Securing Apache with free SSL certificates
Getting a certificate installed has got to be one of the very first things that I do on a fresh Apache server. Before you get here, you’ll want to make sure that you have an Apache web server running on Ubuntu 16.04 (for the sake of this article anyway), your host names set up correctly, and DNS configured properly to point to your web server.
Certbot does a name lookup against your DNS to ensure that the domain is pointing to your web server and that you have a properly configured hostname on your server. Otherwise, this will fail.
First, let’s get the repository added. You may need to do a sudo apt-get update prior to copying / pasting these in your terminal.
sudo add-apt-repository ppa:certbot/certbot
Do another sudo apt-get update.
sudo apt-get update
Now get Certbot (LetsEncrypt) installed.
sudo apt-get install python-certbot-apache
Getting a new certificate:
sudo certbot --apache -d example.com
For multiple domains:
sudo certbot --apache -d example.com -d www.example.com
The certbot package we installed takes care of renewal for us by running certbot renew twice a day via a systemd timer. On non-systemd distributions this functionality is provided by a cron script placed in /etc/cron.d. The task runs twice daily and will renew any certificate that’s within thirty days of expiration.
To test the renewal process, you can do a dry run with certbot:
sudo certbot renew --dry-run
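To see whether a given certificate has entered the thirty-day window in which the scheduled certbot renew acts, you can check its expiry with openssl. This is an added example, not part of the original article or of certbot: the function name cert_status and its status words are made up here, and it assumes the openssl command is installed and that you pass the script the path to a PEM certificate.

```shell
#!/bin/sh
# Added example (not from the original article): report whether a PEM
# certificate is inside the thirty-day renewal window described above.
# Assumptions: openssl is installed; cert_status and its status words
# are names chosen for this example.

RENEW_WINDOW_DAYS=30

# cert_status FILE [DAYS]
# Prints one word and returns a matching exit code:
#   ok (0)         - valid for longer than DAYS
#   renew-due (1)  - still valid, but expires within DAYS
#   expired (2)    - already past its notAfter date
#   unreadable (3) - file missing or not a parseable certificate
cert_status() {
    cert=$1
    days=${2:-$RENEW_WINDOW_DAYS}

    # Reject anything openssl cannot parse as an X.509 certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "unreadable"
        return 3
    fi

    # -checkend N exits non-zero when the certificate expires within
    # N seconds; N=0 therefore means "has already expired".
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
        return 2
    fi

    if ! openssl x509 -in "$cert" -noout \
            -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "renew-due"
        return 1
    fi

    echo "ok"
    return 0
}

# Check every certificate path given on the command line.
for cert_path in "$@"; do
    printf '%s: %s\n' "$cert_path" "$(cert_status "$cert_path")"
done
```

A certificate that still reports renew-due after the timer has had a day or two to run points to a renewal that is failing, which the dry run above will help diagnose.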
There is an update to this!
Certbot currently has a workaround for the process described in this article. After getting certbot installed, run the command below instead.
See this link for further information: https://github.com/certbot/certbot/issues/5405
certbot --authenticator standalone --installer apache -d <yourdomain> --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"