Introduction
SSL certificates are used within web servers to encrypt the traffic between server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.
This tutorial will show you how to set up TLS/SSL certificates from Let’s Encrypt for securing multiple virtual hosts on Apache, within an Ubuntu 14.04 server.
We will also cover how to automate the certificate renewal process using a cron job.
Prerequisites
In order to complete this guide, you will need:
- An Ubuntu 14.04 server with a non-root sudo user, which you can set up by following our Initial Server Setup guide
- A functional Apache web server installation hosting multiple virtual hosts
It is important that each virtual host is set up in its own separate configuration file, and can be accessed externally via browser. For a detailed guide on how to properly set up Apache virtual hosts on Ubuntu, follow this link.
For the purpose of this guide, we will install Let’s Encrypt certificates for the domains example.com
and test.com
. These will be referenced throughout the guide, but you should substitute them with your own domains while following along.
When you are ready to move on, log into your server using your sudo account.
Step 1 — Download the Let’s Encrypt Client
First, we will download the certbot-auto
Let’s Encrypt client from the EFF download site. The client will automatically pull down available updates as necessary after installation.
We can download the certbot-auto
Let’s Encrypt client to the /usr/local/sbin
directory by typing:
- cd /usr/local/sbin
- sudo wget https://dl.eff.org/certbot-auto
You should now have a copy of certbot-auto
in the /usr/local/sbin
directory.
Make the script executable by typing:
- sudo chmod a+x /usr/local/sbin/certbot-auto
The certbot-auto
client should now be ready to use.
Step 2 — Set Up the Certificates
Generating an SSL Certificate for Apache using the certbot-auto
Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.
Although it is possible to bundle multiple Let’s Encrypt certificates together, even when the domain names are different, it is recommended that you create separate certificates for unique domain names. As a general rule of thumb, only subdomains of a particular domain should be bundled together.
Generating the first SSL certificate
We will start by setting up the SSL certificate for the first virtual host, example.com
.
We will execute the interactive installation and obtain a bundled certificate that is valid for a domain and a subdomain, namely example.com
as base domain and www.example.com
as subdomain. You can include any additional subdomains that are currently configured in your Apache setup as either virtual hosts or aliases.
Run the certbot-auto
command with:
- certbot-auto –apache -d example.com -d www.example.com
Notice that the first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases.
For this example, the base domain will be example.com
.
After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both http
and https
access or forcing all requests to redirect to https
.
When the installation is finished, you should be able to find the generated certificate files at /etc/letsencrypt/live
. You can verify the status of your SSL certificate with the following link (don’t forget to replace example.com with your base domain):
https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest
You should now be able to access your website using a https
prefix.
Generating the second SSL certificate
Generating certificates for your additional virtual hosts should follow the same process described in the previous step.
Repeat the certificate install command, now with the second virtual host you want to secure with Let’s Encrypt:
- certbot-auto –apache -d test.com -d www.test.com
For this example, the base domain will be test.com
.
Again, you can verify the status of your SSL certificate with the following link (don’t forget to replace test.com with your base domain):
https://www.ssllabs.com/ssltest/analyze.html?d=test.com&latest
If you want to generate certificates for additional virtual hosts, simply repeat the process, and don’t forget to use the bare top-level domain as your base domain.
Step 3 — Set Up Auto-Renewal
Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The certbot-auto
Let’s Encrypt client has a renew
command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.
To trigger the renewal process for all installed domains, you should run:
- certbot-auto renew
Because we recently installed the certificates, the command will only check for the expiration date and print a message informing that the certificate is not due to renewal yet. The output should look similar to this:
Checking for new version...
Requesting root privileges to run letsencrypt...
/home/sammy/.local/share/letsencrypt/bin/letsencrypt renew
Processing /etc/letsencrypt/renewal/example.com.conf
The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
Notice that if you created a bundled certificate with multiple domains, only the base domain name will be shown in the output, but the renewal should be valid for all domains included in this certificate.
A practical way to ensure your certificates won’t get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day, for instance.
Let’s edit the crontab to create a new job that will run the renewal command every week. To edit the crontab for the root user, run:
- sudo crontab -e
Include the following content, all in one line:
30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
Save and exit. This will create a new cron job that will execute the certbot-auto renew
command every Monday at 2:30 am. The output produced by the command will be piped to a log file located at /var/log/le-renewal.log
.