Welcome to the Hindi Tutor QA. Create an account or login for asking a question and writing an answer.
Priti Agarwal in Domain
edited
How to Properly Enable HTTPS on Apache with Let's Encrypt on Ubuntu, Free SSL Certificate on Ubuntu, HTTPS on Apache, AWS, Digital Ocean.

1 Answer

0 votes
Pooja
edited

To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol which typically runs on your web host.

This document contains helpful advice if you are a hosting provider or large website integrating Let’s Encrypt, or you are writing client software for Let’s Encrypt.

1. Create CAA Record for Your Domain Name pointing to your domain name

0 issue "letsencrypt.org"

You can also use iodef to make CAA report malicious certificate issue request to your email address. ( pointing to your domain name)

0 iodef "mailto:your-email-address"

You can use the following dig command to check your CAA record.

dig example.com CAA

2. Installing Let’s Encrypt Client (Certbot) on Ubuntu

sudo apt update
sudo apt install certbot python3-certbot-apache

To check version number, run

certbot --version

3. Apache Plugin to Enable HTTPS

sudo certbot --apache --agree-tos --redirect --uir --hsts --staple-ocsp --must-staple -d www.example.com,example.com --email [email protected]

Certbot client creates /etc/apache2/sites-enabled/000-default-le-ssl.conf

4. Testing Your SSL Certificate

Go to https://www.ssllabs.com to test your SSL certificate and configuration.

5. Redirecting WWW to Non-WWW (Or Vice-Versa)

Edit your virtual host file. (Not the SSL virtual host)

sudo nano /etc/apache2/sites-enabled/000-default.conf

To redirect to www or non-www domain, you need to change the last line. Replace %{SERVER_NAME} with your preferred domain version like below. (www domain)

RewriteRule ^ https://www.example.com%{REQUEST_URI} [END,NE,R=permanent]

If you prefer non-www domain, change it to the following.

RewriteRule ^ https://example.com%{REQUEST_URI} [END,NE,R=permanent]

Then save and close the file.

6. We will also need to edit the SSL virtual host.

sudo nano /etc/apache2/sites-enabled/000-default-le-ssl.conf

Add the following lines above the closing </VirtualHost> tag to redirect non-www to www domain.

RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://www.example.com%{REQUEST_URI} [END,NE,R=permanent]

If you want to redirect www to non-www domain, add the following lines instead.

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example.com
RewriteRule ^ https://example.com%{REQUEST_URI} [END,NE,R=permanent]

Save and close the file.

Reload Apache service

sudo systemctl reload apache2

7. Disable TLSv1 and TLSv1.1

TLSv1 and TLSv1.1 are no longer considered secure. To disable them, edit the Let’s Encrypt SSL options configuration file.

sudo nano /etc/letsencrypt/options-ssl-apache.conf

Find the following line, which disables SSLv2 and SSLv3 by default.

SSLProtocol             all -SSLv2 -SSLv3

Change it to the following to also disable TLSv1.0 and TLSv1.1.

SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Save and close the file. 

Restart Apache.

sudo systemctl restart apache2

8. Certificate Auto Renewal

To automatically renew Let’s Encrypt certificate, simply edit root user’s crontab file.

sudo crontab -e

Then add the following line at the bottom.

@daily certbot renew --quiet && systemctl reload apache2 

--quiet flag will suppress normal messages.

If you want to receive error messages, then add the following line at the beginning of crontab file.

MAILTO=your-email-address

Restart Apache.

sudo systemctl restart apache2
...