SSL/TLS certificates are used to encrypt the incoming and outgoing data from server to client and vice versa. SSL works on public key authentication mechanism. Whenever a client is sending any information to server, if their is SSL working then the browser will encrypt the data using the public key provided by server and then it will send the data to server. Once the data is received at server, it decrypts it with the private key which resides on the server. The advantage here is that if an attacker is intercepting the data, he will not be able to decrypt and understand the data without private key.
Installing the SSL/TLS certificate on a Linux server is a complex job, but EFF developed Certbot, a tool which automates the process of installing and configuring SSL on Apache webserver makes it easier. Certbot is client for Let's Encrypt project, and was previously known as
letsencrypt. Using Certbot we can automatically install SSL's on Apache web server for free as it is an open source project.
In this tutorial we will learn how to secure our website running on Apache with an SSL/TLS certificate from Let's Encrypt using Certbot in Ubuntu 14.04 and Ubuntu 16.04 server. We will also learn to automate the renewal of certificates using Cron Jobs.
You will need a VPS or Cloud Server with any machine running on either Ubuntu 14.04 or Ubuntu 16.04. You will need an
A record pointed towards the IP address of your server. Because when we will be installing the SSL certificate installer will automatically check if domain is pointed towards server or not. You can easily point your domain to the IP address using
A record through DNS management by logging into the domain control panel of your domain.
In this tutorial we will consider that you are logged in to your server using non root account. If you are logged in using root account, simply omit using
sudo command before the commands we will be using.
Additionally you will need an Apache web server installed on your machine. If you do not have Apache installed in your machine, you can do it by running the following command.
sudo apt-get install apache2
This command will install the Apache web server in your machine. If you now access your website using your server IP or domain, you should see Apache default page. For more information on installing Apache or LAMP stack, you may read How to Install LAMP with phpMyAdmin on Ubuntu.
Install Certbot SSL on Ubuntu 14.04
Certbot is not prepacked on this version of ubuntu so you will have to download it from it's website. You can either download the installer script from Certbot's official website or you can clone the files from github. If you want to download the script from Certbot's website then run the following command.
It's a small script hence will not take more then seconds to download. Now you will have to give the script privileges to execute. Run the following command
chmod a+x certbot-auto
Now you can run the installer script by executing following command.
An alternative method to download the installer script from official repository of Certbot, using git. Download git using the following command.
sudo apt-get -y install git
Once git is installed, run the following command to clone the repository.
git clone https://github.com/certbot/certbot
Now run the following command to change the directory.
From here, you can also run the same command to run the installer, which is -
If you run the above command then the installer script will guide you through the installation interactively. If you run the installer script without any arguments then the script will download all the dependencies it needs to install the SSL certificate. It will ask you if you want to continue with installation, before downloading and installing dependencies, enter
y and continue with the installation.
Once all the dependencies have been installed, it will check your configuration files to find the domains, if there is none, then it will ask you to enter your domain names. You can enter more the one domain, separated by comma or space. Make sure that the domains you are entering are created in Virtual Hosts configuration files.
Press the OK button to proceed. Now it will ask you to enter your email, this email will be used for urgent notices and lost key recovery.
Press the OK button again and you will be asked to accept the terms and conditions. Click on the Agree button to proceed further. Next you will be asked whether HTTPS is required or optional. If you choose easy then your website can be browsed using HTTP and HTTPS both. If you choose secure, then if somebody tries to browse your website with HTTP connection, he will be automatically redirected to secure connection or HTTPS. Choose accordingly.
Now you will be shown an message that you have successfully enabled SSL on the domains you have entered.
Some important information will be shown to you in which you will be told about the expiry of the certificate, which is 90 days from the date of installation. You may now navigate to the directory
/etc/letsencrypt/live to check the keys associated with your domain. It is strongly advised that you take regular backup of the directory
/etc/letsencrypt because this directory contains all of your account credentials.
Finally you can verify the installation of SSL by going to -
If you see a green padlock at the corner of the domain, your website is now secured.
Alternatively you can go to -
It will tell you all the information and grade of your SSL certificate.
If you'd like you can give additional arguments while installing the cert. Use
-d followed by the domain name if you want to install the certificate for more domains or subdomains. For example if you want to install the certificate for
mydomain.com as well as
hello.mydomain.com, use the following command.
./certbot-auto -d mydomain.com -d www.mydomain.com -d hello.mydomain.com
Now the installer will install the certificate for all these domains. You can also specify your email using
If you want to obtain only the certificates from Let's encrypt, you can do so by running the following command instead of the above.
./certbot-auto --apache certonly
Now the script will only obtain the certificates, installer will not do any modifications in your Apache configuration files. You can manually install the certificates later on.
Let's Encrypt CA issues the certificate for a very short period which is 90 days, so it is important that we renew the certificate once every three months. To renew the certificate run the following command.
This command will check for the certificates which are going to expire within 30 days, and it will automatically renew them. But we can simplify the process of automatic renewal using cron. Cron jobs are used for scheduling tasks in linux. Before using a cron job, we must move the installation script to some place safer than the current directory.
Move the installer script to
/etc directory using the following command.
sudo mv certbot-auto /etc
Now edit crontab file using the command -
sudo crontab -e
Now open the crontab file in text editor, enter the following line at the end of the file.
* 1 * * 1 /etc/certbot-auto renew --quiet *
Write the file once done. The above command will run the installer script to renew the certificate at 1 AM, every Monday. If the script finds any certificate which is to be renewed within 30 days, installer will automatically renew them. We have used
--quiet argument so that installer will work in background and will not produce any error or warning.
Install Certbot SSL on Ubuntu 16.04
In Ubuntu 16.04 Certbot package is prepacked. To install Certbot SSL from official repository of Ubuntu 16.04, you can simply run this command to install the dependencies.
sudo apt-get install python-letsencrypt-apache
Once you run this command, it will ask you to confirm installing packages, press
y to proceed through the installation. It will now automatically install all the required packages.
Now run the following command to start the installation of Certbot or Let's Encrypt SSL.
This command will start the installation and it is same as we installed in ubuntu 14.04. We can also specify the arguments with the above command. For example
If you want to obtain only the certificates from Let's Encrypt, you can do so by running the following command instead of the above.
sudo letsencrypt --apache certonly
Now the script will only obtain the certificates, installer will not do any modifications to your configuration files. You manually install the certificates later.
In Ubuntu 16.04 you can renew the certificate using the following command.
This command will simply check for all the certificates which are expiring in a month, and it automatically renews them. To automate this task using cron scheduler, you can edit the crontab file using the following command.
sudo crontab -e
Now at the end of the file append this line.
* 1 * * 1 letsencrypt renew --quiet *
Write the file once done. The above command will run the installer script every monday at 1 AM. If the script finds any certificate which is scheduled to be renewed, the script renews the certificates.
--quiet argument enable the command to run the task in background without producing any error.
We have successfully installed SSL/TLS certificate provided by Let's Encrypt Certificate Authority on both Ubuntu 14.04 and Ubuntu 16.04. We also learned to automate the renewal process using Cron Jobs. Using SSL/TLS certificate we can secure our incoming and outgoing data.