SSL certificates are used within web servers to encrypt the traffic between server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.
This tutorial will show you how to set up TLS/SSL certificates from
Let’s Encrypt for securing multiple virtual hosts on Apache, within an Ubuntu 14.04 server.
We will also cover how to automate the certificate renewal process using a cron job.
Prerequisites
In order to complete this guide, you will need:
- An Ubuntu 14.04 server with a non-root sudo user, which you can set up by following our Initial Server Setup guide
- A functional Apache web server installation hosting multiple virtual hosts
It is important that each virtual host is set up in its own separate configuration file, and can be accessed externally via browser. For a detailed guide on how to properly set up Apache virtual hosts on Ubuntu, follow this link.
For the purpose of this guide, we will install Let’s Encrypt certificates for the domains
example.com
and
test.com
. These will be referenced throughout the guide, but you should substitute them with your own domains while following along.
When you are ready to move on, log into your server using your sudo account.
Step 1 — Install the Server Dependencies
The first thing we need to do is to update the package manager cache with:
We will need
git
in order to download the Let’s Encrypt client. To install
git
, run:
Step 2 — Download the Let’s Encrypt Client
Next, we will download the Let’s Encrypt client from its official repository, placing its files in a special location on the server. We will do this to facilitate the process of updating the repository files when a new release is available. Because the Let’s Encrypt client is still in beta, frequent updates might be necessary to correct bugs and implement new functionality.
We will clone the Let’s Encrypt repository under
/opt
, which is a standard directory for placing third-party software on Unix systems:
- sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
This will create a local copy of the official Let’s Encrypt repository under
/opt/letsencrypt
.
Step 3 — Set Up the Certificates
Generating an SSL Certificate for Apache using the Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.
Although it is possible to bundle multiple Let’s Encrypt certificates together, even when the domain names are different, it is recommended that you create separate certificates for unique domain names. As a general rule of thumb, only subdomains of a particular domain should be bundled together.
Generating the first SSL certificate
We will start by setting up the SSL certificate for the first virtual host,
example.com
.
Access the
letsencrypt
directory:
Next, we will execute the interactive installation and obtain a bundled certificate that is valid for a domain and a subdomain, namely
example.com
as base domain and
www.example.com
as subdomain. You can include any additional subdomains that are currently configured in your Apache setup as either virtual hosts or aliases.
Run the
letsencrypt-auto
command with:
- ./letsencrypt-auto --apache -d example.com -d www.example.com
Notice that the first domain name in the list of parameters will be the
base domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases.
For this example, the
base domain will be
example.com
. We will need this information for the next step, where we automate the certificate renewal process.
After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both
http
and
https
access or forcing all requests to redirect to
https
.
When the installation is finished, you should be able to find the generated certificate files at
/etc/letsencrypt/live
. You can verify the status of your SSL certificate with the following link (don’t forget to replace
example.com with your
base domain):
https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest
You should now be able to access your website using a
https
prefix.
Generating the second SSL certificate
Generating certificates for your additional virtual hosts should follow the same process described in the previous step.
Repeat the certificate install command, now with the second virtual host you want to secure with Let’s Encrypt:
- ./letsencrypt-auto --apache -d test.com -d www.test.com
For this example, the
base domain will be
test.com
.
Again, you can verify the status of your SSL certificate with the following link (don’t forget to replace
test.com with your
base domain):
https://www.ssllabs.com/ssltest/analyze.html?d=test.com&latest
If you want to generate certificates for additional virtual hosts, simply repeat the process, and don’t forget to use the bare top-level domain as your
base domain. We will use this information for the next step, where we set up auto renewal using a cron job.
Step 3 — Set Up Auto-Renewal
Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. At the time of this writing, automatic renewal is still not available as a feature of the client itself, but you can manually renew your certificates by running the Let’s Encrypt client again with the same parameters previously used.
To manually renew the certificate we previously generated for the domain
example.com
, for instance, we should run:
./letsencrypt-auto certonly --apache --renew-by-default -d example.com -d www.example.com
Notice that we need to provide the same list of domains again for the renewal command, otherwise the Let’s Encrypt client will generate a new certificate instead of renewing the existing one.
A practical way to ensure your certificates won’t get outdated is to create a cron job that will automatically handle the renewal requests for you.
To facilitate this process, we will use a shell script that will verify the certificate expiration date for the provided domain and request a renewal when the expiration is less than 30 days away. The script will be scheduled to run once a week. This way, even if a cron job fails, there’s a 30-day window to try again every week.
For each virtual host certificate you set up, you need to create a cron job to execute the renewal script. In our case, we will set up two different cron jobs in order to renew the certificates for both
example.com
and
test.com
.
First, download the script and make it executable. Feel free to review the contents of the script before downloading it.
- sudo curl -L -o /usr/local/sbin/le-renew http://do.co/le-renew
- sudo chmod +x /usr/local/sbin/le-renew
The
le-renew
script takes as an argument the
base domain name associated with the certificate you want to renew. You can check which domain was used by Let’s Encrypt as your base domain name by looking at the contents inside
/etc/letsencrypt/live
, which is the directory that holds the certificates generated by the client.
You can run the script manually with:
- sudo le-renew example.com
Since we just created the certificate and there is no need for renewal just yet, the script will simply output how many days are left until the certificate expiration:
Output
Checking expiration date for example.com...
The certificate is up to date, no need for renewal (89 days left).
Setting Up Auto Renewal for the First Virtual Host Certificate
We will start by setting up auto renewal for the domain
example.com
.
Edit the crontab to create a new job that will run this command every week. To edit the crontab for the
root user, run:
Include the following content, all in one line:
crontab
30 2 * * 1 /usr/local/sbin/le-renew example.com>> /var/log/le-renew.log
Save and exit. This will create a new cron job that will execute the
le-renew
command every Monday at 2:30 am, for the domain
example.com
. The output produced by the command will be piped to a log file located at
/var/log/le-renewal.log
.
Setting Up Auto Renewal for the Second Virtual Host Certificate
Setting up auto renewal for additional virtual host certificates should follow the same process described in the previous step. We will set up an additional cron job for auto renewing the domain
test.com
.
Edit the crontab for the
root user with:
Include the following content, all in one line:
crontab
30 2 * * 1 /usr/local/sbin/le-renew test.com>> /var/log/le-renew.log
In this guide, we used the same renewal log file (/var/log/le-renew.log
) for both domains. If you'd rather separate the output for ease of parsing, feel free to change the log location used in each of the cron definitions.
Save and exit. Your additional virtual host certificate should now be covered for auto renewal.
Step 5 — Updating the Let’s Encrypt Client (optional)
Whenever new updates are available for the client, you can update your local copy by running a
git pull
from inside the Let’s Encrypt directory:
- cd /opt/letsencrypt
- sudo git pull
This will download all recent changes to the repository, updating your client.
Conclusion
In this guide, we saw how to install free SSL certificates from Let’s Encrypt in order to secure multiple virtual hosts on Apache. Because the Let’s Encrypt client is still in beta, we recommend that you check the official
Let’s Encrypt blog for important updates from time to time.