In this blog, you will use Certbot to obtain an SSL certificate for Apache on Ubuntu 18.04 and set up your certificate to renew automatically.
This blog uses a separate Apache virtual host file instead of the default configuration file.
We recommend creating an Apache virtual host file for each domain because it helps avoid common mistakes and keeps the default files as a fallback configuration.
What are the prerequisites needed?
To follow this blog, you will need:
- One Ubuntu 18.04 server set up by following the initial server setup for Ubuntu 18.04 tutorial, including a sudo non-root user and a firewall.
- A registered domain name. This tutorial will use your_domain as an example throughout. You can purchase a domain name on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.
- Both of the following DNS records set up for your server:
  - An A record with your_domain pointing to your server’s IP address.
  - An A record with www.your_domain pointing to your server’s IP address.
What are the steps to secure apache?
Step 1 — Installing Certbot
The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on the server.
Certbot is under very active development, so the Certbot packages provided by Ubuntu tend to be outdated. However, the Certbot developers maintain an Ubuntu software repository with up-to-date versions, so use that repository instead.
First, add the repository:
sudo add-apt-repository ppa:certbot/certbot
You’ll need to press ENTER to accept.
Install Certbot’s Apache package with apt:
sudo apt install python-certbot-apache
Certbot is now ready to use, but in order for it to configure SSL for Apache, we need to verify some of Apache’s configuration.
Step 2 — Set Up the SSL Certificate:
Certbot needs to be able to find the correct virtual host in your Apache configuration for it to automatically configure SSL. Specifically, it does this by looking for a ServerName directive that matches the domain you request the certificate for.
You should have a VirtualHost block for your domain at /etc/apache2/sites-available/your_domain.conf with the ServerName directive already set appropriately.
Open the virtual host file for your domain in your text editor and find the ServerName line. It should look like this:
/etc/apache2/sites-available/your_domain.conf
...
ServerName your_domain
...
If it does, exit your editor and move on to the next step. If it doesn’t, update the directive to match your domain and save the file.
Then verify the syntax of your configuration edits:
sudo apache2ctl configtest
If you get an error, reopen the virtual host file and check for typos or missing characters. Once your configuration file’s syntax is correct, reload Apache to load the new configuration:
sudo systemctl reload apache2
Certbot can now find the correct VirtualHost block and update it.
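Because Certbot’s Apache plugin matches on the ServerName value, a small pre-flight check saves a failed run. The script below is an added example, not code from the original post: it reads the first ServerName directive from a virtual host file and confirms it equals the domain you are about to request. The two vhost files it creates are constructed samples; the path under /etc/apache2/sites-available in the usage comment is the one this blog uses.

```sh
#!/bin/sh
# Added example (not from the original post): confirm that an Apache virtual
# host file names the exact domain you are about to request a certificate for,
# which is what Certbot's --apache plugin looks for.

# Print the value of the first ServerName directive in a vhost file.
# Returns 1 when the file has no ServerName at all.
vhost_server_name() {
  name=$(sed -n 's/^[[:space:]]*ServerName[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
  [ -n "$name" ] || return 1
  printf '%s\n' "$name"
}

# Succeed only when the ServerName equals the expected domain exactly.
# A stray character such as a trailing ';' makes this fail on purpose: Apache
# would treat 'your_domain;' as the literal hostname and Certbot would not match it.
vhost_matches_domain() {
  found=$(vhost_server_name "$1") || return 1
  [ "$found" = "$2" ]
}

# Two constructed vhost files (not the live configuration) so the check runs offline.
GOOD_VHOST=$(mktemp)
cat > "$GOOD_VHOST" <<'EOF'
<VirtualHost *:80>
    ServerName your_domain
    ServerAlias www.your_domain
    DocumentRoot /var/www/your_domain
</VirtualHost>
EOF

BAD_VHOST=$(mktemp)
cat > "$BAD_VHOST" <<'EOF'
<VirtualHost *:80>
    ServerName your_domain;
    DocumentRoot /var/www/your_domain
</VirtualHost>
EOF

# On the server you would run it against the real file before calling certbot, e.g.:
#   vhost_matches_domain /etc/apache2/sites-available/your_domain.conf your_domain \
#     && sudo apache2ctl configtest
```

The second sample deliberately carries the trailing semicolon that often creeps in from Nginx habits; the check rejects it, whereas apache2ctl configtest alone would accept the file and Certbot would later fail to find a matching host.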
Next, update the firewall to enable HTTPS traffic.
Step 3 — Enabling HTTPS Through the Firewall
If you have the ufw firewall enabled, you’ll need to adjust the settings to allow HTTPS traffic.
Apache registers several profiles with ufw upon installation.
You can see the current setting by entering:
sudo ufw status
It will look like this, meaning that only HTTP traffic is allowed to the web server:
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)
To let in HTTPS traffic, allow the Apache Full profile (which opens both port 80 and port 443) and delete the redundant Apache profile allowance:
sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'
Your status should now look like this:
sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
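If the firewall still only admits port 80, the certificate will install but nobody can reach the HTTPS site, so it is worth checking the ufw state mechanically. The function below is an added example, not part of the original post: it reads a ufw status listing and reports whether a profile that opens port 443 is allowed. The two listings are constructed from the before and after states shown in this step; the Apache Secure profile name is the one ufw’s Apache application profile defines alongside Apache and Apache Full.

```sh
#!/bin/sh
# Added example (not from the original post): classify a `ufw status` listing
# so you can tell whether the firewall actually admits HTTPS before running Certbot.

# Reads the listing on stdin and prints one of:
#   https     - a profile that opens port 443 (Apache Full or Apache Secure) is allowed
#   http-only - only the plain Apache profile (port 80) is allowed
#   none      - no Apache profile is allowed at all
ufw_web_state() {
  listing=$(cat)
  if printf '%s\n' "$listing" | grep -Eq '^Apache (Full|Secure)[[:space:]].*ALLOW'; then
    echo https
  elif printf '%s\n' "$listing" | grep -Eq '^Apache[[:space:]].*ALLOW'; then
    echo http-only
  else
    echo none
  fi
}

# Constructed listings copied from the two states shown in this step.
UFW_HTTP_ONLY='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)'

UFW_HTTPS='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)'

# On the server: sudo ufw status | ufw_web_state
```

Run it after the two ufw commands above; anything other than https means port 443 is still closed and the browser test at the end of Step 4 will fail.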
Next, let’s execute Certbot and fetch our certificates.
Step 4 — Obtaining an SSL Certificate
Certbot provides a variety of ways to obtain SSL certificates through plugins.
The Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary. To use this plugin, enter the following:
sudo certbot --apache -d your_domain -d www.your_domain
This runs certbot with the --apache plugin, using -d to specify the names you’d like the certificate to be valid for.
When certbot runs, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will ask how you’d like to configure your HTTPS settings:
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the correct number [1-2] then [enter] (press 'c' to cancel):
Select your choice then hit ENTER. The configuration will be updated, and Apache will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a green lock icon.
Step 5 — Verifying Certbot Auto-Renewal
The certbot package we installed takes care of renewals by including a renew script in /etc/cron.d, which is managed by a systemd timer called certbot.timer.
To check the status of this timer and make sure it’s active and running, you can use:
sudo systemctl status certbot.timer
You’ll get output similar to this:
Output
certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Tue 2020-04-28 17:57:48 UTC; 17h ago
Trigger: Wed 2020-04-29 23:50:31 UTC; 12h left
Triggers: certbot.service
Apr 28 17:57:48 fine-turtle systemd[1]: Started Run certbot twice daily.
To test the renewal process, you can do a dry run with certbot:
sudo certbot renew --dry-run
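A dry run proves the renewal path works today; it does not tell you later that the timer has quietly stopped. The script below is an added example, not code from the original post: it computes how many days a certificate has left and whether it is inside Certbot’s default renewal window (Certbot renews once fewer than 30 days remain). The arithmetic is pure shell and runs offline; cert_expiry_epoch assumes openssl and GNU date as found on Ubuntu, and the /etc/letsencrypt/live path in the usage comment is Certbot’s default layout, which this blog does not show.

```sh
#!/bin/sh
# Added example (not from the original post): work out how many days a
# certificate has left and whether it falls inside Certbot's default renewal
# window, so a stalled timer shows up before the browser warning does.

RENEW_WINDOW_DAYS=30   # certbot's default: it renews once fewer than 30 days remain

# Whole days from 'now' until expiry, both given as Unix epoch seconds.
# Negative when the certificate has already expired.
days_left() {
  echo $(( ($1 - $2) / 86400 ))
}

# Prints "renew" when the certificate is inside the renewal window or expired,
# "ok" otherwise.
renewal_status() {
  days=$(days_left "$1" "$2")
  if [ "$days" -lt "$RENEW_WINDOW_DAYS" ]; then
    echo renew
  else
    echo ok
  fi
}

# Read notAfter from a PEM certificate and convert it to epoch seconds
# (uses openssl and GNU date, as on Ubuntu).
cert_expiry_epoch() {
  notafter=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  date -u -d "$notafter" +%s
}

# Usage on the server (assumed path; certbot stores live certificates under
# /etc/letsencrypt/live/<domain>/ by default):
#   renewal_status "$(cert_expiry_epoch /etc/letsencrypt/live/your_domain/fullchain.pem)" "$(date +%s)"
```

Wired into a monitoring check, a result of renew that persists for more than a day or two means certbot.timer is not doing its job and the dry run above should be repeated to find out why.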
Conclusion
In this blog, you installed the Let’s Encrypt client certbot, downloaded SSL certificates for your domain, configured Apache to use these certificates, and set up automatic certificate renewal.
If you have any questions about how to secure Apache, don’t hesitate to contact us at the email below. Airzero Cloud will be your digital partner. Email: [email protected]
Author - Johnson Augustine
Cloud Architect, Ethical hacker
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/