Secure Apache with Let’s Encrypt on Ubuntu 20.04

Let’s Encrypt is a certificate authority created by the Internet Security Research Group (ISRG). It offers free SSL certificates through a fully automated process designed to eliminate manual certificate creation, validation, installation and renewal. Certificates issued by Let’s Encrypt are valid for 90 days from the date of issue and are trusted by all major browsers today.

Prerequisites

Ensure the following prerequisites are met before proceeding:

  • You are logged in as root or as a user with sudo privileges.
  • The domain you want to obtain an SSL certificate for must point to your public server IP. We will use example.com.
  • Apache is installed.

Install Certbot

We will use Certbot to obtain the certificate. It is a command line tool that handles the tasks related to obtaining and renewing Let’s Encrypt SSL certificates. The certbot package is included in the default Ubuntu repositories. Update the package list and install certbot using the following commands:

sudo apt update
sudo apt install certbot

Generate a Strong Diffie-Hellman (DH) Group

Diffie-Hellman (DH) key exchange is a method for securely exchanging cryptographic keys over an insecure communication channel. To strengthen the DHE cipher suites, generate a new set of 2048-bit DH parameters:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

You can change the size up to 4096 bits, but depending on the entropy of the system, it may take more than 30 minutes to generate.

Obtaining a Let’s Encrypt SSL Certificate

To obtain an SSL certificate for the domain, we will use the Webroot plugin, which creates a temporary file for validating the requested domain in the ${webroot-path}/.well-known/acme-challenge directory.

The Let’s Encrypt server makes an HTTP request to that temporary file to validate that the requested domain resolves to the server where Certbot is running.

Run the following commands to create the directory and make it writable by the Apache server:

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

To avoid duplicating code and to keep the configuration maintainable, create the following two configuration snippets. Save the first as /etc/apache2/conf-available/letsencrypt.conf and the second as /etc/apache2/conf-available/ssl-params.conf, which are the names the a2enconf commands below expect:

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Header always set Strict-Transport-Security "max-age=63072000"

The snippet above enables OCSP stapling, sets the HTTP Strict Transport Security (HSTS) header, and restricts TLS to the Mozilla-recommended protocol versions and cipher suites.
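To check that a deployed ssl-params.conf still meets the policy this snippet describes, here is an added example (not part of the original article) that parses the directives and reports deviations; it runs over a copy of the article's snippet and over a constructed weak variant, and the one-year HSTS floor and the weak-cipher pattern are assumptions of the example.

```python
"""Audit an Apache ssl-params snippet. Added example, not the article's code:
it checks the properties the article's snippet claims (modern TLS only,
forward-secret suites, no session tickets, OCSP stapling, DH params, HSTS)."""
import re
import shlex
# Copy of the article's hardened directives (constructed test input).
HARDENED = '''
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Header always set Strict-Transport-Security "max-age=63072000"
'''
# Constructed weak variant: legacy TLS, RSA key exchange, 3DES, short HSTS.
WEAK = '''
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA
SSLSessionTickets on
Header always set Strict-Transport-Security "max-age=300"
'''
def parse_directives(text):  # yields (lower-cased name, [args]); honours quotes
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            parts = shlex.split(line)
            yield parts[0].lower(), parts[1:]
def audit(text, min_hsts=31536000):  # the one-year HSTS floor is an assumption
    """Return a list of findings; an empty list means the policy is met."""
    rows = list(parse_directives(text))
    d, f = dict(rows), []  # last occurrence of a directive wins
    proto = d.get("sslprotocol", [])
    for legacy in ("SSLv3", "TLSv1", "TLSv1.1"):
        if legacy in proto or ("all" in proto and "-" + legacy not in proto):
            f.append(f"{legacy} still enabled")
    for s in filter(None, ":".join(d.get("sslciphersuite", [])).split(":")):
        if not s.startswith(("ECDHE-", "DHE-")) or re.search("RC4|DES|NULL|MD5", s):
            f.append(f"weak or non-forward-secret suite {s}")
    if d.get("sslsessiontickets", ["on"])[0].lower() != "off":
        f.append("session tickets enabled")
    if d.get("sslusestapling", ["off"])[0].lower() != "on":
        f.append("OCSP stapling disabled")
    if "DHParameters" not in d.get("sslopensslconfcmd", []):
        f.append("custom DH parameters not set")
    hsts = [a for n, a in rows if n == "header" and "Strict-Transport-Security" in a]
    m = re.search(r"max-age=(\d+)", " ".join(hsts[-1])) if hsts else None
    if not m or int(m.group(1)) < min_hsts:
        f.append("HSTS missing or max-age below policy")
    return f
```

Point audit() at the text of your own conf-available/ssl-params.conf to re-check it after edits.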

Before enabling the configuration files, ensure that both mod_ssl and mod_headers are enabled by issuing:

sudo a2enmod ssl
sudo a2enmod headers

Next, enable the SSL configuration files by running the following commands:

sudo a2enconf letsencrypt
sudo a2enconf ssl-params

Enable the HTTP/2 module, which makes your sites faster and more robust:

sudo a2enmod http2

Reload the Apache configuration to apply the changes:

sudo systemctl reload apache2

Now we can run the Certbot tool with the webroot plugin to obtain the SSL certificate files (replace the e-mail address and the domains with your own):

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

If the SSL certificate is successfully obtained, certbot prints the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-10-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now that you have the certificate files, edit your domain virtual host configuration as follows:

<VirtualHost *:80>
    ServerName mail.digital.mk
    Redirect permanent / https://mail.digital.mk/
</VirtualHost>

<VirtualHost *:443>
    ServerName mail.digital.mk

    Protocols h2 http/1.1

    <If "%{HTTP_HOST} == 'www.mail.digital.mk'">
        Redirect permanent / https://mail.digital.mk/
    </If>

    DocumentRoot /var/www/mail.digital.mk/public_html
    ErrorLog ${APACHE_LOG_DIR}/mail.digital.mk-error.log
    CustomLog ${APACHE_LOG_DIR}/mail.digital.mk-access.log combined

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/mail.digital.mk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mail.digital.mk/privkey.pem

    # Other Apache Configuration
</VirtualHost>

With the above configuration we force HTTPS and redirect the www version to the non-www version. Feel free to adjust the settings to suit your needs.

To apply the changes, reload the Apache service:

sudo systemctl reload apache2

You can now open your website using https:// and you will notice a green lock icon.

If you test your domain with the SSL Labs Server Test, it will get an A+ grade as shown below:

Let’s Encrypt certificates are valid for 90 days. To renew certificates automatically before they expire, the certbot package creates a cron job that runs twice a day and renews each certificate 30 days before it expires.

After the certificate is renewed, the Apache service has to be reloaded. Add --renew-hook "systemctl reload apache2" to the certbot command in the /etc/cron.d/certbot file so that it looks like this:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"

Note that this cron entry only runs when systemd is absent (the test -d /run/systemd/system guard); on a systemd-based Ubuntu 20.04 install the certbot.timer unit performs the renewal instead, so the same reload must also be configured there, for example as a script under /etc/letsencrypt/renewal-hooks/deploy/.

To test the renewal process, use the certbot --dry-run switch:

sudo certbot renew --dry-run

If there is no error, it means that the renewal process was successful.
