Installing SSL certificates on your server can be a complex and time-consuming task. Let’s Encrypt simplifies this process and allows you to set up a free SSL certificate on your Web site in just a few minutes.
Install Let’s Encrypt
The Let’s Encrypt library is installed through git, which means that you will need to install git on your server first. If you don’t have it already, run the following command:
sudo apt-get update
sudo apt-get install git
After that, install Let’s Encrypt by cloning its repository:
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
This will copy the repository into the /opt/letsencrypt/ directory. Although it can be copied to any place in the filesystem, it is good practice to store it in the /opt folder, because that folder is usually used for third-party software in Ubuntu.
Install the SSL Certificate
To set up an SSL certificate, navigate to the directory where Let’s Encrypt is located and run the installer:
cd /opt/letsencrypt
./letsencrypt-auto --apache -d mydomain.com
For multiple domains or subdomains, do the following:
./letsencrypt-auto --apache -d mydomain.com -d www.mydomain.com
And that’s it. Let’s Encrypt will guide you through the installation process, generate the SSL files and configure the Apache Web server.
Auto-renew the Certificates
Let’s Encrypt SSL certificates are valid for 3 months only (90 days). After that time, they will expire and will have to be renewed. Fortunately, there is also a command that solves that problem: it checks all certificates that are installed on the system and renews the ones that will expire in less than 30 days. Run it from the /opt/letsencrypt directory:
./letsencrypt-auto renew
It is good practice to configure a cron job that runs the renewal command at regular intervals. For example, to run the renewal command every Monday at 2 a.m., edit the crontab:
sudo crontab -e
And add the following line:
0 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
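A cron job can fail without anyone noticing, so it helps to check the remaining lifetime of the installed certificates independently of the renewal log. The script below is an added example, not part of the original article or of the Let’s Encrypt client; the function names, the 21-day alert threshold and the /etc/letsencrypt/live certificate directory are assumptions.

```shell
#!/bin/sh
# Added example: detect a renewal job that has silently stopped working.
# "renew" replaces certificates with fewer than 30 days left and the cron job
# above runs weekly, so a healthy certificate should always have more than
# about 23 days remaining. ALERT_DAYS=21 is an assumed threshold below that.
ALERT_DAYS=${ALERT_DAYS:-21}

# cert_status FILE [DAYS]
# Prints OK, EXPIRING (fewer than DAYS left), EXPIRED or UNREADABLE.
# Returns 0 only for OK.
cert_status() {
    cert=$1
    days=${2:-$ALERT_DAYS}
    # Reject files that are not parseable X.509 certificates.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo UNREADABLE
        return 2
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo EXPIRED
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo EXPIRING
        return 1
    fi
    echo OK
}

# check_all [DIR]
# Checks every DIR/<name>/cert.pem and prints one status line per certificate.
# Returns non-zero if any certificate is not OK.
check_all() {
    live_dir=${1:-/etc/letsencrypt/live}   # assumed default location
    rc=0
    for cert in "$live_dir"/*/cert.pem; do
        [ -e "$cert" ] || continue
        status=$(cert_status "$cert") || rc=1
        printf '%s\t%s\t%s\n' "$status" \
            "$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null)" "$cert"
    done
    return "$rc"
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_all "${2:-}"
fi
```

Run with --check from a second cron entry, the script exits non-zero whenever a certificate has dropped below the threshold, which is the signal that the weekly renewal is not doing its job.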
What’s Happening Under the Hood
Let’s Encrypt executes a number of commands without you even noticing. If you were doing the entire process manually, here is how. First, activate the Apache SSL module and restart the server:
sudo a2enmod ssl
sudo service apache2 restart
Create a directory where you would store the SSL certificate files:
sudo mkdir /etc/apache2/ssl
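Then, generate the key and a self-signed certificate with OpenSSL (unlike a Let’s Encrypt certificate, it is not signed by a certificate authority, so browsers will show a warning for it):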
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/mydomain.key -out /etc/apache2/ssl/mydomain.crt
This command will ask you a number of questions. Although most of them are self-explanatory, pay attention to the Common Name (e.g. server FQDN or YOUR name), where you would enter your domain name (e.g. mydomain.com) or the server’s IP address (if you don’t have a domain name).
After generating the files, you need to configure Apache to use the SSL certificate. Create a new configuration file:
sudo nano /etc/apache2/sites-available/mydomain-ssl.conf
And paste this code:
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        # Placeholder address; replace it with your administrator's e-mail
        ServerAdmin webmaster@example.com
        ServerName mydomain.com
        ServerAlias www.mydomain.com
        # Path in the filesystem where the website is located
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        # Location where the certificate .key and .crt files are stored
        # (the files generated with OpenSSL in the previous step)
        SSLCertificateFile /etc/apache2/ssl/mydomain.crt
        SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>
Activate the configuration and restart Apache:
sudo a2ensite mydomain-ssl.conf
sudo service apache2 restart
That’s it, you are ready to go.