Airzero Cloud


In this blog, you will use Certbot to obtain a free Let’s Encrypt SSL certificate for Apache on Ubuntu 18.04 and set up your certificate to renew automatically.

This blog will use an Apache virtual host file instead of the default configuration file.

We recommend creating a separate Apache virtual host file for each domain, because it helps you avoid common mistakes and leaves the default files in place as a fallback configuration.

What are the prerequisites?

To follow this blog, you will need:

  • One Ubuntu 18.04 server set up by following an initial server setup guide for Ubuntu 18.04, including a non-root user with sudo privileges and a firewall.
  • A registered domain name. This tutorial will use your_domain as an example throughout. You can purchase a domain name on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.
  • Both of the following DNS records set up for your server:
    An A record with your_domain pointing to your server’s public IP address.
    An A record with www.your_domain pointing to your server’s public IP address.
  • Apache installed, with a virtual host file for your domain (this is checked in Step 2).

What are the steps to secure Apache?

Step 1 — Installing Certbot

The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on the server.

Certbot is under rapid development, so the Certbot packages shipped by Ubuntu tend to be outdated. However, the Certbot developers maintain an Ubuntu software repository (a PPA) with up-to-date versions, so use that repository instead. The Certbot project has since retired this PPA in favour of its snap package, so if the repository is no longer available, follow the current installation instructions at https://certbot.eff.org.

First, include the repository:

sudo add-apt-repository ppa:certbot/certbot

You’ll be prompted to press ENTER to accept. Then install Certbot’s Apache package with apt:

sudo apt install python-certbot-apache

Certbot is now ready to use, but in order for it to configure SSL for Apache, we need to verify some of Apache’s configuration.

Step 2 — Setting Up the SSL Certificate

Certbot needs to be able to find the correct virtual host in your Apache configuration in order to configure SSL automatically. Specifically, it does this by looking for a ServerName directive that matches the domain you request the certificate for.

You should have a VirtualHost block for your domain at /etc/apache2/sites-available/your_domain.conf with the ServerName directive already set appropriately. Open the virtual host file for your domain in your preferred editor.

Find the ServerName line. It should look like this:

/etc/apache2/sites-available/your_domain.conf
...
ServerName your_domain
...

If it does, exit the editor and continue with the next step. If it doesn’t, update the ServerName directive to your domain name (note that Apache directives take no trailing semicolon) and save the file. Because Step 4 also requests the certificate for www.your_domain, the same block should list that name in a ServerAlias directive as well; Certbot matches ServerAlias entries too. After any edit, verify the syntax of your configuration:

sudo apache2ctl configtest

If you get an error, reopen the virtual host file and check for typos or missing characters. Once your configuration file’s syntax is correct, reload Apache to load the new configuration:

sudo systemctl reload apache2

Certbot can now find the correct VirtualHost block and update it. Next, update the firewall to allow HTTPS traffic.

Step 3 — Enabling HTTPS Through the Firewall

If you have the ufw firewall enabled, as the prerequisite guide recommends, you’ll need to adjust the settings to allow HTTPS traffic.

Apache registers a few profiles with ufw upon installation. You can see the current setting by typing:

sudo ufw status

It will probably look like this, meaning that only HTTP traffic (port 80) is allowed to the web server:

Output
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache                     ALLOW       Anywhere  
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)

To additionally let in HTTPS traffic, allow the Apache Full profile (ports 80 and 443) and delete the now redundant Apache profile allowance:

sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'

Your status should now look like this:

sudo ufw status

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
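Steps 2 and 3 both leave state that Certbot depends on: a VirtualHost whose ServerName or ServerAlias matches every name you will pass with -d, and a firewall that lets port 443 through. The script below is an added example, not part of the original post, that checks both from the shell before you run certbot. It parses the virtual host file for the names and reads the text of ufw status for the 'Apache Full' profile; the file name, the domain names and the ufw output used by demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the state
# Steps 2 and 3 leave behind, run before `certbot --apache`. Certbot's Apache
# plugin selects the VirtualHost whose ServerName or ServerAlias matches each
# name given with -d, and HTTPS needs port 443 open, which is what the
# 'Apache Full' ufw profile provides. The file name, the domain names and the
# ufw output used by demo() are constructed for illustration.

# vhost_covers_domain FILE DOMAIN
# Exit 0 if FILE names DOMAIN in a ServerName or ServerAlias directive.
# Comments are stripped; a scheme prefix and a :port suffix are ignored.
vhost_covers_domain() {
    sed 's/#.*//' "$1" \
      | grep -Ei '^[[:space:]]*Server(Name|Alias)[[:space:]]' \
      | tr -s '[:space:]' '\n' \
      | grep -Eiv '^Server(Name|Alias)$' \
      | sed -E 's#^[a-z]+://##; s/:[0-9]+$//' \
      | grep -qixF "$2"
}

# vhost_check FILE DOMAIN...
# Reports each DOMAIN the file does not cover; exit 1 if any is missing.
vhost_check() {
    file=$1
    shift
    rc=0
    for name in "$@"; do
        if vhost_covers_domain "$file" "$name"; then
            echo "ok: $file covers $name"
        else
            echo "missing: add 'ServerAlias $name' to $file before running certbot" >&2
            rc=1
        fi
    done
    return $rc
}

# ufw_https_allowed
# Reads `ufw status` text on stdin; exit 0 if 'Apache Full' (80 and 443) is allowed.
ufw_https_allowed() {
    grep -Eq '^Apache Full[[:space:]]+ALLOW'
}

# ufw_http_only
# Reads `ufw status` text on stdin; exit 0 if the plain 'Apache' profile
# (port 80 only) is still listed, i.e. Step 3 has not been completed.
ufw_http_only() {
    grep -Eq '^Apache[[:space:]]+ALLOW'
}

# demo: a constructed vhost file and constructed ufw output; needs no root.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/your_domain.conf" <<'EOF'
<VirtualHost *:80>
    ServerName your_domain
    ServerAlias www.your_domain
    DocumentRoot /var/www/your_domain
</VirtualHost>
EOF
    vhost_check "$dir/your_domain.conf" your_domain www.your_domain
    # `ufw status` as it looks before Step 3 (constructed): HTTP only.
    status='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache                     ALLOW       Anywhere'
    if printf '%s\n' "$status" | ufw_http_only; then
        echo "firewall: HTTP only; run: sudo ufw allow 'Apache Full' && sudo ufw delete allow 'Apache'"
    fi
    rm -rf "$dir"
}

if [ $# -ge 2 ]; then
    # Real use: sh preflight.sh /etc/apache2/sites-available/your_domain.conf your_domain www.your_domain
    vhost_check "$@"
    sudo ufw status | ufw_https_allowed || echo "firewall: port 443 is not open (allow 'Apache Full')" >&2
else
    demo
fi
```

Run it with no arguments to see the checks against the constructed data, or pass your virtual host file followed by every name you intend to give certbot with -d; a "missing" line means certbot will not find a matching VirtualHost for that name.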

Next, let’s execute Certbot and fetch our certificates.

Step 4 — Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Apache plugin will take care of reconfiguring Apache and reloading the configuration whenever necessary. To use this plugin, enter the following:

sudo certbot --apache -d your_domain -d www.your_domain

This runs certbot with the --apache plugin, using -d to specify the names you’d like the certificate to be valid for (each name must resolve to this server, as set up in the prerequisites, because Let’s Encrypt validates ownership over HTTP on port 80). If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After that, certbot will ask how you’d like to configure your HTTPS settings:

Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

-------------------------------------------------------------------------------
Select the correct number [1-2] then [enter] (press 'c' to cancel):

Select your choice then hit ENTER. The configuration will be updated, and Apache will reload to pick up the new settings. Certbot will wrap up with a message telling you the process was successful and where your certificates are stored:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a lock icon.

Step 5 — Verifying Certbot Auto-Renewal

Let’s Encrypt certificates are only valid for ninety days, so renewal must be automated. The certbot package we installed takes care of this by adding a renew script to /etc/cron.d, which is driven by a systemd timer called certbot.timer; the timer runs twice a day and renews any certificate that is within thirty days of expiry.

To check the status of this service and make sure it’s active and executing, you can use:

sudo systemctl status certbot.timer

You’ll get output similar to this:

Output
certbot.timer - Run certbot twice daily
   Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
   Active: active (waiting) since Tue 2020-04-28 17:57:48 UTC; 17h ago
  Trigger: Wed 2020-04-29 23:50:31 UTC; 12h left
 Triggers: certbot.service

Apr 28 17:57:48 fine-turtle systemd[1]: Started Run certbot twice daily.

To test the renewal process itself, you can do a dry run with certbot; if it completes without errors, automatic renewal is working:

sudo certbot renew --dry-run
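A dry run proves that certbot can talk to Let’s Encrypt, but it does not tell you whether the certificates Apache is actually serving are fresh. The script below is an added example, not part of the original post, that checks the certificate files certbot keeps under /etc/letsencrypt/live with openssl: since certbot renews anything within thirty days of expiry, a live certificate closer to expiry than that means certbot.timer is not doing its job. The directory is a parameter so the check can run against a constructed tree; demo() builds one from throwaway self-signed certificates, which are constructed purely for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): an independent check on the
# certificate files certbot manages, to complement `certbot renew --dry-run`.
# certbot renews a certificate once it is within 30 days of expiry, so any
# live certificate closer to expiry than that means certbot.timer is not
# doing its job. The directory is a parameter so the check can run against
# a constructed tree; demo() builds one with self-signed certificates that
# are constructed here purely for illustration.

# cert_valid_for PEM DAYS
# Exit 0 if the certificate in PEM is still valid DAYS days from now,
# 1 if it expires before then or has already expired.
cert_valid_for() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_names PEM
# Prints the DNS names in the subjectAltName extension, one per line,
# so you can confirm that www.your_domain is covered.
cert_names() {
    openssl x509 -noout -text -in "$1" \
      | grep -A1 'Subject Alternative Name' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS://p'
}

# check_live_dir DIR DAYS
# DIR is laid out like /etc/letsencrypt/live: one subdirectory per certificate
# lineage holding cert.pem. Exit 1 if any certificate expires within DAYS days
# or if no certificate is found at all.
check_live_dir() {
    dir=${1:-/etc/letsencrypt/live}
    days=${2:-30}
    rc=0
    found=0
    for pem in "$dir"/*/cert.pem; do
        [ -f "$pem" ] || continue
        found=1
        name=$(basename "$(dirname "$pem")")
        if cert_valid_for "$pem" "$days"; then
            echo "ok: $name valid for at least $days more days ($(cert_names "$pem" | tr '\n' ' '))"
        else
            echo "WARNING: $name expires within $days days; check 'systemctl status certbot.timer' and run 'sudo certbot renew'" >&2
            rc=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no certificates found under $dir" >&2; return 1; }
    return $rc
}

# selfsigned OUT DAYS NAME: writes a throwaway self-signed cert for NAME and
# www.NAME, valid for DAYS days (demo/test only; needs OpenSSL 1.1.1 or newer).
selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=$3" -addext "subjectAltName=DNS:$3,DNS:www.$3" \
        >/dev/null 2>&1
}

# demo: a constructed live directory with one healthy and one nearly expired cert.
demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/your_domain" "$dir/old.example"
    selfsigned "$dir/your_domain/cert.pem" 90 your_domain
    selfsigned "$dir/old.example/cert.pem" 1 old.example
    check_live_dir "$dir" 30 || echo "demo: at least one certificate needs attention"
    rm -rf "$dir"
}

if [ $# -ge 1 ]; then
    check_live_dir "$1" "${2:-30}"   # e.g. sh check-certs.sh /etc/letsencrypt/live 30
else
    demo
fi
```

With no arguments the script runs against the constructed tree; on a real server run it as sudo sh check-certs.sh /etc/letsencrypt/live (the live directory is root-only), and a non-zero exit status makes it easy to wire into cron or a monitoring check.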

Conclusion

In this blog, you installed the Let’s Encrypt client certbot, obtained SSL certificates for your domain, configured Apache to use these certificates, and set up automatic certificate renewal.

If you have any questions about how to secure Apache, don’t hesitate to contact us at the email below. Airzero Cloud will be your digital partner. Email: [email protected]


Author - Johnson Augustine
Cloud Architect, Ethical hacker
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/