This tutorial will show you how to set up a TLS/SSL certificate from Let’s Encrypt on an Ubuntu 14.04 server running Apache as a web server. We will also cover how to automate the certificate renewal process using a cron job.
SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.
PrerequisitesIn order to complete this guide, you will need:
- An Ubuntu 14.04 server with a non-root sudo user, which you can set up by following our Initial Server Setup guide
- The Apache web server installed with one or more domain names properly configured
Step 1 — Install the Server DependenciesThe first thing we need to do is to update the package manager cache with:
We will need
- sudo apt-get update
gitin order to download the Let’s Encrypt client. To install
- sudo apt-get install git
Step 2 — Download the Let’s Encrypt Client
Next, we will download the Let’s Encrypt client from its official repository, placing its files in a special location on the server. We will do this to facilitate the process of updating the repository files when a new release is available. Because the Let’s Encrypt client is still in beta, frequent updates might be necessary to correct bugs and implement new functionality.
We will clone the Let’s Encrypt repository under
/opt, which is a standard directory for placing third-party software on Unix systems:
This will create a local copy of the official Let’s Encrypt repository under
- sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Step 3 — Set Up the SSL CertificateGenerating the SSL Certificate for Apache using the Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.
Access the letsencrypt directory:
To execute the interactive installation and obtain a certificate that covers only a single domain, run the
- cd /opt/letsencrypt
If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases:
- ./letsencrypt-auto --apache -d example.com
For this example, the base domain will be
- ./letsencrypt-auto --apache -d example.com -d www.example.com
example.com. We will need this information for the next step, where we automate the certificate renewal process.
After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both
httpsaccess or force all requests to redirect to
When the installation is finished, you should be able to find the generated certificate files at
/etc/letsencrypt/live. You can verify the status of your SSL certificate with the following link (don’t forget to replace example.com with your base domain):
You should now be able to access your website using a
Step 4 — Set Up Auto RenewalLet’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. At the time of this writing, automatic renewal is still not available as a feature of the client itself, but you can manually renew your certificates by running the Let’s Encrypt client again with the same parameters previously used.
To manually renew a Let’s Encrypt certificate for Apache with no interaction in the command line, you can run:
If you provided multiple domain names when first installing the certificate, you’ll need to pass the same list of domains again for the renewal command, otherwise the Let’s Encrypt client will generate a new certificate instead of renewing the existing one.
- ./letsencrypt-auto certonly --apache --renew-by-default -d example.com -d www.example.com
A practical way to ensure your certificates won’t get outdated is to create a cron job that will automatically handle the renewal requests for you.
To facilitate this process, we will use a shell script that will verify the certificate expiration date for the provided domain and request a renewal when the expiration is less than 30 days away. The script will be scheduled to run once a week. This way, even if a cron job fails, there’s a 30-day window to try again every week.
First, download the script and make it executable. Feel free to review the contents of the script before downloading it.
- sudo curl -L -o /usr/local/sbin/le-renew http://do.co/le-renew
- sudo chmod +x /usr/local/sbin/le-renew
le-renewscript takes as an argument the base domain name associated with the certificate you want to renew. You can check which domain was used by Let’s Encrypt as your base domain name by looking at the contents inside
/etc/letsencrypt/live, which is the directory that holds the certificates generated by the client.
You can run the script manually with:
Since we just created the certificate and there is no need for renewal just yet, the script will simply output how many days are left until the certificate expiration:
- sudo le-renew example.com
OutputChecking expiration date for example.com... The certificate is up to date, no need for renewal (89 days left).
Next, we will edit the crontab to create a new job that will run this command every week. To edit the crontab for the root user, run:
Include the following content, all in one line:
- sudo crontab -e
Save and exit. This will create a new cron job that will execute the
crontab30 2 * * 1 /usr/local/sbin/le-renew example.com >> /var/log/le-renew.log
le-renewcommand every Monday at 2:30 am. The output produced by the command will be piped to a log file located at
Step 5 — Updating the Let’s Encrypt Client (optional)Whenever new updates are available for the client, you can update your local copy by running a
git pullfrom inside the Let’s Encrypt directory:
This will download all recent changes to the repository, updating your client.
- cd /opt/letsencrypt
- sudo git pull
In this guide, we saw how to install a free SSL certificate from Let’s Encrypt in order to secure a website hosted with Apache. Because the Let’s Encrypt client is still in beta, we recommend that you check the official Let’s Encrypt blog for important updates from time to time.