This tutorial shows how to secure an Apache web server on Ubuntu 18.04 by installing a TLS certificate (still commonly called an SSL certificate). Enabling an encrypted connection to the web server is fundamental today, because it is what allows your site to be served over the secure HTTPS protocol.
To do so we will use Let's Encrypt, a Certificate Authority that issues free certificates trusted by all major browsers. Let's Encrypt simplifies obtaining and installing the certificate through its Certbot client, so that even a less experienced user can secure a website.
First connect to your server via an SSH connection. If you haven't done so yet, following our guide on connecting securely with the SSH protocol is recommended. In the case of a local server, skip this step and open the terminal of your server.
Add the Certbot repository. Note that the ppa:certbot/certbot PPA has since been retired and Certbot's own instructions (certbot.eff.org) now install it as a snap; on Ubuntu 18.04 at the time of writing the PPA was the supported channel:
$ sudo add-apt-repository ppa:certbot/certbot
At this point install Certbot together with its Apache plugin using apt:
$ sudo apt install python-certbot-apache
After completing the installation you can proceed with the configuration of the firewall.
Configuration of the firewall
If a firewall is active on your system, configure it to allow inbound HTTP and HTTPS traffic to your machine.
When using the UFW firewall, pre-installed application profiles are available for Apache. Let's see how to enable them.
To check the available profiles installed on the UFW firewall, run this command:
$ sudo ufw app list
A list similar to the following will be shown on the screen:
Available applications:
  Apache
  Apache Full
  Apache Secure
  OpenSSH
To allow both HTTP (port 80) and HTTPS (port 443) traffic, use the "Apache Full" profile ("Apache" opens only port 80 and "Apache Secure" only port 443).
Check your profile information as follows:
$ sudo ufw app info "Apache Full"
The description of the on-screen profile will appear:
Profile: Apache Full
Title: Web Server (HTTP,HTTPS)
Description: Apache v2 is the next generation of the omnipresent Apache web server.

Ports:
  80,443/tcp
After checking the profile, it can be enabled:
$ sudo ufw allow in "Apache Full"
Creating the SSL Certificate
At this point, request the certificate for the domain you want to protect using the previously installed Certbot.
Replace dvictor.net and www.dvictor.net with the domain names you want to protect:
$ sudo certbot --apache -d dvictor.net -d www.dvictor.net
N.B. the --apache option tells Certbot to use the Apache plugin (it obtains the certificate, writes the HTTPS virtual host and reloads Apache), while each -d option adds a domain name the certificate will be valid for. The first -d name is also used as the directory name under /etc/letsencrypt/live/. Every name must resolve to this server, because Let's Encrypt validates ownership over HTTP; if you are experimenting, add --staging to test against the staging environment, which does not count towards Let's Encrypt's rate limits (the resulting certificate is not browser-trusted).
At this point, enter your email address (used for expiry and account notices), accept the terms of service and indicate whether you want to redirect connections to your website to HTTPS.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - No further changes to the webserver configuration.
2: Redirect - Redirect all requests to secure HTTPS access. Choose this option
for new websites, or if you're confident your site works on HTTPS. You can undo
this change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Congratulations! You have successfully enabled https://dvictor.net and
https://www.dvictor.net

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=dvictor.net
https://www.ssllabs.com/ssltest/analyze.html?d=www.dvictor.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/dvictor.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/dvictor.net/privkey.pem
   Your cert will expire on 2023-01-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
N.B. If a CMS or other script is already running on your site, following our guide to check that it is compatible with an HTTPS connection (absolute http:// links, mixed content, hard-coded site URLs) is recommended before redirecting traffic.
Enter the number corresponding to your choice; if the procedure is successful, a confirmation message like the one above will be shown on the screen. Keep the private key file (privkey.pem) readable by root only, as Certbot installs it.
Verifying the renewal of the Certificate
Let's Encrypt certificates are valid for 90 days, after which they have to be renewed. Certbot also takes care of automatic renewal (the Ubuntu package installs a scheduled job that runs certbot renew, which renews any certificate within 30 days of expiry), but to make sure the procedure works it is recommended to test a renewal manually in this way:
$ sudo certbot renew --dry-run
The dry run performs the whole renewal against Let's Encrypt's staging environment without replacing your certificates. If no error is displayed, automatic renewal will work. If it fails, fix the reported problem (typically port 80 blocked, or the domain no longer pointing at this server), because otherwise the certificate will expire; do not rely only on the reminder email that Let's Encrypt sends to the address entered during certificate creation when expiry is approaching.
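The following script ties together the checks from the firewall section and the renewal section above: it confirms that UFW allows the "Apache Full" profile, that the renewal timer is scheduled, that the installed certificate and private key belong together, and how many days remain before expiry. It is an added example and not part of the original tutorial or of Certbot itself. It assumes Certbot's default directory layout /etc/letsencrypt/live/<lineage>/ (the lineage is the first -d name, here dvictor.net), the certbot.timer unit name used by the Ubuntu package, GNU date, and a warning threshold of 30 days, which is the window in which Certbot itself starts renewing.

```shell
#!/bin/sh
# Post-install checks for an Apache + Let's Encrypt setup (added example).
# Assumptions: /etc/letsencrypt/live/<lineage>/, systemd unit certbot.timer,
# GNU date (Ubuntu coreutils), 30-day warning threshold.

# firewall_allows_web UFW_STATUS_TEXT: succeed only if the given `ufw status`
# output shows UFW active and an ALLOW rule for the "Apache Full" profile.
firewall_allows_web() {
    printf '%s\n' "$1" | grep -q '^Status: active' || return 1
    printf '%s\n' "$1" | grep -Eq '^Apache Full[[:space:]]+ALLOW[[:space:]]'
}

# seconds_until NOTAFTER [NOW]: seconds from NOW (epoch seconds, default: the
# current time) to the date in an `openssl x509 -enddate` line such as
# "notAfter=Jan 13 12:00:00 2023 GMT". Fails if the date does not parse.
seconds_until() {
    local not_after now end
    not_after="${1#notAfter=}"
    now="${2:-$(date +%s)}"
    end=$(date -u -d "$not_after" +%s) || return 1
    echo $(( end - now ))
}

# expiry_status NOTAFTER [THRESHOLD_DAYS] [NOW]: prints OK, WARN (inside the
# renewal window, so certbot.timer should already be renewing) or EXPIRED.
expiry_status() {
    local threshold secs
    threshold="${2:-30}"
    secs=$(seconds_until "$1" "${3:-}") || { echo UNPARSEABLE; return 1; }
    if [ "$secs" -le 0 ]; then
        echo EXPIRED
    elif [ "$secs" -lt $(( threshold * 86400 )) ]; then
        echo WARN
    else
        echo OK
    fi
}

# cert_matches_key LINEAGE: the public key embedded in fullchain.pem must be the
# one derived from privkey.pem; a mismatch makes Apache refuse to start.
cert_matches_key() {
    local dir="/etc/letsencrypt/live/$1"
    [ "$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/privkey.pem" -pubout)" ]
}

# check_lineage LINEAGE: report expiry and cert/key consistency for one lineage.
check_lineage() {
    local lineage="$1" not_after status days
    not_after=$(openssl x509 -in "/etc/letsencrypt/live/$lineage/fullchain.pem" \
                -noout -enddate) || return 1
    status=$(expiry_status "$not_after")
    days=$(( $(seconds_until "$not_after") / 86400 ))
    printf '%s: %s (%s days left, %s)\n' "$lineage" "$status" "$days" "$not_after"
    if cert_matches_key "$lineage"; then
        echo "  certificate/key pair: OK"
    else
        echo "  certificate/key pair: MISMATCH" >&2
    fi
}

# Usage: sudo sh check-tls.sh dvictor.net   (one lineage name per argument)
main() {
    if firewall_allows_web "$(ufw status 2>/dev/null)"; then
        echo "firewall: Apache Full (80,443/tcp) allowed"
    else
        echo "firewall: ufw inactive or Apache Full not allowed" >&2
    fi
    systemctl list-timers certbot.timer --no-pager   # shows the next renewal run
    for lineage in "$@"; do
        check_lineage "$lineage"
    done
}

# Only run the live checks when lineage names are given on the command line.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root after the tutorial's steps; WARN is expected only in the last 30 days of a certificate's life, and a WARN with certbot.timer not listed, or with the dry run from the previous step failing, is the combination that leads to an outage.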