Introduction
SSL certificates are used within web servers to encrypt the traffic between server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.
This tutorial will show you how to set up TLS/SSL certificates from Let’s Encrypt for securing multiple virtual hosts on Apache, within an Ubuntu 14.04 server.
We will also cover how to automate the certificate renewal process using a cron job.
##Prerequisites
In order to complete this guide, you will need:
An Ubuntu 14.04 server with a non-root sudo user, which you can set up by following our Initial Server Setup guide
A functional Apache web server installation hosting multiple virtual hosts
It is important that each virtual host is set up in its own separate configuration file, and can be accessed externally via browser. For a detailed guide on how to properly set up Apache virtual hosts on Ubuntu, follow this link.
For the purpose of this guide, we will install Let’s Encrypt certificates for the domains example.com
and test.com
. These will be referenced throughout the guide, but you should substitute them with your own domains while following along.
When you are ready to move on, log into your server using your sudo account.
##Step 1 — Download the Let’s Encrypt Client
The first step to using Let’s Encrypt to obtain an SSL certificate is to install the certbot
software on your server. The Certbot developers maintain their own Ubuntu software repository with up-to-date versions of the software. Because Certbot is in such active development it’s worth using this repository to install a newer Certbot than provided by Ubuntu.
First, add the repository:
sudo add-apt-repository ppa:certbot/certbot
You’ll need to press ENTER
to accept. Afterwards, update the package list to pick up the new repository’s package information:
sudo apt-get update
And finally, install Certbot from the new repository with apt-get
:
sudo apt-get install python-certbot-apache
The certbot
Let’s Encrypt client is now ready to use.
##Step 2 — Set Up the Certificates
Generating an SSL Certificate for Apache using the certbot
Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.
Although it is possible to bundle multiple Let’s Encrypt certificates together, even when the domain names are different, it is recommended that you create separate certificates for unique domain names. As a general rule of thumb, only subdomains of a particular domain should be bundled together.
###Generating the first SSL certificate
We will start by setting up the SSL certificate for the first virtual host, example.com
.
We will execute the interactive installation and obtain a bundled certificate that is valid for a domain and a subdomain, namely example.com
as base domain and www.example.com
as subdomain. You can include any additional subdomains that are currently configured in your Apache setup as either virtual hosts or aliases.
Run the certbot
command with:
sudo certbot --apache -d example.com -d www.example.com
Notice that the first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases.
For this example, the base domain will be example.com
.
After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both http
and https
access or forcing all requests to redirect to https
.
When the installation is finished, you should be able to find the generated certificate files at /etc/letsencrypt/live
. You can verify the status of your SSL certificate with the following link (don’t forget to replace example.com with your base domain):
https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest
You should now be able to access your website using a https
prefix.
Generating the second SSL certificate
Generating certificates for your additional virtual hosts should follow the same process described in the previous step.
Repeat the certificate install command, now with the second virtual host you want to secure with Let’s Encrypt:
sudo certbot --apache -d test.com -d www.test.com
For this example, the base domain will be test.com
.
Again, you can verify the status of your SSL certificate with the following link (don’t forget to replace test.com with your base domain):
https://www.ssllabs.com/ssltest/analyze.html?d=test.com&latest
If you want to generate certificates for additional virtual hosts, simply repeat the process, and don’t forget to use the bare top-level domain as your base domain.
##Step 3 — Set Up Auto-Renewal
Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. We’ll need to set up a regularly run command to check for expiring certificates and renew them automatically.
To run the renewal check daily, we will use cron
, a standard system service for running periodic jobs. We tell cron
what to do by opening and editing a file called a crontab
.
sudo crontab -e
Your text editor will open the default crontab which is a text file with some help text in it. Paste in the following line at the end of the file, then save and close it:
crontab
. . .
15 3 * * * /usr/bin/certbot renew --quiet
The 15 3 * * *
part of this line means “run the following command at 3:15 am, every day”. You may choose any time.
The renew
command for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days. --quiet
tells Certbot not to output information nor wait for user input.
cron
will now run this command daily. Because we installed our certificates using the --apache
plugin, Apache will also be reloaded to ensure the new certificates are used.
For more information on how to create and schedule cron jobs, you can check our How to Use Cron to Automate Tasks in a VPS guide.
##Conclusion
In this guide, we saw how to install free SSL certificates from Let’s Encrypt in order to secure multiple virtual hosts on Apache. We recommend that you check the official Let’s Encrypt blog for important updates from time to time.