How to secure a website for free using Let's Encrypt, on Apache


Step 1: Install certbot


If you get the following whilst running sudo apt-get install certbot:

Building dependency tree       
Reading state information... Done
E: Unable to locate package certbot

... Then you can use this guide to install certbot.

If it is already installed, then you can skip to step 2.

First, add the following repository:

sudo add-apt-repository ppa:certbot/certbot

You will need to hit [ENTER] to ensure this repo is added.

Afterwards, update your package list:

sudo apt-get update

Finally you can install certbot. Note it is called python-certbot-apache.

sudo apt-get install python-certbot-apache

You will have to hit Y to ensure this package is installed. Now certbot is ready to use!


Step 2: Configure the SSL certificate


Option 2.1 - easy (automatic)

With Apache, you can try running the following command to set up the SSL certificate automatically. If you are using another server, or you would prefer to install it yourself, then follow option 2.2 below.

Be sure to replace example.com with your own domain!

sudo certbot --apache -d example.com

You can configure an SSL certificate for multiple domains using multiple -d flags - for example: -d www.example.com -d myawesomesubdomain.example.com

Option 2.2 - manual

Run the following command to generate a free SSL certificate. Be sure to replace /var/www/html with your website root directory, and example.com with your domain name.

sudo certbot certonly --webroot -w /var/www/html -d example.com

Multiple domains can be chained with multiple -d flags (as above).

After verification, you will have to add the SSL certificate to your Apache config. Assuming your configuration is in /etc/apache2/sites-enabled/000-default.conf:

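<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
    SSLEngine on
    # fullchain.pem is cert.pem followed by chain.pem (leaf plus intermediates).
    # Apache 2.4.8 and later read the whole chain from SSLCertificateFile.
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    # On Apache older than 2.4.8, use cert.pem in SSLCertificateFile and add:
    # SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>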

Restart Apache ...

sudo service apache2 restart

... and your SSL certificate should now work!
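
A small linter for a manually edited virtual host like the one above, added here as an example (it is not part of the original guide or of certbot): it parses the <VirtualHost> blocks and flags certificate directives that break chain serving or renewal. The sample configurations and the names parse_vhosts, lint_tls_vhost, WEAK and FIXED are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

def parse_vhosts(text):
    """Return one dict per <VirtualHost> block: '_addr' plus lower-cased directives."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"_addr": opened.group(1).strip()}
        elif line.lower().startswith("</virtualhost") and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            current[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return vhosts

def lint_tls_vhost(vh):
    """Return findings for one HTTPS vhost that uses certbot's file layout."""
    if not vh["_addr"].endswith(":443"):
        return []  # only the TLS vhost is checked
    cert, key, chain = (vh.get("sslcertificate" + k) for k in ("file", "keyfile", "chainfile"))
    findings = [] if vh.get("sslengine", "").lower() == "on" else ["SSLEngine is not on"]
    if not cert or not key:
        return findings + ["SSLCertificateFile or SSLCertificateKeyFile missing"]
    paths = [PurePosixPath(p) for p in (cert, key, chain) if p]
    if any("archive" in p.parts for p in paths):
        findings.append("path under archive/ goes stale after renewal; use live/")
    if len({p.parent for p in paths}) > 1:
        findings.append("certificate files come from different directories")
    if chain and PurePosixPath(chain).name == "fullchain.pem":
        findings.append("fullchain.pem as chain file repeats the leaf; use chain.pem")
    elif paths[0].name == "cert.pem" and not chain:
        findings.append("leaf only: intermediates are not served")
    return findings

# Constructed sample vhosts (example.com paths follow certbot's live/ and archive/ layout).
VHOST = "<VirtualHost *:443>\nSSLEngine on\nSSLCertificateFile {cert}\nSSLCertificateKeyFile {key}\n</VirtualHost>"
LIVE, ARCHIVE = "/etc/letsencrypt/live/example.com/", "/etc/letsencrypt/archive/example.com/"
WEAK = VHOST.format(cert=LIVE + "cert.pem", key=ARCHIVE + "privkey1.pem")
FIXED = VHOST.format(cert=LIVE + "fullchain.pem", key=LIVE + "privkey.pem")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("fixed", FIXED)):
        print(label, [lint_tls_vhost(vh) or "ok" for vh in parse_vhosts(conf)])
```

To check a real file, pass its contents to parse_vhosts, for example the text of your sites-enabled configuration.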


Step 3: Ensure your SSL certificate renews


You should set up a cron job to ensure your SSL certificate renews itself.

First, open the crontab file in edit mode:

sudo crontab -e

Then add the following:

30 2 * * * /usr/bin/certbot renew --quiet

The schedule (30 2 * * *) means "run what follows at 2:30am each day". The command /usr/bin/certbot renew --quiet will renew your certificate if required.