache&os=ubuntufocal&tab=wildcard

AWS Route 53 DNS configuration: https://certbot-dns-route53.readthedocs.io/en/stable/index.html

Other DNS hosting provider plugins can be found here: https://eff-certbot.readthedocs.io/en/latest/using.html#dns-plugins

1. Install snapd: We will be using the snap package for Ubuntu: https://snapcraft.io/docs/installing-snap-on-ubuntu

sudo apt update && sudo apt install snapd

2. Remove certbot-auto and any Certbot OS packages: If you have any Certbot packages installed using an OS package manager like apt, dnf, or yum, you should remove them before installing the Certbot snap to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager. The exact command to do this depends on your OS, but for Ubuntu, we will use the following:

sudo apt-get remove certbot

3. Install Certbot:

sudo snap install --classic certbot

4. Certbot Command Preparation: Execute the following instruction on the command line to ensure that the certbot command can be run:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

5. Confirm Plugin Containment Level: Run this command to acknowledge that the installed plugin will have the same classic containment as the Certbot snap. If you encounter issues running Certbot, you may need to repeat this step and then the “Install DNS plugin” step again.

sudo snap set certbot trust-plugin-with-root=ok

6. Install DNS plugin: Run the following command, replacing “route53” with the name of your DNS provider. For this example we’ll be using AWS Route 53:

sudo snap install certbot-dns-route53

7. Choose and Install Certificates: Run the following command to install Let’s Encrypt certificates. I will be using a wildcard to acquire a certificate for both the domain and all subdomains:

# Run as root so the plugin reads the credentials stored in /root/.aws/config
sudo certbot certonly \
  --dns-route53 \
  -d example.com \
  -d *.example.com

8. Test Automatic Renewal: The Certbot package on your system comes with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again unless you change your configuration. You can test automatic renewal for your certificates by running this command:

sudo certbot renew --dry-run

Adding Apache vhosts

Apache virtual hosts (vhosts) allow you to host multiple websites on a single server. Each virtual host can have its own domain name, configuration settings, document root, and security policies. This is particularly useful for shared hosting environments or when you need to serve different websites from the same server. Keep in mind that Let’s Encrypt requires individual host configuration files for each domain or subdomain. I will be creating vhost configuration files for both example.com and www.example.com. If you haven’t already, let’s go ahead and add our vhost files in /etc/apache2/sites-available/

STEP 1: example.com.conf: Add a vhost file covering both port 80 (HTTP) and port 443 (HTTPS):

# Note: everything inside this wrapper is skipped when mod_rewrite is not loaded,
# even though only mod_alias's Redirect is used below.
<IfModule mod_rewrite.c>
<VirtualHost *:80>
        ServerName www.example.com
        ServerAlias example.com

        ServerAdmin email@domain.com
        DocumentRoot /var/www/html

        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined

        # Send all plain-HTTP requests to the HTTPS site
        Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
        ServerName www.example.com
        ServerAlias example.com

        ServerAdmin email@domain.com
        DocumentRoot /var/www/html

        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined

        # SSLEngine and protocol/cipher settings come from the include file (STEP 2)
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule>
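As an added example (not from the original post), here is a Python check that parses the ServerName/ServerAlias hosts out of a vhost like the one in STEP 1 and reports which of them the certificate from step 7 (-d example.com -d *.example.com) would not cover. It encodes the single-label wildcard rule that Let’s Encrypt certificates follow, which is why both -d entries are needed and why a deeper name such as dev.eu.example.com would need its own certificate; the vhost text and the extra aliases in it are constructed for the example.

```python
import re

# Constructed sample modelled on the example.com.conf vhost from this post, with
# two extra aliases added to show the wildcard edge cases (not from the post).
VHOST_CONF = """
<VirtualHost *:443>
        ServerName www.example.com
        ServerAlias example.com app.example.com dev.eu.example.com
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
</VirtualHost>
"""

# The names requested with -d in step 7; these become the certificate's SANs.
CERT_SANS = ["example.com", "*.example.com"]

_NAME_DIRECTIVE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", re.I | re.M)


def vhost_names(conf_text):
    """Collect every host named by ServerName/ServerAlias, in order, without duplicates."""
    names = []
    for match in _NAME_DIRECTIVE.finditer(conf_text):
        for token in match.group(1).split():
            # ServerName may be written as scheme://host:port; keep only the host.
            host = token.split("://")[-1].split(":")[0].lower().rstrip(".")
            if host not in names:
                names.append(host)
    return names


def san_covers(san, hostname):
    """RFC 6125 rule used by Let's Encrypt certs: a wildcard must be the whole
    leftmost label and matches exactly one label, so *.example.com covers
    www.example.com but neither example.com nor dev.eu.example.com."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    san_labels, host_labels = san.split("."), hostname.split(".")
    return len(san_labels) == len(host_labels) and san_labels[1:] == host_labels[1:]


def uncovered_names(sans, hostnames):
    """Hostnames that none of the SANs cover; Apache would serve these with a
    certificate the browser rejects as a name mismatch."""
    return [h for h in hostnames if not any(san_covers(s, h) for s in sans)]


if __name__ == "__main__":
    served = vhost_names(VHOST_CONF)
    print("vhost serves:", served)
    print("not covered by the certificate:", uncovered_names(CERT_SANS, served) or "nothing")
```

Point the script at your real vhost file and the -d list you used, and add the reported names to the certbot command (or issue them a separate certificate) before restarting Apache.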

STEP 2: We need to add the SSL configuration include file referenced by the vhost above, /etc/letsencrypt/options-ssl-apache.conf:

# Baseline setting to Include for SSL sites

SSLEngine on

# Intermediate configuration, tweak to your needs
# Note: this still permits TLS 1.0 and 1.1; current guidance is to disable them as well (-TLSv1 -TLSv1.1)
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLCompression          off

# Refuse the request unless the connection satisfies the SSL requirements
SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

STEP 3: Enable the virtual hosts and restart Apache:

sudo a2ensite example.com.conf && sudo systemctl restart apache2

STEP 4: Verify that the SSL certificate is installed properly on the web server. I’m going to use SSL Checker, which reports the status of the certificate and its expiration date: https://www.sslshopper.com/ssl-checker.html

Wrapping Up

Certbot is a powerful tool for managing SSL/TLS certificates on your web server. It simplifies the process of obtaining, renewing, and configuring certificates, making it easier to secure your website with HTTPS. By automating certificate management tasks, Certbot helps you ensure that your website remains secure and accessible to your users. Whether you’re a beginner or an experienced webmaster, Certbot can help you easily secure your website and protect your users’ data.

Certbot renews certificates every 60 days. For more information about how Certbot works and for community managed resources, check out the HELP page.

Need help with renewing your SSL certificates? We can help! Learn more about AIM IT Services – Contact us HERE
