In the following, we're setting up `mydomain.com`. Challenges are served from `/var/www/letsencrypt`.
First we create two snippets (to avoid duplicating code in every virtual host configuration).
Create a file `/etc/apache2/snippets/letsencrypt.conf` containing:

```
# Serve ACME http-01 challenges from /var/www/letsencrypt, independently of
# the virtual host's DocumentRoot (this is the Apache equivalent of the nginx
# "location ^~ /.well-known/acme-challenge/" block).
Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
<Directory /var/www/letsencrypt/.well-known/acme-challenge/>
    Options None
    AllowOverride None
    ForceType text/plain
    Require all granted
</Directory>
```
Create a file `/etc/apache2/snippets/ssl.conf` containing:

```
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
# chain.pem holds only the intermediates; fullchain.pem repeats the leaf
# certificate (Apache >= 2.4.8 can take fullchain.pem in SSLCertificateFile instead).
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
Header always set Strict-Transport-Security "max-age=15768000"
RequestHeader append "X-Forwarded-Proto" "https"
RequestHeader set "X-Forwarded-Ssl" "on"
SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
```

`SSLStaplingCache` is only allowed in the global server configuration, so it cannot live in a snippet that is included inside a `<VirtualHost>`. Put it in `/etc/apache2/conf-available/ocsp-stapling.conf`:

```
SSLStaplingCache shmcb:/var/run/ocsp(128000)
```

and enable it with `sudo a2enconf ocsp-stapling`. The `SSL*` directives need `mod_ssl` and the `Header`/`RequestHeader` directives need `mod_headers`, so make sure both modules are enabled: `sudo a2enmod ssl headers`.
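The snippet above is the tutorial's hardening baseline, and the easiest way to keep it from drifting is to check a snippet mechanically against it. The following Python script is an added example, not code from the original gist: it parses the directive lines of an Apache mod_ssl snippet and reports the settings the tutorial deliberately avoids (legacy protocol versions, non-ECDHE suites, missing HSTS, `SSLStaplingCache` inside a VirtualHost snippet, `fullchain.pem` in `SSLCertificateChainFile`). The function and constant names (`audit`, `enabled_protocols`, `in_vhost`, the two `*_SNIPPET` samples) are mine, the sample snippets are constructed, and only the directives the tutorial uses are understood.

```python
"""Audit an Apache mod_ssl snippet against the tutorial's hardening choices.

Added example, not code from the original gist. audit() returns a list of
findings; an empty list means the snippet matches the tutorial's settings.
"""
import re
import shlex
import sys

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALL_PROTOCOLS = LEGACY_PROTOCOLS | {"TLSv1.2", "TLSv1.3"}
ALL_KEYWORD = ALL_PROTOCOLS - {"SSLv2"}   # Apache 2.4's "all" never includes SSLv2
MIN_HSTS_MAX_AGE = 15768000               # six months, the tutorial's value


def parse_directives(text):
    """Yield (name, args) for every non-blank, non-comment line of a snippet."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)      # keeps quoted header values intact
            yield parts[0], parts[1:]


def enabled_protocols(args):
    """Resolve SSLProtocol arguments (+/-/bare tokens, 'all') to enabled versions."""
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_KEYWORD if name.lower() == "all" else {name}
        if sign == "+":
            enabled = enabled | names
        else:
            enabled = enabled - names
    return enabled


def audit(text, in_vhost=True):
    """Return findings for a snippet; in_vhost=True means it is Included in a <VirtualHost>."""
    seen = {}
    for name, args in parse_directives(text):
        seen.setdefault(name, []).append(args)

    def first_arg(name):
        args = seen.get(name)
        return args[0][0].lower() if args and args[0] else None

    findings = []
    if "SSLProtocol" not in seen:
        findings.append("SSLProtocol not set; Apache's default still allows TLS 1.0")
    for args in seen.get("SSLProtocol", []):
        legacy = sorted(enabled_protocols(args) & LEGACY_PROTOCOLS)
        if legacy:
            findings.append("SSLProtocol enables legacy versions: " + ", ".join(legacy))
    for args in seen.get("SSLCipherSuite", []):
        weak = [c for c in ":".join(args).split(":") if not c.startswith("ECDHE-")]
        if weak:
            findings.append("SSLCipherSuite has suites without forward secrecy: " + ", ".join(weak))
    for directive, wanted in (("SSLHonorCipherOrder", "on"),
                              ("SSLCompression", "off"),
                              ("SSLSessionTickets", "off")):
        if first_arg(directive) != wanted:
            findings.append(f"{directive} should be {wanted}")
    ages = [int(m.group(1)) for args in seen.get("Header", [])
            if "Strict-Transport-Security" in args
            for m in [re.search(r"max-age=(\d+)", " ".join(args))] if m]
    if not ages:
        findings.append("no Strict-Transport-Security header is set")
    elif max(ages) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max(ages)} is below {MIN_HSTS_MAX_AGE}")
    if in_vhost and "SSLStaplingCache" in seen:
        findings.append("SSLStaplingCache is only valid in the server config, not in a <VirtualHost>")
    for args in seen.get("SSLCertificateChainFile", []):
        if args and args[0].endswith("fullchain.pem"):
            findings.append("SSLCertificateChainFile points at fullchain.pem; use chain.pem")
    return findings


# Constructed sample: a snippet with the mistakes this audit is meant to catch.
WEAK_SNIPPET = """\
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA
SSLHonorCipherOrder off
SSLCompression off
SSLUseStapling on
SSLStaplingCache shmcb:/var/run/ocsp(128000)
"""

# Constructed sample following the tutorial's hardened snippet (cipher list shortened).
HARDENED_SNIPPET = """\
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
Header always set Strict-Transport-Security "max-age=15768000"
SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
"""

if __name__ == "__main__":
    # Usage: python audit_ssl_snippet.py /etc/apache2/snippets/ssl.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_SNIPPET
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Run it against `/etc/apache2/snippets/ssl.conf` after every edit; it only reads the file, so it is safe to put in a pre-commit hook for the configuration repository.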
Create the folder for the challenges:

```sh
sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge
```
We don't have a certificate yet at this point, so the domain will be served only as HTTP.
Create a file `/etc/apache2/sites-available/mydomain.conf` containing:

```
<VirtualHost *:80>
    ServerName mydomain.com
    <fill in the rest here>
    Include /etc/apache2/snippets/letsencrypt.conf
</VirtualHost>
<VirtualHost *:443>
    ServerName mydomain.com
    <fill in the rest here>
</VirtualHost>
```
Enable the site (on Debian/Ubuntu the default site is `000-default`, and `a2dissite`/`a2ensite` manage the symlinks in `sites-enabled` for you):

```sh
sudo a2dissite 000-default   # I bet this was done already
sudo a2ensite mydomain
```

Check the configuration and reload Apache:

```sh
sudo apachectl configtest
sudo apachectl -k graceful
```
Install the package:

```sh
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
```

Note: there is also a `letsencrypt` package in APT, but it's a much older version of the client.
Request the certificate (replace `you@example.com` with your own email address):

```sh
sudo certbot certonly --webroot --agree-tos --no-eff-email --email you@example.com --config-dir /etc/letsencrypt --logs-dir /var/log/letsencrypt -w /var/www/letsencrypt -d mydomain.com -d www.mydomain.com
```

It will save the files in `/etc/letsencrypt/live/mydomain.com/`. Certbot names that directory after the first `-d` domain, which is why `mydomain.com` comes first: the paths in `ssl.conf` point there.

Note: The flag `--no-eff-email` opts out of signing up for the EFF mailing list; remove the flag if you'd like to sign up.
Now that you have a certificate for the domain, switch to HTTPS by editing the file `/etc/apache2/sites-available/mydomain.conf` and replacing its contents with:

```
<VirtualHost *:80>
    ServerName mydomain.com
    <fill in the rest here>
    Include /etc/apache2/snippets/letsencrypt.conf
    Redirect permanent / https://mydomain.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName mydomain.com
    <fill in the rest here>
    Include /etc/apache2/snippets/ssl.conf
    # mod_alias processes Redirect before Alias, so challenge requests arriving
    # on port 80 are redirected here; serving them from the same directory on
    # port 443 keeps renewals working (Let's Encrypt follows the redirect).
    Include /etc/apache2/snippets/letsencrypt.conf
</VirtualHost>
```

Then check the configuration and reload Apache:

```sh
sudo apachectl configtest
sudo apachectl -k graceful
```
According to EFF:
The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire.
Hence, you don't need to worry about creating a cronjob for renewal.
Nevertheless, you can test the renewal by running:

```sh
sudo certbot renew --dry-run
```
Congratulations, you should now be able to see your website at `https://www.mydomain.com`.

You can now also test that your domain has an A+ SSL rating:

- https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com
- https://www.ssllabs.com/ssltest/analyze.html?d=www.mydomain.com

I would also recommend setting up content-specific features like Content Security Policy and Subresource Integrity:

- Mozilla Observatory: submit a domain to get content-specific advice
- Mozilla Security Guidelines
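SSL Labs checks the TLS configuration from outside; the following Python script is an added example (not part of the original gist) that checks the rest of what the final configuration is supposed to deliver from your own machine: the port-80 redirect to `https://mydomain.com/`, a TLS 1.2+ handshake, a certificate that covers both names and is not inside the renewal window, and the HSTS header. The evaluation is in pure functions fed with the shape `ssl.SSLSocket.getpeercert()` returns, so it can be exercised offline on the constructed `SAMPLE_CERT`; only `main()` touches the network. The function names, `RENEWAL_WINDOW_DAYS` (30 days, which I assume as certbot's default renewal threshold) and the sample data are my own.

```python
"""Post-deployment checks for the HTTPS switch: redirect, certificate, HSTS.

Added example, not code from the original gist. Usage:
    python check_site.py mydomain.com www.mydomain.com
"""
import http.client
import socket
import ssl
import sys
import time

RENEWAL_WINDOW_DAYS = 30      # assumed: certbot's default renewal threshold
MIN_HSTS_MAX_AGE = 15768000   # the value set in the tutorial's ssl.conf


def uncovered_hostnames(cert, hostnames):
    """Return the hostnames that are NOT in the certificate's subjectAltName."""
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    return [h for h in hostnames if h not in sans]


def days_until_expiry(cert, now=None):
    """Days left before notAfter (string format used by getpeercert())."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def redirect_ok(status, location, host):
    """True if a plain-HTTP response is a permanent redirect into the HTTPS site."""
    return status in (301, 308) and location is not None and location.startswith(f"https://{host}/")


def hsts_max_age(header):
    """Parse max-age out of a Strict-Transport-Security value; None if absent."""
    if not header:
        return None
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key.lower() == "max-age" and value.isdigit():
            return int(value)
    return None


def evaluate(cert, hostnames, redirect_status, redirect_location, hsts_header, now=None):
    """Combine the checks into a list of problems; an empty list means all good."""
    problems = []
    missing = uncovered_hostnames(cert, hostnames)
    if missing:
        problems.append("certificate does not cover: " + ", ".join(missing))
    days = days_until_expiry(cert, now)
    if days < RENEWAL_WINDOW_DAYS:
        problems.append(f"certificate expires in {days:.0f} days; check 'certbot renew --dry-run'")
    if not redirect_ok(redirect_status, redirect_location, hostnames[0]):
        problems.append(f"HTTP did not redirect to https://{hostnames[0]}/ "
                        f"(got {redirect_status} {redirect_location})")
    age = hsts_max_age(hsts_header)
    if age is None or age < MIN_HSTS_MAX_AGE:
        problems.append(f"HSTS missing or max-age below {MIN_HSTS_MAX_AGE} (got {hsts_header!r})")
    return problems


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "mydomain.com"), ("DNS", "www.mydomain.com")),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}
# A constructed "now" ten days before that expiry, for deterministic checks.
SAMPLE_NOW = ssl.cert_time_to_seconds(SAMPLE_CERT["notAfter"]) - 10 * 86400


def main(host, www_host):
    """Run the checks against a live site; returns a process exit code."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # handshake fails on anything older
    with socket.create_connection((host, 443), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        cert = tls.getpeercert()
        version = tls.version()
    https = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    https.request("HEAD", "/")
    hsts = https.getresponse().getheader("Strict-Transport-Security")
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("GET", "/")
    resp = plain.getresponse()
    problems = evaluate(cert, [host, www_host], resp.status, resp.getheader("Location"), hsts)
    print(f"{host}: {version}, certificate expires in {days_until_expiry(cert):.0f} days")
    for problem in problems:
        print("PROBLEM:", problem)
    return 1 if problems else 0


if __name__ == "__main__":
    args = sys.argv[1:3] if len(sys.argv) == 3 else ["mydomain.com", "www.mydomain.com"]
    sys.exit(main(*args))
```

Because it exits non-zero on any problem, the script doubles as a monitoring probe: a certificate that the cron job failed to renew shows up as an expiry warning well before visitors see an error.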
If Let's Encrypt is useful to you, consider donating to Let's Encrypt or donating to the EFF.
Thanks to cecilemuller for her nginx intro.
Your /etc/apache2/snippets/letsencrypt.conf is for nginx, not Apache.