To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol which typically runs on your web host.
This page walks through doing exactly that on an Ubuntu server running Apache, with Certbot as the ACME client, and then tightens the resulting setup: a CAA record, canonical-host redirects, protocol versions and automatic renewal.
1. Create a CAA Record for Your Domain Name
A CAA record lists the certificate authorities that may issue certificates for your domain. A CA must check it before issuing, and a record on example.com also covers every subdomain that has no CAA records of its own. To allow Let's Encrypt (and, unless you add further issue records, nobody else), add this record to your DNS zone:
0 issue "letsencrypt.org"
You can also add an iodef property so that a CA which receives a certificate request your policy does not permit has an address to report it to:
0 iodef "mailto:your-email-address"
You can use the following dig command to check your CAA record.
dig example.com CAA
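As an added example (not part of the original tutorial, nor of any Let's Encrypt or Certbot tooling), the script below applies the CAA rules a CA follows when deciding whether it may issue: it climbs from the requested name toward the root until it finds a CAA record set, then checks that set for the CA's domain, honouring issuewild for wildcard requests, the empty issuer (";") that forbids everyone, and unknown properties flagged critical. The function names and the caa_check.sh filename are assumptions chosen for illustration; the verdict logic consumes the record format that the dig +short form of the command above prints.

```shell
#!/usr/bin/env bash
# caa_check.sh: decide whether a domain's CAA policy permits a CA to issue.
# Added example for this tutorial; hypothetical helper names, not part of
# Let's Encrypt or Certbot.  Follows the RFC 8659 rules that matter in practice.

# caa_verdict CA_DOMAIN WILDCARD
#   Reads CAA rdata lines on stdin, one per line, in the format `dig +short NAME CAA`
#   prints, e.g.   0 issue "letsencrypt.org"
#   WILDCARD is 1 when the certificate is for *.name, 0 otherwise.
#   Exit 0: CAA permits issuance by CA_DOMAIN.  Exit 1: CAA forbids it.
caa_verdict() {
  local ca="$1" wildcard="${2:-0}" flags tag value domain
  local issue_seen=0 issue_ok=0 wild_seen=0 wild_ok=0
  while read -r flags tag value; do
    [ -n "${tag:-}" ] || continue
    tag=$(printf '%s' "$tag" | tr '[:upper:]' '[:lower:]')
    value=${value#\"}; value=${value%\"}            # strip the quotes dig prints
    domain=${value%%;*}                              # drop parameters ("; validationmethods=...")
    domain=$(printf '%s' "$domain" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    case "$tag" in
      issue)     issue_seen=1; [ "$domain" = "$ca" ] && issue_ok=1 ;;
      issuewild) wild_seen=1;  [ "$domain" = "$ca" ] && wild_ok=1 ;;
      iodef)     ;;                                  # reporting address; no effect on issuance
      *)
        # Unknown property with the critical flag (bit 128): a CA that does not
        # understand it must not issue.  Unknown non-critical properties are ignored.
        if [ $(( ${flags:-0} & 128 )) -ne 0 ]; then
          echo "DENY: unknown critical property '$tag'"; return 1
        fi ;;
    esac
  done
  if [ "$wildcard" = 1 ] && [ "$wild_seen" = 1 ]; then
    # issuewild records exist, so they alone govern a wildcard request
    if [ "$wild_ok" = 1 ]; then echo "ALLOW: issuewild lists $ca"; return 0; fi
    echo "DENY: issuewild records exist and none lists $ca"; return 1
  fi
  if [ "$issue_seen" = 1 ]; then
    if [ "$issue_ok" = 1 ]; then echo "ALLOW: issue lists $ca"; return 0; fi
    echo "DENY: issue records exist and none lists $ca"; return 1
  fi
  echo "ALLOW: no issue/issuewild property restricts this request"
  return 0
}

# caa_lookup NAME: print the relevant CAA RRset the way a CA finds it (RFC 8659
# section 3): try NAME, then each parent in turn, and stop at the first label that
# has CAA records.  Prints nothing if no label up to the root has any (needs network).
caa_lookup() {
  local name="$1" out
  while [ -n "$name" ]; do
    out=$(dig +short "$name" CAA 2>/dev/null)
    if [ -n "$out" ]; then printf '%s\n' "$out"; return 0; fi
    case "$name" in *.*) name=${name#*.} ;; *) name="" ;; esac
  done
  return 0
}

# usage: caa_check.sh NAME [CA_DOMAIN]    e.g.  caa_check.sh www.example.com
#        caa_check.sh '*.example.com'     applies the wildcard rules instead
if [ $# -gt 0 ]; then
  wild=0; case "$1" in \*.*) wild=1 ;; esac
  caa_lookup "${1#\*.}" | caa_verdict "${2:-letsencrypt.org}" "$wild"
fi
```

Run it as caa_check.sh www.example.com (or with a wildcard name) before invoking certbot; it exits 0 when the CAA policy permits Let's Encrypt and 1 when it does not, which is the same answer the CA will reach at issuance time, and it explains which record produced the verdict.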
2. Installing Let’s Encrypt Client (Certbot) on Ubuntu
sudo apt update
sudo apt install certbot python3-certbot-apache
To check version number, run
certbot --version
3. Apache Plugin to Enable HTTPS
sudo certbot --apache --agree-tos --redirect --uir --hsts --staple-ocsp --must-staple -d www.example.com,example.com --email [email protected]
The options do the following: --agree-tos accepts the Let's Encrypt subscriber agreement, --redirect rewrites all HTTP requests to HTTPS, --uir adds a Content-Security-Policy: upgrade-insecure-requests header, --hsts adds a Strict-Transport-Security header, and --staple-ocsp together with --must-staple turns on OCSP stapling and requests a certificate that requires it. Let's Encrypt has since announced the end of its OCSP service and no longer issues certificates carrying the Must-Staple extension, so if the request is rejected on that point, drop --must-staple and --staple-ocsp; revocation is then checked through CRLs. Certbot writes the HTTPS virtual host to /etc/apache2/sites-available/000-default-le-ssl.conf and enables it with a symlink in /etc/apache2/sites-enabled/.
4. Testing Your SSL Certificate
Go to https://www.ssllabs.com (the Qualys SSL Labs server test) to test your certificate and configuration. Once the remaining steps are done it should report a complete certificate chain, only TLS 1.2 and 1.3 offered, and HSTS present.
5. Redirecting WWW to Non-WWW (Or Vice-Versa)
Edit the HTTP virtual host file (not the SSL virtual host).
sudo nano /etc/apache2/sites-enabled/000-default.conf
Certbot's --redirect option appended a RewriteEngine/RewriteCond/RewriteRule block to the end of this file that sends every request to https://%{SERVER_NAME}, that is, to whichever host name the visitor used. To redirect to a single canonical host instead, replace %{SERVER_NAME} in the last line with your preferred domain version, like below (www domain).
RewriteRule ^ https://www.example.com%{REQUEST_URI} [END,NE,R=permanent]
If you prefer non-www domain, change it to the following.
RewriteRule ^ https://example.com%{REQUEST_URI} [END,NE,R=permanent]
Then save and close the file.
6. Edit the SSL Virtual Host
Requests that already arrive over HTTPS for the non-preferred host name also need to be redirected, so the SSL virtual host has to be edited as well.
sudo nano /etc/apache2/sites-enabled/000-default-le-ssl.conf
Add the following lines above the closing </VirtualHost> tag to redirect non-www to www domain.
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://www.example.com%{REQUEST_URI} [END,NE,R=permanent]
If you want to redirect www to non-www domain, add the following lines instead.
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example.com
RewriteRule ^ https://example.com%{REQUEST_URI} [END,NE,R=permanent]
Save and close the file.
Reload Apache service
sudo systemctl reload apache2
7. Disable TLSv1 and TLSv1.1
TLSv1 and TLSv1.1 were formally deprecated by RFC 8996 and are no longer considered secure. The protocol list that applies to the HTTPS virtual host lives in the Let's Encrypt SSL options file, which the virtual host pulls in with an Include line. Edit it:
sudo nano /etc/letsencrypt/options-ssl-apache.conf
Find the SSLProtocol line. Older Certbot versions ship it disabling only SSLv2 and SSLv3:
SSLProtocol all -SSLv2 -SSLv3
Change it to the following to also disable TLSv1.0 and TLSv1.1. (Recent Certbot versions already ship the file with this line; if so, there is nothing to change.)
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Note the warning at the top of the file: Certbot treats it as a managed file, and once you edit it by hand it will no longer update the security parameters in it for you. If you would rather leave it untouched, put the SSLProtocol line in 000-default-le-ssl.conf after the Include line instead; a later directive in the same virtual host overrides the included one.
Save and close the file.
Restart Apache.
sudo systemctl restart apache2
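As an added example that serves both the test step (4) and this protocol step (7), and is not code from the tutorial, Certbot or Apache: the script below reads the effective SSLProtocol directive from a configuration file and works out which protocol versions it leaves enabled under mod_ssl's token rules, so you can audit options-ssl-apache.conf (or any vhost file) before reloading; it can also probe the live server with openssl s_client and curl to confirm that TLS 1.0/1.1 are refused, TLS 1.2/1.3 accepted and the HSTS header is present. Function names and the tls_audit.sh filename are assumptions, and the directive lines used to exercise it are constructed.

```shell
#!/usr/bin/env bash
# tls_audit.sh: audit the SSLProtocol directive Apache will use and optionally probe
# the live server.  Added example for this tutorial; hypothetical helper names,
# not part of Certbot or Apache.

# ssl_protocol_set "SSLProtocol all -SSLv2 -SSLv3 ..."
#   Prints the protocols the directive leaves enabled, following mod_ssl's rules:
#   tokens apply left to right, "all" adds every protocol the build knows, a bare
#   name or +name adds one, -name removes one.  Names are case-insensitive.  SSLv2
#   is accepted and ignored, since no OpenSSL that Apache links against supports it.
ssl_protocol_set() {
  local known="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
  local enabled="" out="" tok op name canon p q
  for tok in $1; do
    case "$tok" in
      [Ss][Ss][Ll][Pp]rotocol) continue ;;   # the directive keyword itself
      -*) op=del; name=${tok#-} ;;
      +*) op=add; name=${tok#+} ;;
      *)  op=add; name=$tok ;;
    esac
    case "$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')" in
      all)     canon=$known ;;
      sslv2)   continue ;;
      sslv3)   canon=SSLv3 ;;
      tlsv1)   canon=TLSv1 ;;
      tlsv1.1) canon=TLSv1.1 ;;
      tlsv1.2) canon=TLSv1.2 ;;
      tlsv1.3) canon=TLSv1.3 ;;
      *) echo "unknown SSLProtocol token: $tok" >&2; return 2 ;;
    esac
    for p in $canon; do
      if [ "$op" = add ]; then
        case " $enabled " in *" $p "*) ;; *) enabled="$enabled $p" ;; esac
      else
        out=""; for q in $enabled; do [ "$q" = "$p" ] || out="$out $q"; done; enabled=$out
      fi
    done
  done
  out=""   # print in canonical order so results are easy to compare
  for p in $known; do case " $enabled " in *" $p "*) out="$out $p" ;; esac; done
  printf '%s\n' "${out# }"
}

# ssl_file_protocols FILE: evaluate the last active SSLProtocol directive in FILE
# (Apache applies the last one it sees in a context).
ssl_file_protocols() {
  local line
  line=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
  if [ -z "$line" ]; then
    echo "no SSLProtocol directive in $1; mod_ssl's default applies" >&2; return 2
  fi
  ssl_protocol_set "$line"
}

# ssl_file_ok FILE: exit 0 only if FILE leaves no legacy protocol (SSLv3, TLS 1.0, TLS 1.1) enabled.
ssl_file_ok() {
  local protos p rc=0
  protos=$(ssl_file_protocols "$1") || return 2
  for p in SSLv3 TLSv1 TLSv1.1; do
    case " $protos " in *" $p "*) echo "FAIL: $p still enabled by $1"; rc=1 ;; esac
  done
  [ "$rc" -eq 0 ] && echo "OK: $1 enables only: $protos"
  return "$rc"
}

# tls_live_check HOST: probe the deployed server (needs network; not exercised by tests).
# Legacy versions must be refused, TLS 1.2 and 1.3 accepted, and the HTTPS response
# must carry the Strict-Transport-Security header that --hsts configured.
# OpenSSL 1.1.1+ exits non-zero when the handshake fails; SECLEVEL=0 stops OpenSSL 3's
# own policy from refusing TLS 1.0/1.1 on the client side, which would mask the result.
tls_live_check() {
  local host="$1" v rc=0
  for v in tls1 tls1_1; do
    if openssl s_client -connect "$host:443" -servername "$host" -"$v" \
         -cipher 'DEFAULT:@SECLEVEL=0' </dev/null >/dev/null 2>&1; then
      echo "FAIL: $host accepted -$v"; rc=1
    else
      echo "ok: $host refused -$v"
    fi
  done
  for v in tls1_2 tls1_3; do
    if openssl s_client -connect "$host:443" -servername "$host" -"$v" </dev/null >/dev/null 2>&1; then
      echo "ok: $host accepted -$v"
    else
      echo "FAIL: $host refused -$v"; rc=1
    fi
  done
  if curl -sSI "https://$host/" | grep -qi '^strict-transport-security:'; then
    echo "ok: HSTS header present"
  else
    echo "FAIL: no Strict-Transport-Security header"; rc=1
  fi
  return "$rc"
}

# usage: tls_audit.sh /etc/letsencrypt/options-ssl-apache.conf [www.example.com]
if [ $# -gt 0 ]; then
  ssl_file_ok "$1"
  if [ $# -gt 1 ]; then tls_live_check "$2"; fi
fi
```

Run the file check before the restart and the live check after it. The evaluator deliberately treats "all" as including SSLv3 even though Ubuntu's OpenSSL build has it disabled, so a directive that merely relies on the build's defaults is reported as a finding rather than silently passed.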
8. Certificate Auto Renewal
Let's Encrypt certificates are valid for 90 days, so renewal has to be automated. The Ubuntu certbot package already installs a systemd timer (certbot.timer) that runs certbot renew twice a day; check for it with systemctl before adding a job of your own. If you want an explicit cron job anyway, edit the root user's crontab file.
sudo crontab -e
Then add the following line at the bottom.
@daily certbot renew --quiet && systemctl reload apache2
--quiet flag will suppress normal messages.
If you want cron to email you any error output, add the following line at the beginning of the crontab file.
MAILTO=your-email-address
No Apache restart is needed at this point: the reload in the cron line loads a renewed certificate, and the Apache plugin reloads Apache itself after a successful renewal. To confirm that renewal works end to end before the first real one is due, run certbot renew with the --dry-run option; it performs the full ACME exchange against the Let's Encrypt staging environment without replacing the live certificate.