How to Secure Your Apache Server with ‘Let’s Encrypt’ Certificate on Ubuntu 18.04

This tutorial shows how to secure an Apache web server on Ubuntu 18.04 by installing a Secure Sockets Layer (SSL) certificate. Enabling an encrypted connection to the web server is fundamental today because it lets your website use the secure HTTPS protocol.

To do so, we will use Let’s Encrypt, a Certification Authority that issues free certificates fully in line with the required security standards. Through the Certbot client, Let’s Encrypt simplifies installing the certificate so that even less experienced users can secure a website.

First, connect to your server via an SSH connection. If you haven’t done so yet, we recommend following our guide to connecting securely with the SSH protocol. In case of a local server, go to the next step and open the terminal of your server.

Installing Certbot

Add the Certbot repository.

$ sudo add-apt-repository ppa:certbot/certbot

At this point install Certbot using apt:

$ sudo apt install python-certbot-apache

After completing the installation you can proceed with the configuration of the firewall.

Configuration of the firewall

If a firewall is running on your system, configure it to allow HTTP and HTTPS traffic to your machine.

When using the UFW firewall, pre-installed profiles will be available for Apache. So let’s see how to enable them.

To check the available profiles installed on the UFW firewall, run this command:

$ sudo ufw app list

A list similar to the following will be shown on the screen:

Available applications:
  Apache Full
  Apache Secure

To allow HTTP (Port 80) and HTTPS (Port 443) traffic, use the “Apache Full” profile. 

Check your profile information as follows:

$ sudo ufw app info "Apache Full"

The description of the profile will appear on screen:

Profile: Apache Full
Title: Web Server (HTTP,HTTPS)
Description: Apache v2 is the next generation of the omnipresent Apache web

After checking the profile, it can be enabled:

$ sudo ufw allow in "Apache Full"

Creating the SSL Certificate

At this point, ask for the certificate of the domain you want to protect using the previously installed Certbot.

Replace TUODOMINIO.IT with the domain name you want to protect:

$ sudo certbot --apache -d TUODOMINIO.IT -d www.TUODOMINIO.IT

N.B. The --apache option tells Certbot to use the Apache plugin, while each -d option names a domain that the certificate will be used for.

At this point, specify your email address, accept the terms of service and indicate if you want to redirect the connections to your website towards an HTTPS connection.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - No further changes to the webserver configuration.
2: Redirect - To redirect all requests to secure HTTPS access. Choose this option for
new websites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Congratulations! You have successfully enabled and

You should test your configuration at:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2023-01-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

N.B. If there is already a CMS or script on your site, we recommend checking that it is compatible with an HTTPS connection before redirecting traffic.

Enter the number corresponding to your choice and, if the procedure is successful, a confirmation message will be shown on the screen.

Verifying the renewal of the Certificate

Let’s Encrypt’s SSL certificates are valid for 90 days, after which they have to be renewed. Certbot also takes care of renewing the certificates automatically, but to make sure the procedure is working correctly, we recommend testing the renewal manually in this way:

$ sudo certbot renew --dry-run

If no error is displayed, the renewal test was successful. Otherwise, an email will be sent to the address entered when the certificate was created as its expiration approaches.
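
A dry run only simulates the renewal, so it is also worth checking that the installed certificates are really being replaced before they run out. The script below is an added example, not part of the original tutorial: it reads the listing printed by the certbot certificates command and flags any certificate with fewer days left than a threshold. The function names, the sample domains and dates are constructed for illustration, and the 30-day default assumes Certbot's standard behaviour of renewing certificates that have fewer than 30 days left.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# Reads text in the layout printed by `sudo certbot certificates` and prints
# one line per certificate: "<name> <status> <days>".
# Assumption: 30 days is the default threshold, because Certbot by default
# renews certificates that have fewer than 30 days left.
check_renewal() {
    threshold="${1:-30}"
    awk -v limit="$threshold" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # Expired or otherwise unusable certificates are marked INVALID.
            if ($0 ~ /INVALID/) { print name, "INVALID", 0; bad = 1; next }
            days = $0
            sub(/.*VALID: /, "", days)      # "(VALID: 89 days)" -> "89 days)"
            sub(/ day.*/, "", days)         # -> "89"
            if ($0 ~ /hour/) days = 0       # less than one day left
            if (days + 0 < limit) { print name, "RENEWAL_OVERDUE", days; bad = 1 }
            else                  { print name, "OK", days }
        }
        END { exit bad + 0 }                # non-zero when any certificate needs attention
    '
}

# Constructed sample input (hypothetical domains and dates), so the script runs offline.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2023-01-13 09:14:22+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2022-10-28 07:02:51+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/shop.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/shop.example.com/privkey.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2022-09-01 11:40:05+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem
EOF
}

# On a real server: sudo certbot certificates | check_renewal 30
sample_output | check_renewal 30 || echo "At least one certificate needs attention"
```

A certificate reported as RENEWAL_OVERDUE or INVALID means the automatic renewal has not run or has failed, and the Certbot logs should be checked.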
