How To Secure Apache with Let’s Encrypt on Ubuntu 16.04
This tutorial will show you how to set up a TLS/SSL certificate from Let’s Encrypt on an Ubuntu 16.04 server running Apache as a web server. We will also cover how to automate the certificate renewal process using a cron job.
SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.
In order to complete this guide, you will need:
- An Ubuntu 16.04 server with a non-root sudo user, which you can set up by following our Initial Server Setup guide
- The Apache web server installed with one or more domain names properly configured through Virtual Hosts that specify
When you are ready to move on, log into your server using your sudo account.
Step 1 — Install the Let’s Encrypt Client
First, we will download the Let’s Encrypt client from the official repositories. Although the Let’s Encrypt project has renamed their client to
certbot, the client included in the Ubuntu 16.04 repositories is simply called
letsencrypt. This version is completely adequate for our purposes.
Update the server’s local
apt package indexes and install the client by typing:
- sudo apt-get update
- sudo apt-get install python-letsencrypt-apache
letsencrypt client should now be ready to use.
Step 2 — Set Up the SSL Certificate
Generating the SSL Certificate for Apache using the Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.
To execute the interactive installation and obtain a certificate that covers only a single domain, run the
letsencrypt command like so, where example.com is your domain:
- sudo letsencrypt –apache -d example.com
If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases:
- sudo letsencrypt –apache -d example.com -d www.example.com
For this example, the base domain will be
After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both
https access or forcing all requests to redirect to
https. It is usually safest to require
https, unless you have a specific need for unencrypted
When the installation is finished, you should be able to find the generated certificate files at
/etc/letsencrypt/live. You can verify the status of your SSL certificate with the following link (don’t forget to replace example.com with your base domain):
You should now be able to access your website using a
Step 3 — Set Up Auto Renewal
Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The Let’s Encrypt client has a
renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.
To trigger the renewal process for all installed domains, you should run:
- sudo letsencrypt renew
Because we recently installed the certificate, the command will only check for the expiration date and print a message informing that the certificate is not due to renewal yet. The output should look similar to this:
Processing /etc/letsencrypt/renewal/example.com.conf The following certs are not due for renewal yet: /etc/letsencrypt/live/example.com/fullchain.pem (skipped) No renewals were attempted.
Notice that if you created a bundled certificate with multiple domains, only the base domain name will be shown in the output, but the renewal should be valid for all domains included in this certificate.
A practical way to ensure your certificates won’t get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day, for instance.
Let’s edit the crontab to create a new job that will run the renewal command every week. To edit the crontab for the root user, run:
- sudo crontab -e
You may be prompted to select an editor:
no crontab for root - using an empty one Select an editor. To change later, run 'select-editor'. 1. /bin/ed 2. /bin/nano <---- easiest 3. /usr/bin/vim.basic 4. /usr/bin/vim.tiny Choose 1-4 :
Unless you’re more comfortable with
vim, press Enter to use
nano, the default.
Include the following content at the end of the crontab, all in one line:
30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
Save and exit. This will create a new cron job that will execute the
letsencrypt-auto renew command every Monday at 2:30 am. The output produced by the command will be piped to a log file located at
For more information on how to create and schedule cron jobs.