How To Secure Apache with Let's Encrypt on Ubuntu 17.10

SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra layer of security for users accessing your applications. Let’s Encrypt provides an easy way to obtain and install trusted certificates free of cost.

This guide will walk you through the steps, how to set up a TLS/SSL certificate from Let’s Encrypt on an Ubuntu 17.10 running Apache as a web server. The steps outlined in this tutorial also applies on earlier release of Ubuntu.


  • One Ubuntu 17.10 server with a non-root sudo user
  • Apache web server installed with one or more domain names properly configured

If you are done with above prerequisites, you are ready to begin by log into your server using sudo-enabled user account.

Install the Let’s Encrypt Client

The first step to using Let's Encrypt to obtain an SSL certificate is to install the certbot software on your server. The Certbot developers maintain their own Ubuntu software repository with up-to-date versions of the software. Because Certbot is in such active development it's worth using this repository to install a newer Certbot than provided by Ubuntu.

First, add the repository:

sudo add-apt-repository ppa:certbot/certbot

You'll need to press ENTER to accept. Afterwards, update the package list to pick up the new repository's package information:

sudo apt-get update

And finally, install Certbot from the new repository with apt-get:

sudo apt-get install python-certbot-apache

The certbot Let's Encrypt client is now ready to use.

Set Up the SSL Certificate

Generating the SSL Certificate for Apache using the certbot Let’s Encrypt client is pretty straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.

To execute the interactive installation and obtain a certificate that covers only a single domain, run the certbot command with:

sudo certbot --apache -d

If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases:

sudo certbot --apache -d -d

For this example, the base domain will be

You will be prompted to provide an email address for lost key recovery and notices, and you will be need to agree to the Let's Encrypt terms of service. You'll then be asked to choose between enabling both http and https access or force all requests to redirect to https.

When the installation is finished, you should be able to find the generated certificate files at /etc/letsencrypt/live. You can verify the status of your SSL certificate with the following link (don’t forget to replace with your base domain):

You should now be able to access your website using a https prefix.

Verify Certbot Auto-Renewal

Let’s Encrypt certificates only last for 90 days. However, the certbot package we installed takes care of this for us by running certbot renew twice a day via a systemd timer. On non-systemd distributions this functionality is provided by a cron script placed in /etc/cron.d. The task runs twice daily and will renew any certificate that's within thirty days of expiration.

To test the renewal process, you can do a dry run with certbot:

sudo certbot renew --dry-run

If you see no errors, you're all set. When necessary, Certbot will renew your certificates and reload Apache to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.


In this tutorial, we demonstrated how to install a free SSL certificate from Let’s Encrypt in order to secure a website hosted with Apache Web Server.