How To Install a FREE SSL Certificate for Apache on Ubuntu 20.04
December 28, 2021
In this tutorial, we explain how to use the Let’s Encrypt client Certbot on Ubuntu 20.04 to obtain SSL certificates for your domains. Certbot is a command-line utility for managing Let’s Encrypt SSL certificates on a Linux system. It allows you to request a new SSL certificate, complete the domain authorization and configure your Apache web server's SSL settings. It also helps you renew certificates issued by the Let’s Encrypt certificate authority.
Prerequisites
Before installing Let’s Encrypt, make sure you meet the following prerequisites:
- You should have Apache installed.
- Have an A record with your_domain pointing to your server’s public IP address.
- Have an A record with www.your_domain pointing to your server’s public IP address.
If you have fulfilled the requirements for getting started with the installation of Let’s Encrypt, follow the simple step-by-step guide.
First, update the Ubuntu system’s cache repository by typing the command provided below:
sudo apt update && sudo apt upgrade -y
Upgrading Let’s Encrypt Certbot by switching to the Snap version
We are going to upgrade to the newest version of Certbot by doing the following. First, remove the old APT version of Certbot:
sudo apt remove -y certbot python3-certbot-apache
Next, install the Snap version of Certbot:
sudo snap install --classic certbot
And finally, link the Certbot binary so it can be run from anywhere:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
That’s it! Now Certbot on your system is the latest version and running through Snap. It will keep itself updated from now on.
If you encounter any issues with the above, try upgrading your system as a whole with the regular apt commands:
sudo apt update && sudo apt upgrade -y
To confirm and begin the installation, type Y and press the Enter key.
Get the Let’s Encrypt SSL certificate
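To enable OCSP stapling, simply add the --staple-ocsp flag when issuing the certbot command. The command below also passes --key-type ecdsa to request an ECDSA key instead of RSA, and --preferred-chain "ISRG Root X1" to prefer the certificate chain that ends at the ISRG Root X1 root. To get the SSL certificate using Certbot, type the command given below: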
sudo certbot --apache --staple-ocsp --key-type ecdsa --preferred-chain "ISRG Root X1"
First, provide the email address:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):info@your_domain
Next, agree to the Terms of Service by typing A and pressing Enter:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
Next, it will ask whether to share your email address with the EFF (Electronic Frontier Foundation). Type Y if you want to share it or N if you do not:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
If you need both the www and non-www names, you will get the following prompt. As a best practice, enable both by typing 1,2 and pressing Enter:
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your_domain
2: www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
As a best practice, redirect HTTP traffic to HTTPS, removing HTTP access, by typing 2 and pressing Enter:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
After answering all the questions, the installation will start, and you will have the new SSL certificate.
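The following is an added example, not part of the original tutorial: a POSIX shell script that checks the three things the certbot command above asked for (HTTP-to-HTTPS redirect, a stapled OCSP response, an ECDSA key) from the output of curl and openssl. The function names and the sample outputs are constructed for illustration; pass a hostname as the first argument to run the checks against a live server.

```sh
#!/bin/sh
# Added example: each check reads captured command output on stdin.

# stdin: `curl -sI http://HOST/`. Pass on a permanent redirect to an https:// URL.
redirects_to_https() {
  hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
  printf '%s\n' "$hdrs" | head -n 1 | grep -Eq '^http/[0-9.]+ (301|308)( |$)' &&
    printf '%s\n' "$hdrs" | grep -Eq '^location: https://'
}

# stdin: `openssl s_client -status` output. Pass only if a good response is stapled.
ocsp_stapled() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful' &&
    printf '%s\n' "$out" | grep -q 'Cert Status: good'
}

# stdin: `openssl x509 -noout -text` of the leaf. Pass if the key is elliptic-curve.
key_is_ecdsa() {
  grep -q 'Public Key Algorithm: id-ecPublicKey'
}

# args: the three captured outputs, in the order above. Prints one summary line.
summarise() {
  r=FAIL; s=FAIL; k=FAIL
  printf '%s\n' "$1" | redirects_to_https && r=ok
  printf '%s\n' "$2" | ocsp_stapled && s=ok
  printf '%s\n' "$3" | key_is_ecdsa && k=ok
  echo "redirect=$r staple=$s key=$k"
}

# arg: hostname. Needs network access, curl and openssl; only run when asked.
verify_live() {
  h=$(curl -sI "http://$1/")
  st=$(openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null)
  x=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -text)
  summarise "$h" "$st" "$x"
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://your_domain/'
SAMPLE_STATUS='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
SAMPLE_X509='            Public Key Algorithm: id-ecPublicKey'

if [ -n "${1:-}" ]; then verify_live "$1"; else
  summarise "$SAMPLE_HEADERS" "$SAMPLE_STATUS" "$SAMPLE_X509"
fi
```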