Secure Apache with Let’s Encrypt in Debian/Ubuntu

Apache installation

Run the commands below in Debian or Ubuntu to install Apache and manage the service (check its status, start, stop, restart, reload, and disable or enable it at boot):

sudo apt-get update
sudo apt-get install apache2
sudo systemctl status apache2
sudo systemctl start apache2
sudo systemctl stop apache2
sudo systemctl restart apache2
sudo systemctl reload apache2
sudo systemctl disable apache2
sudo systemctl enable apache2

Create configuration fragment for SSL/TLS

sudo vi /etc/apache2/conf-available/ssl-params.conf
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

Edit default SSL/TLS virtual host configuration

sudo vi /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
# Configure the server name: Let's Encrypt uses this value to associate
# certificates with this virtual host. Update the value below (Apache does
# not allow a comment after a directive on the same line).
ServerName www.example-1.com
...
# Add the configuration below at the end of the existing one.
# If some of these parameters already exist, edit them in place.
SSLEngine on
SSLProxyEngine on
ProxyPreserveHost on
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
# Keep forward proxying off: ProxyPass works without it, and
# ProxyRequests on would turn this host into an open proxy.
ProxyRequests off
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
</IfModule>

Reverse proxy configuration

Note that we added the ProxyPass and ProxyPassReverse directives to our configuration. This means we are using Apache as a reverse proxy: requests arriving on port 443 are forwarded to the application listening on localhost:8080, and Location headers in its responses are rewritten back to the public URL.

ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
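The settings in ssl-params.conf and the reverse proxy virtual host above are easy to get subtly wrong (a protocol list that still permits TLS 1.0, or ProxyRequests left on). The script below is an added example, not part of the original post and not Apache's or Certbot's code: a small lint that reads one or more Apache config files and reports the checks this guide relies on. The regular expressions and the 25-character messages are my own; the constructed demo files reuse the directives from this page.

```shell
#!/bin/sh
# Added example (not from the original post, not Apache's or Certbot's code):
# a lint for the ssl-params.conf fragment and the default-ssl.conf virtual host
# from this guide. Pass one or more config files; it prints one finding per line
# and returns the number of findings, so a return value of 0 means "clean".

# Non-comment, non-empty lines of the given files, leading whitespace removed.
conf_lines() {
    cat "$@" | sed 's/^[[:space:]]*//' | grep -v '^#' | grep -v '^$'
}

# True if some line of "$1" matches the case-insensitive extended regex "$2".
has_line() {
    printf '%s\n' "$1" | grep -Eiq -- "$2"
}

audit_apache_tls_conf() {
    conf=$(conf_lines "$@" || true)
    findings=0

    # 1. Protocol versions: only TLS 1.2 and 1.3 should remain enabled.
    proto=$(printf '%s\n' "$conf" | grep -Ei '^SSLProtocol[[:space:]]' | tail -n 1)
    if [ -z "$proto" ]; then
        echo "SSLProtocol is not set, so the mod_ssl default still permits TLS 1.0 and 1.1"
        findings=$((findings + 1))
    elif has_line "$proto" '^SSLProtocol[[:space:]]+(\+?TLSv1\.[23][[:space:]]*)+$'; then
        :   # explicit allowlist of modern versions, e.g. "SSLProtocol TLSv1.2 TLSv1.3"
    elif ! { has_line "$proto" '-SSLv3' && has_line "$proto" '-TLSv1([[:space:]]|$)' \
             && has_line "$proto" '-TLSv1\.1'; }; then
        echo "SSLProtocol still permits SSLv3, TLS 1.0 or TLS 1.1: $proto"
        findings=$((findings + 1))
    fi

    # 2. Server-side cipher preference and TLS compression, as set in ssl-params.conf.
    has_line "$conf" '^SSLHonorCipherOrder[[:space:]]+on' \
        || { echo "SSLHonorCipherOrder is not On: clients may pick a weaker suite"; findings=$((findings + 1)); }
    has_line "$conf" '^SSLCompression[[:space:]]+off' \
        || { echo "SSLCompression is not Off"; findings=$((findings + 1)); }

    # 3. Browser hardening headers set by the fragment.
    for hdr in X-Frame-Options X-Content-Type-Options; do
        has_line "$conf" "^Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+$hdr[[:space:]]" \
            || { echo "Header $hdr is not set"; findings=$((findings + 1)); }
    done

    # 4. Reverse proxy only: ProxyRequests On turns the host into an open forward proxy.
    if has_line "$conf" '^ProxyRequests[[:space:]]+on'; then
        echo "ProxyRequests On: ProxyPass works without it, and it exposes an open forward proxy"
        findings=$((findings + 1))
    fi

    return $findings
}

# Demonstration on constructed files (the hardened settings from this guide and
# a deliberately lax variant), so the script runs without a real server.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ssl-params.conf" <<'EOF'
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets Off
EOF
cat > "$demo_dir/default-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName www.example-1.com
    SSLEngine on
    SSLProxyEngine on
    ProxyPreserveHost on
    ProxyRequests off
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
</IfModule>
EOF
cat > "$demo_dir/weak.conf" <<'EOF'
SSLProtocol All -SSLv2
SSLEngine on
ProxyRequests on
ProxyPass / http://localhost:8080/
EOF

echo "== hardened =="
audit_apache_tls_conf "$demo_dir/ssl-params.conf" "$demo_dir/default-ssl.conf" && echo "clean"
echo "== weak =="
audit_apache_tls_conf "$demo_dir/weak.conf" || echo "$? finding(s)"
rm -rf "$demo_dir"
```

Run it against the real files (`audit_apache_tls_conf /etc/apache2/conf-available/ssl-params.conf /etc/apache2/sites-available/default-ssl.conf`) before `apache2ctl configtest`; a non-zero return value can fail a deployment step the same way configtest does.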

Enable the required Apache modules, the SSL site and the configuration fragment

sudo apache2ctl -M
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod rewrite
sudo a2enmod ssl
sudo a2enmod headers
sudo a2ensite default-ssl
sudo a2enconf ssl-params
sudo apache2ctl configtest
sudo systemctl reload apache2
sudo systemctl restart apache2
sudo systemctl status apache2
sudo netstat -tlpn
tcp   0  0 0.0.0.0:22       0.0.0.0:*  LISTEN  505/sshd
tcp6  0  0 :::22            :::*       LISTEN  505/sshd
tcp6  0  0 :::443           :::*       LISTEN  513/apache2
tcp6  0  0 :::80            :::*       LISTEN  513/apache2
tcp6  0  0 127.0.0.1:8080   :::*       LISTEN  13880/java

Apache now listens on ports 80 and 443, while the proxied Java application on port 8080 is bound to 127.0.0.1 only, so it is reachable through the proxy but not directly from the network.

Install certbot and Let’s Encrypt

sudo apt-get install certbot python-certbot-apache
certbot --apache -d www.example-1.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): admin@yourdomain.com

------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------
(Y)es/(N)o: Y

Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.example-1.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/default-ssl.conf
Deploying Certificate for www.example-1.com to VirtualHost /etc/apache2/sites-available/default-ssl.conf
Enabling available site: /etc/apache2/sites-available/default-ssl.conf
ls /etc/apache2/sites-available/
000-default.conf
default-ssl.conf
le-redirect-www.example-1.com.conf

Setup automatic renewal

Let’s Encrypt certificates are valid for a limited period of time, so to avoid ending up with an expired certificate it is advisable to run a periodic cron job that checks certificate status and renews those that are close to expiry.

crontab -e
# Monthly at 00:00 on the 1st: certbot renew only replaces certificates that are
# within 30 days of expiry, so this is safe to run as often as you like; Certbot's
# own documentation recommends running it more frequently than once a month.
# Errors are redirected into the same log so a failed renewal is not lost.
0 0 1 * * /usr/bin/certbot renew >> /var/log/letsencrypt-renew.log 2>&1
service cron restart
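Because `certbot renew` only acts when a certificate is within 30 days of expiry, a certificate that is still closer to expiry than that after the job has run means renewal is silently failing. The script below is an added example, not part of the original post and not Certbot's code: an independent expiry check to run from the same cron. It assumes Certbot's standard layout of one `cert.pem` per name under `/etc/letsencrypt/live`; the 25-day threshold is my own choice, and the demo builds constructed self-signed certificates with openssl so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post and not Certbot's code: an
# independent certificate expiry check to run beside "certbot renew". Renew
# replaces certificates within 30 days of expiry, so anything closer than the
# threshold after it has run means renewal is failing and the log needs a look.

# Return 0 if the certificate in "$1" expires within "$2" days, 1 otherwise.
# openssl's -checkend exits 0 only when the cert is still valid after that many seconds.
expires_within_days() {
    if openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Check every certificate under a Certbot "live" directory (default path is
# Certbot's standard layout; threshold 25 days is an assumption of this example).
# Prints one line per certificate and returns the number that warned.
check_live_certs() {
    live_dir=${1:-/etc/letsencrypt/live}
    threshold=${2:-25}
    warned=0
    for cert in "$live_dir"/*/cert.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        if expires_within_days "$cert" "$threshold"; then
            echo "WARN: $name expires within $threshold days: $(openssl x509 -noout -enddate -in "$cert")"
            warned=$((warned + 1))
        else
            echo "ok:   $name"
        fi
    done
    return $warned
}

# Build a constructed self-signed certificate valid for DAYS days in DIR/NAME/,
# mirroring the live/<name>/cert.pem layout, so the demo needs no real CA.
make_cert() {   # make_cert DIR NAME DAYS
    mkdir -p "$1/$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/$2/privkey.pem" -out "$1/$2/cert.pem" >/dev/null 2>&1
}

# Demonstration: one freshly renewed certificate and one whose renewal has
# been failing for weeks.
demo=$(mktemp -d)
make_cert "$demo" www.example-1.com 85
make_cert "$demo" stale.example.com 7
check_live_certs "$demo" 25 || echo "$? certificate(s) need attention"
rm -rf "$demo"
```

A cron entry such as `30 0 * * * /usr/local/bin/check-certs.sh || mail -s "certificate renewal failing" admin@yourdomain.com` (path and recipient are placeholders) turns the non-zero return value into an alert; the check is read-only and never changes what certbot does.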

Revoke existing Let’s Encrypt certificate

Run the command below to revoke a particular certificate (replace <domain_name> with your domain), then delete its files so certbot stops trying to renew it:

sudo certbot revoke --cert-path /etc/letsencrypt/archive/<domain_name>/cert1.pem
sudo certbot delete --cert-name <domain_name>
