
How To Secure Apache with Lets Encrypt on Ubuntu 18.04 VPS or dedicated server

How VPS by How VPS
November 2, 2018
in Control Panels

Contents

  1. Introduction
  2. Before You Start
  3. Step 1 – Installing Certbot
  4. Step 2 – Generating Strong DH Group
  5. Step 3 – Getting An SSL Certificate
  6. Step 4 – Modify The Virtual Host File Configuration
  7. Step 5 – Setting Up Auto-Renewal
  8. Conclusion

Introduction

Let’s Encrypt is a free, reliable, and automated Certificate Authority (CA) run by the non-profit Internet Security Research Group (ISRG). The CA uses fully automated processes to issue free SSL/TLS certificates, removing the need to create, install, verify, and renew SSL certificates manually.

Let’s Encrypt is trusted by leading programs simply because it is secure, transparent, cooperative, and automatic. The CA provides the digital certificates required to enable HTTPS for websites and create a privacy-respecting and secure web.

This tutorial will help you secure the Apache service using Let’s Encrypt via the reliable certbot tool on your Ubuntu 18.04 VPS hosting or dedicated server hosting.

Ready? Let’s get started!

Before You Start

For this process to run smoothly, you require the following:

  • A domain
  • Apache installed on your server
  • Fully configured Apache virtual hosts for the domain name. You can use our guide “How to set up Apache Virtual Hosts on Ubuntu 18.04” to configure the virtual hosts.

If everything is in place we can now embark on the installation.

Step 1 – Installing Certbot

The first step in securing Apache with Let’s Encrypt is installing the certbot tool. It automates and streamlines obtaining and renewing SSL certificates from Let’s Encrypt, and it can also configure your web server to use those certificates.

First, update the local package index:

$ sudo apt update

Then, execute the command below to install Certbot:

$ sudo apt install certbot

That’s it! You have installed the certbot tool successfully.

Step 2 – Generating Strong DH Group

The Diffie-Hellman (DH) group is the set of parameters used by the DH key exchange, which lets two parties agree on a shared secret over an insecure communication channel.

Run the command below to generate a 2048-bit DH parameter file:

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Note: If you wish, you can replace the size 2048 with 4096. Be patient if you do: generating the DH parameters can take thirty minutes or more depending on your system’s entropy.

Step 3 – Getting An SSL Certificate

Once the DH group is generated, you can obtain the SSL certificate for your domain. In this tutorial, we’ll use example.com as our domain name; remember to replace this value with your real domain name.

In this step, we’ll use the webroot plugin, which creates a challenge file for example.com in the directory ${webroot-path}/.well-known/acme-challenge. The Let’s Encrypt validation server then makes HTTP requests to that path to verify that the domain resolves to the server on which certbot is running.

We’ll simply map HTTP requests for .well-known/acme-challenge to /var/lib/letsencrypt. Run the commands below to create the required directory and make it writable by the Apache server:

$ sudo mkdir -p /var/lib/letsencrypt/.well-known
$ sudo chgrp www-data /var/lib/letsencrypt
$ sudo chmod g+s /var/lib/letsencrypt

Next, create two unique configuration snippets to prevent code duplication. First, run the command below to open the first configuration file:

$ sudo nano /etc/apache2/conf-available/letsencrypt.conf

Add the content below into this file:

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

Save and exit this file.
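To see what the Alias mapping and the CA’s validation step actually do, here is an added Python dry run (not part of the tutorial or of certbot): it serves a temporary challenge directory the way the Alias and <Directory> block above do, then fetches the token the way the Let’s Encrypt validation server would. The temporary webroot and the account thumbprint are constructed placeholders; the server side also refuses request paths that escape the challenge directory.

```python
import http.server, os, secrets, tempfile, threading, urllib.error, urllib.request
PREFIX = "/.well-known/acme-challenge/"  # URL prefix the Alias line maps

def challenge_dir(webroot):
    """Same layout the tutorial's mkdir -p creates under /var/lib/letsencrypt."""
    path = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(path, exist_ok=True)
    return os.path.realpath(path)

def make_handler(root):
    class AliasHandler(http.server.BaseHTTPRequestHandler):
        """Serves only files inside root, like the Alias + <Directory> block."""
        def do_GET(self):
            if not self.path.startswith(PREFIX):
                return self.send_error(404)
            target = os.path.realpath(os.path.join(root, self.path[len(PREFIX):]))
            # Refuse names that escape the challenge directory (../) or are not files.
            if os.path.dirname(target) != root or not os.path.isfile(target):
                return self.send_error(404)
            with open(target, "rb") as fh:
                body = fh.read()
            self.send_response(200)
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *_):  # keep the run quiet
            pass
    return AliasHandler

def fetch(root, url_path):
    """Play the CA's validation server: one plain-HTTP GET; body text or None."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), make_handler(root))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{srv.server_port}{url_path}", timeout=5) as r:
            return r.read().decode()
    except urllib.error.HTTPError:
        return None
    finally:
        srv.shutdown(); srv.server_close()

def http01_dry_run(tamper=False, traversal=False):
    # True only when the token served back equals the expected key authorization.
    with tempfile.TemporaryDirectory() as webroot:
        root = challenge_dir(webroot)
        token = secrets.token_urlsafe(32)
        key_authz = token + ".CONSTRUCTED-THUMBPRINT"  # placeholder, not a real thumbprint
        with open(os.path.join(root, token), "w") as fh:
            fh.write("wrong-content" if tamper else key_authz)
        path = PREFIX + ("../../" + token if traversal else token)
        return fetch(root, path) == key_authz
```

Calling http01_dry_run() returns True; the tamper and traversal variants return False, which is what a real validation failure looks like from certbot’s side.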

Next, execute the command below to open the second configuration file:

$ sudo nano /etc/apache2/conf-available/ssl-params.conf

Copy and paste the content below into this file:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Save and exit the file.

Note: The second configuration snippet uses the cipher suite recommended by Cipherli.st, enables HSTS (HTTP Strict Transport Security) and other security-centric HTTP headers, and activates OCSP stapling.
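As an added check that is not part of the tutorial, the following Python audit parses an ssl-params.conf snippet and flags the settings this step exists to remove: legacy protocol versions, client-chosen cipher order, TLS compression, and a missing or short HSTS max-age. HARDENED is the snippet above; the weak input in the usage is a constructed counter-example.

```python
import re
# Mirrors the page's ssl-params.conf (Header lines with the spaces they need).
HARDENED = """SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLSessionTickets Off"""
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # what "All" expands to in Apache 2.4
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")

def parse_directives(text):
    """Map directive -> arguments; 'Header [always] set NAME value' is keyed Header:NAME."""
    out = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        hdr = re.match(r'Header\s+(?:always\s+)?set\s+(\S+)\s+"?(.*?)"?$', line)
        if hdr:
            out["Header:" + hdr.group(1)] = hdr.group(2)
        else:
            name, _, args = line.partition(" ")
            out[name] = args.strip()
    return out

def enabled_protocols(value):
    # Apply SSLProtocol's All / +name / -name grammar and return the enabled versions.
    enabled = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled |= ALL
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def audit(text):
    """Return findings for a snippet; an empty list means it passes."""
    d = parse_directives(text)
    protos = enabled_protocols(d.get("SSLProtocol", "all"))  # Apache's default is all
    findings = [f"SSLProtocol still allows {p}" for p in LEGACY if p in protos]
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not On, so the client picks the cipher")
    if d.get("SSLCompression", "off").lower() != "off":
        findings.append("SSLCompression is on (TLS compression, CRIME)")
    age = re.search(r"max-age=(\d+)", d.get("Header:Strict-Transport-Security", ""))
    if not age or int(age.group(1)) < 31536000:
        findings.append("HSTS header missing or max-age shorter than one year")
    return findings
```

audit(HARDENED) returns an empty list; feeding it a constructed weak snippet such as `SSLProtocol All -SSLv2 -SSLv3` with `SSLHonorCipherOrder Off`, `SSLCompression on` and an HSTS max-age of 300 yields five findings.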

Now, run the commands below to enable the Apache SSL module and mod_headers:

$ sudo a2enmod ssl
$ sudo a2enmod headers

Next, execute the commands below to enable the letsencrypt.conf and ssl-params.conf configuration snippets:

$ sudo a2enconf letsencrypt
$ sudo a2enconf ssl-params

Reload Apache to apply the changes:

$ sudo systemctl reload apache2

Everything is in place, so you can now run certbot with the webroot plugin to obtain your SSL certificate:

$ sudo certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

Once the certificate is obtained, you will get the message below:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-10-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 4 – Modify The Virtual Host File Configuration

Execute the command below to open the configuration file for your unique domain:

$ sudo nano /etc/apache2/sites-available/example.com.conf

Add the content below to this file:

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  DocumentRoot /var/www/example.com/public_html
  ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
  CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

  # Other Apache Configuration

</VirtualHost>

Next, reload your Apache service:

$ sudo systemctl reload apache2

Open your website in a browser and check that the green lock icon is shown.

Step 5 – Setting Up Auto-Renewal

The newly installed SSL certificate is valid for only 90 days. The Certbot package can renew it automatically before it expires: it installs a cron job that runs twice a day and renews the certificate about a month before it expires.

Apache must be reloaded every time the certificate is renewed so that it picks up the new files. To enable this, edit the /etc/cron.d/certbot file and add the --renew-hook "systemctl reload apache2" hook to the certbot command.

This file will look like:

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"

Next, run the command below to confirm the automatic renewal:

$ sudo certbot renew --dry-run

If you get no errors, the automatic SSL certificate renewal process has been set up correctly.

Conclusion

That’s it! You have successfully used the certbot tool and Let’s Encrypt to obtain an SSL certificate for your specific domain name.
