How To Secure Apache with Lets Encrypt on Ubuntu 18.04 VPS or dedicated server

How To Secure Apache with Lets Encrypt on Ubuntu 18.04 VPS or dedicated server


Let’s Encrypt is a free, reliable, and automated Certificate Authority (CA) designed by the non-profit Internet Security Research Group (ISRG). The CA utilizes fully automated processes to deliver free SSL/TLS certificates, quashing the need for the creation, installation, verification, and renewal of SSL certificate manually..

Let’s Encrypt is trusted by leading programs simply because it is secure, transparent, cooperative, and automatic. The CA provides the digital certificates required to enable HTTPS for websites and create a privacy-respecting and secure web.

This tutorial will help you secure the Apache service using Let’s Encrypt via the reliable certbot tool on your Ubuntu 18.04 VPS hosting or dedicated server hosting.

Ready? Let’s get started!

Before You Start

For this process to run smoothly, you require the following:

  • A domain
  • Apache installed on your server
  • Fully configured Apache virtual hosts for the domain name. You can use our guide “ How to set up Apache Virtual Hosts on Ubuntu 18.04” to configure the virtual hosts.

If everything is in place we can now embark on the installation.

Step1 –
Installing Certbot

The first thing when securing Apache with Let’s Encrypt is installing the certbot tool. This tool automates and streamlines the process of getting and renewing the SSL certificates from Let’s Encrypt. Besides, it will help you configure your web server to use these certificates.

First, update the local package index:

$ sudo apt update


Then, execute the command below to install Certbot:

$ sudo apt install certbot

That’s it! You have installed the certbot tool successfully.

Step 2 –
Generating Strong DH Group

The DH or the Diffie Hellman group is a reliable key exchange group that creates a secure environment to facilitate the exchange of cryptographic keys via a communication channel that is unsecured.

Run the command below to create a suite of 2048-bit DH characters:

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Note: If you wish you can replace the size 2048 with 4096. By doing so, you should be patient because the generation of the DH parameters can take thirty minutes or more minutes depending on your system entropy.

Step 3 –
Getting An SSL Certificate

Once the Dh group is generated, you can now obtain the SSL certificate required for your unique domain. In this tutorial, we’ll use as our domain name; remember to replace this value with your true domain name.

In this step, we’ll utilize a Webroot plugin to create a file for in the directory ${webroot-path}/.well-known/acme-challenge. The validation server for Let’s Encrypt will make HTTP appeals to authenticate that the domain’s DNS resolves to a server running the certbot tool.

We’ll simply map HTTP entreaties for the .well-known/acme-challenge to /var/lib/letsencrypt. Now, run the commands below to create the required directory and enable it to be writable for your Apache server.

$ sudo mkdir -p /var/lib/letsencrypt/.well-known
$ sudo chgrp www-data /var/lib/letsencrypt
$ sudo chmod g+s /var/lib/letsencrypt

Next, create two unique configuration snippets to prevent code duplication. First, run the command below to open the first configuration file:

$ sudo nano /etc/apache2/conf-available/letsencrypt.conf

Add the content below into this file:

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS

Save and exit this file.

Next, execute the command below to open the second configuration file:

$ sudo /etc/apache2/conf-available/ssl-params.conf

Copy and paste the content below into this file:

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always setStrict-Transport-Security"max-age=63072000; includeSubDomains; preload"
Header alwaysset X-Frame-Options DENY
Header alwaysset X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Save and exit the file.

Note: The second configuration snippet utilizes chippers authorized by HSTS ( HTTP Strict Transport Security) and The snippet enforces security-centric HTTP headers and activates the OCSP Stapling.

Now, run the commands below to  enable Apache SSL module and the mod_headers:

$ sudo a2enmod ssl
$ sudo a2enmod headers

Next, execute the commands below to enable the SSL virtual Host and the ssl-params.conf file:

$ sudo a2enconf letsencrypt
$ sudo a2enconf ssl-params

Restart your Apache configuration to implement the changes:

$ sudo systemctl reload apache2

The stage is set, and you can now implement the certbot using a Webroot plugin to get your SSL certificate:

$ sudo certbot certonly --agree-tos --email --webroot -w /var/lib/letsencrypt/ -d -d

Once the certificate is obtained, you will get the message below:

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2018-10-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

Step 4 –
Modify The Virtual Host File Configuration

Execute the command below to open the configuration file for your unique domain:

$ sudo nano /etc/apache2/sites-available/

Add the content below to this file:

<VirtualHost *:80> 

  Redirect permanent /

<VirtualHost *:443>

  <If "%{HTTP_HOST} == ''">
    Redirect permanent /

  DocumentRoot /var/www/
  CustomLog${APACHE_LOG_DIR}/ combined

  SSLCertificateFile /etc/letsencrypt/live/
  SSLCertificateKeyFile /etc/letsencrypt/live/
  SSLCertificateChainFile /etc/letsencrypt/live/

  # Other Apache Configuration


Next, reload your Apache service:

$ sudo systemctl reload apache2

Open your websites and check if you will see the green lock icon

Step 5 –
Setting Up Auto-Renewal

The newly installed SSL certificate is valid for only 90 days. You can set up the Certbot package to renew your SSL certificate automatically before its expiration date. The package generates a cronjob that runs two times every day, renewing the certificate a month before it expires.

Every time the SSL certificate is automatically renewed Apache Service must be reloaded. To enable this, modify the /etc/cron.d/certbot file with the –renew-hook “systemctl reload apache2”, hook.

This file will look like:

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"


Next, run the command below to confirm the automatic renewal:

 $ sudo certbot renew --dry-run

If you get no errors, then the automatic SSL certificate  renewal process has been set correctly.


That’s it! You have successfully used the certbot tool and Let’s Encrypt to obtain an SSL certificate for your specific domain name.

Check out these top 3 Linux hosting services

£1.41 /mo
Starting price
Visit FastComet
Rating based on expert review
  • User Friendly
  • Support
  • Features
  • Reliability
  • Pricing
£3.16 /mo
Starting price
Visit Kamatera
Rating based on expert review
  • User Friendly
  • Support
  • Features
  • Reliability
  • Pricing
£1.97 /mo
Starting price
Visit HostArmada
Rating based on expert review
  • User Friendly
  • Support
  • Features
  • Reliability
  • Pricing
  • Check the recommendations for the best VPS and get a suitable one.

How to Change Common PHP Settings on an Ubuntu 18.04 VPS or Dedicated Server

This article shows you how to change PHP settings on your Linux Ubuntu 18.04 vir
3 min read
Idan Cohen
Idan Cohen
Marketing Expert

How to Disable Directory Browsing On Apache Running on an Ubuntu 18.04 Virtual Server or Dedicated Server

In this article, you'll learn how to disable the default apache behavior for dis
3 min read
Max Ostryzhko
Max Ostryzhko
Senior Web Developer, HostAdvice CTO

How to Install OpenCart on an Ubuntu 18.04 Server or VPS with Apache, MariaDB and PHP 7

In this how-to, you'll learn how to install OpenCart, an open source shopping ca
3 min read
Angela Olaru
Angela Olaru
Senior Writer & Hosting Expert

How to Host Multiple Websites on an Ubuntu 18.04 VPS or Dedicated Server

This article will show you how to host two or more websites on a single Virtual
5 min read
Idan Cohen
Idan Cohen
Marketing Expert provides professional web hosting reviews fully independent of any other entity. Our reviews are unbiased, honest, and apply the same evaluation standards to all those reviewed. While monetary compensation is received from a few of the companies listed on this site, compensation of services and products have no influence on the direction or conclusions of our reviews. Nor does the compensation influence our rankings for certain host companies. This compensation covers account purchasing costs, testing costs and royalties paid to reviewers.
Click to go to the top of the page
Go To Top