Securing an Apache Web Server with Let’s Encrypt SSL via Certbot and SSH
Securing your website with HTTPS has become a necessity, not just for the sake of protecting your data but also to improve your site’s SEO ranking and trustworthiness. In this guide, we will demonstrate how to secure an Apache web server using Certbot to install a Let’s Encrypt SSL certificate, all managed remotely via SSH.
What is Let’s Encrypt?
Let’s Encrypt is a free, automated, and open certificate authority (CA) that provides SSL/TLS certificates to enable HTTPS on websites. By using Let’s Encrypt, you can secure your Apache server without paying for SSL certificates. The tool Certbot automates the process of obtaining and renewing these certificates.
Prerequisites
- A Linux-based server (such as Ubuntu 22.04 LTS).
- Apache installed and running.
- A domain name that is pointed to the server’s IP address.
- SSH access to the server.
- Root or sudo privileges on the server.
Step 1: Install OpenSSH and Certbot
First, ensure that your server is accessible via SSH, and install Certbot along with the Apache plugin for automatic configuration.
1.1 Install OpenSSH
OpenSSH allows you to remotely manage the server. Most Linux distributions come with SSH pre-installed. If it’s not installed, run the following command:
sudo apt update
sudo apt install openssh-server
To enable and start the SSH service:
sudo systemctl enable ssh
sudo systemctl start ssh
Now you can access the server via SSH using the following command:
ssh username@your-server-ip
1.2 Install Certbot and the Apache Plugin
Next, you need to install Certbot, which automates obtaining and renewing Let’s Encrypt SSL certificates, and its Apache plugin, which simplifies configuration.
sudo apt update
sudo apt install certbot python3-certbot-apache
Step 2: Obtain a Let’s Encrypt SSL Certificate
Once Certbot is installed, it’s time to obtain an SSL certificate for your domain. Certbot will handle the entire process, including modifying your Apache configuration to use the SSL certificate.
Run Certbot with the Apache plugin:
sudo certbot --apache
You’ll be prompted with a series of questions:
- Enter your email address (for notifications about certificate expiration).
- Agree to the terms of service.
- Choose the domain(s) you wish to secure from the list of domains configured in Apache.
- Certbot will automatically request an SSL certificate from Let’s Encrypt and update your Apache configuration to use HTTPS.
After completion, Certbot will install and configure the certificate automatically.
Step 3: Configure Firewall for HTTPS
If your server uses UFW (Uncomplicated Firewall), you need to allow HTTPS traffic.
sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'
The 'Apache Full' profile opens ports 80 and 443, so both HTTP and HTTPS traffic are allowed; the second command removes the redundant 'Apache' rule, which covers port 80 only.
Step 4: Verify SSL Setup
To check if the SSL certificate was successfully installed, you can visit your site using HTTPS. You can also use the following command to confirm that the Apache service is running:
sudo systemctl status apache2
You should also check that the Apache configuration, including the SSL virtual host, is syntactically valid:
sudo apachectl configtest
To test the certificate and the HTTPS configuration as clients see them, use a tool like SSL Labs.
Step 5: Automate SSL Certificate Renewal
Let’s Encrypt certificates are valid for 90 days. The Certbot package schedules automatic renewal for you (a cron job or, on current Ubuntu releases, a systemd timer), but it’s a good idea to manually test the renewal process:
sudo certbot renew --dry-run
This command performs a simulation of the renewal process, ensuring everything is set up correctly.
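A dry run shows that renewal can work, not how close each installed certificate is to expiry. The following added example (not part of the original article) parses the output of `certbot certificates` and lists certificates that are invalid or below a day threshold; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.

# sample_certbot_output: constructed text in the layout `certbot certificates`
# prints (names, dates and day counts are made up for illustration).
sample_certbot_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2025-06-01 10:00:00+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2025-04-12 10:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/shop.example.com/fullchain.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2025-01-15 10:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
EOF
}

# expiring_certs THRESHOLD_DAYS
# Reads `certbot certificates` output on stdin and prints "<name> <days>" for
# certificates with fewer than THRESHOLD_DAYS days left, or "<name> INVALID"
# when certbot marks the certificate invalid (for example, expired).
expiring_certs() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            if ($0 ~ /INVALID:/) {
                print name, "INVALID"
            } else if (match($0, /VALID: [0-9]+ day/)) {
                # Skip "VALID: " (7 chars) and drop the trailing " day" (4 chars).
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                if (days < limit) print name, days
            } else if ($0 ~ /VALID: [0-9]+ hour/) {
                print name, 0      # less than one day left
            }
        }
    '
}

# Demo on the constructed sample; on a server, pipe in the real output:
#   sudo certbot certificates | expiring_certs 30
sample_certbot_output | expiring_certs 30
```

Any output from the real command means automatic renewal has not been keeping up, since Certbot normally renews well before a certificate has 30 days left.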
Step 6: Secure SSH Access
To enhance the security of SSH access to your server, it’s recommended to use key-based authentication instead of password-based authentication.
6.1 Generate SSH Key Pair
On your local machine, generate a key pair using the following command:
ssh-keygen -t rsa -b 4096
This creates a private and public key pair. By default, the keys are stored in ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).
6.2 Copy the Public Key to Your Server
Copy the public key to your server to enable key-based login:
ssh-copy-id username@your-server-ip
Now, you can log in to your server using the private key instead of a password:
ssh username@your-server-ip
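Copying a key to the server adds key-based login but does not turn password logins off; they remain available until the sshd configuration disables them. The following added example (not part of the original article) checks the effective settings printed by `sshd -T` for anything that still undermines key-only access; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.

# sample_sshd_T: constructed excerpt in the "keyword value" layout printed by
# `sshd -T` (effective settings, keywords in lowercase).
sample_sshd_T() {
    cat <<'EOF'
port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
EOF
}

# audit_sshd: read `sshd -T` output on stdin and print one FAIL line for each
# setting that undermines key-only login. Prints nothing when all checks pass.
audit_sshd() {
    awk '
        $1 == "pubkeyauthentication" && $2 != "yes" {
            print "FAIL pubkeyauthentication=" $2 }
        $1 == "passwordauthentication" && $2 != "no" {
            print "FAIL passwordauthentication=" $2 }
        # Older OpenSSH releases report this setting under its previous name.
        ($1 == "kbdinteractiveauthentication" ||
         $1 == "challengeresponseauthentication") && $2 != "no" {
            print "FAIL " $1 "=" $2 }
        $1 == "permitrootlogin" && $2 == "yes" {
            print "FAIL permitrootlogin=yes" }
    '
}

# Demo on the constructed sample; on a server, pipe in the real settings:
#   sudo sshd -T | audit_sshd
sample_sshd_T | audit_sshd
```

Run it only after confirming that key-based login works in a second session, so that a later change to `PasswordAuthentication` cannot lock you out.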
Step 7: Restart Apache to Apply Changes
After installing the SSL certificate, you should restart Apache to ensure that the changes are properly applied:
sudo systemctl restart apache2
Summary of Commands
Here is a quick summary of the commands used in this article:
| Command | Description |
|---|---|
| sudo apt update | Update package lists |
| sudo apt install openssh-server | Install OpenSSH server |
| sudo apt install certbot python3-certbot-apache | Install Certbot and Apache plugin |
| ssh username@your-server-ip | SSH into your server |
| sudo certbot --apache | Obtain and install Let’s Encrypt SSL certificate |
| sudo ufw allow 'Apache Full' | Allow HTTPS traffic |
| sudo certbot renew --dry-run | Test SSL certificate renewal |
| sudo systemctl restart apache2 | Restart Apache to apply changes |
| ssh-keygen -t rsa -b 4096 | Generate SSH key pair |
| ssh-copy-id username@your-server-ip | Copy SSH key to server |
Conclusion
In this tutorial, we’ve covered how to secure your Apache web server with an SSL certificate from Let’s Encrypt, managed through SSH. This setup provides both security and ease of management by enabling encrypted communication for both your website and your server management processes.
By automating the renewal process with Certbot, you can ensure your certificates stay up-to-date without manual intervention. Proper SSH configuration also ensures a secure connection to your server for remote administration.
