Secure Apache with Let's Encrypt on Ubuntu 18.04
30 December 2018

Written by aghouchaf
Categories: Apache, Security, Web

Table of Contents

  • 1. Introduction
  • 2. Prerequisites
  • 3. Install Certbot
  • 4. Generate a Strong DH (Diffie-Hellman) Group
  • 5. Obtaining a Let's Encrypt SSL Certificate

1. Introduction

Let's Encrypt is a free, automated, and open certificate authority run by the non-profit Internet Security Research Group (ISRG).

In this post I'll show you, step by step, how to secure your Apache web server with a Let's Encrypt certificate using the certbot tool on Ubuntu 18.04.

2. Prerequisites

In order to complete this tutorial, you will need:

  1. An Ubuntu 18.04 server with Apache installed, and a registered domain name whose DNS A (or AAAA) record points at the server's public IP address. Port 80 must be reachable from the internet, because that is where Let's Encrypt validates the domain.
  2. An up-to-date system: sudo apt update && sudo apt upgrade

3. Install Certbot

Certbot is a fully featured and easy-to-use tool that automates obtaining and renewing Let's Encrypt certificates and can configure web servers to use them. The certbot package is included in the default Ubuntu repositories. Note that the Ubuntu 18.04 package lags behind upstream; if you need a newer release, the Let's Encrypt project now recommends installing certbot as a snap instead.

Update the packages list and install the certbot package:

sudo apt update && sudo apt install certbot

4. Generate a Strong DH (Diffie-Hellman) Group

Diffie-Hellman key exchange (DH) is a method of agreeing on a shared secret over an insecure channel. We generate a dedicated 2048-bit group (the smallest size considered safe today) for the finite-field EDH cipher suites; the EECDH suites listed first in the cipher configuration below use elliptic-curve groups and do not read this file. Generation takes a minute or so:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

5. Obtaining a Let's Encrypt SSL Certificate

To obtain a certificate for our domain we use the Webroot plugin. Certbot writes a temporary file under ${webroot-path}/.well-known/acme-challenge/ and the Let's Encrypt validation servers fetch it over plain HTTP at http://<domain>/.well-known/acme-challenge/<token>; a successful fetch proves that the domain's DNS points at a server you control (the HTTP-01 challenge). Port 80 therefore has to be reachable from the internet for the initial issuance and for every renewal.

To keep things simple we map all requests for /.well-known/acme-challenge to a single directory, /var/lib/letsencrypt, so one snippet serves every virtual host.

The following commands create the directory and hand it to the www-data group. Certbot runs as root and writes the challenge files; Apache only needs to read them, so the setgid bit (g+s) merely makes newly created files inherit the www-data group.

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

To avoid repeating the same directives in every virtual host, create the following two configuration snippets.

sudo vi /etc/apache2/conf-available/letsencrypt.conf

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    # Challenge files are plain static files: Indexes and MultiViews are not
    # needed here, and "Options None" is enough if you prefer a tighter setting.
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
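The exchange that the Alias above takes part in, as an added example (Python; not code from this post, from certbot or from Let's Encrypt): certbot writes the token file, Apache serves it from the aliased directory, and the CA compares what it fetched with the key authorization it computes from the account key (RFC 8555 section 8.1, thumbprint per RFC 7638). The account JWK is a toy value, the token is generated locally instead of being issued by the CA, and the webroot is a scratch directory.

```python
"""HTTP-01 challenge, simulated end to end (added example; not certbot or
Let's Encrypt code).

Three roles, kept apart so it is clear who does what:
  - certbot (as root): writes <webroot>/.well-known/acme-challenge/<token>
  - Apache: the Alias maps /.well-known/acme-challenge/<token> onto that file
  - the CA: fetches the URL and expects "<token>.<JWK thumbprint>"
"""
import base64
import hashlib
import json
import os
import secrets
import tempfile

ALIAS_URL_PREFIX = "/.well-known/acme-challenge/"   # same prefix as letsencrypt.conf


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Toy account key (assumed): the thumbprint only needs the JSON members, not a real modulus.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 65)))}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted,
    no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Exact content certbot writes into the token file."""
    return token + "." + jwk_thumbprint(jwk)


class ChallengeDir:
    """Stands in for Apache serving the Alias: URL prefix -> directory on disk."""

    def __init__(self, webroot: str):
        self.dir = os.path.join(webroot, ".well-known", "acme-challenge")
        os.makedirs(self.dir, exist_ok=True)

    def place(self, token: str, keyauth: str) -> str:
        """certbot's webroot step: write the file, readable by www-data
        (Apache never needs write access to this directory)."""
        path = os.path.join(self.dir, token)
        with open(path, "w") as fh:
            fh.write(keyauth)
        os.chmod(path, 0o644)
        return path

    def serve(self, url_path: str):
        """Resolve a request path the way the Alias does. Apache collapses '..'
        in the URL before Alias runs; the realpath check is this simulation's
        equivalent, so nothing outside the challenge directory is returned."""
        if not url_path.startswith(ALIAS_URL_PREFIX):
            return None
        full = os.path.realpath(os.path.join(self.dir, url_path[len(ALIAS_URL_PREFIX):]))
        if os.path.dirname(full) != os.path.realpath(self.dir) or not os.path.isfile(full):
            return None            # 404: unknown token or traversal attempt
        with open(full) as fh:
            return fh.read()


def ca_validate(server: ChallengeDir, token: str, account_jwk: dict) -> bool:
    """What the validator does: GET the URL and compare with the key
    authorization it computes itself from the account key it already holds.
    (The real CA fetches over plain HTTP from several vantage points and
    follows redirects, including to https://.)"""
    body = server.serve(ALIAS_URL_PREFIX + token)
    return body is not None and body.strip() == key_authorization(token, account_jwk)


def demo(webroot: str = "") -> dict:
    """One issuance round in a scratch webroot; returns the outcomes."""
    webroot = webroot or tempfile.mkdtemp(prefix="letsencrypt-demo-")
    server = ChallengeDir(webroot)
    token = b64url(secrets.token_bytes(32))    # CA-issued tokens are base64url as well
    server.place(token, key_authorization(token, ACCOUNT_JWK))
    return {
        "valid": ca_validate(server, token, ACCOUNT_JWK),
        "wrong_token": ca_validate(server, "not-the-token", ACCOUNT_JWK),
        "traversal": server.serve(ALIAS_URL_PREFIX + "../../etc/passwd"),
    }


if __name__ == "__main__":
    print(demo())   # {'valid': True, 'wrong_token': False, 'traversal': None}
```

The point of the split is the failure modes you will actually hit: a wrong or missing token (or a firewall on port 80) shows up as a 404 on the CA side, and the file content must be exactly token.thumbprint, which is why nothing but certbot should write to that directory.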
sudo vi /etc/apache2/conf-available/ssl-params.conf

# Cipher list from Cipherli.st: every suite uses ephemeral (EC)DH, so all
# sessions have forward secrecy; AES-GCM first, AES-256-CBC variants as fallback.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# Leaves only TLS 1.2 (plus TLS 1.3 on Apache 2.4.36 or later); -SSLv2 is a no-op on 2.4
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# HSTS for two years; keep "preload" only if you intend to submit the domain to the preload list
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

The snippet above uses the cipher list recommended by Cipherli.st, enables OCSP stapling and HTTP Strict Transport Security (HSTS), and adds a few security-focused HTTP headers. Two caveats: the preload token is a long-term commitment (once example.com is in the browsers' HSTS preload list, getting it removed takes months), so leave it out unless you intend to submit the domain; and X-Frame-Options DENY also stops your own pages from framing each other, so use SAMEORIGIN if you need that. Everything in conf-enabled is included outside any virtual host, so these settings apply server-wide.

Before enabling the configuration files, make sure both mod_ssl and mod_headers are enabled by issuing:

sudo a2enmod ssl
sudo a2enmod headers

Next, enable the SSL configuration files by running the following commands:

sudo a2enconf letsencrypt
sudo a2enconf ssl-params

Enable the HTTP/2 module, which makes your sites faster and more robust:

sudo a2enmod http2

Note that mod_http2 does not serve HTTP/2 under the prefork MPM, which is what you get when libapache2-mod-php is installed; in that case either switch to the event MPM with PHP-FPM or leave the Protocols line below at http/1.1.

Reload the Apache configuration for changes to take effect:

sudo systemctl reload apache2

Now run certbot with the webroot plugin to obtain the certificate files (replace the e-mail address and the domains with your own; the address receives expiry warnings):

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

If the SSL certificate is successfully obtained, certbot will print the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-10-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now that you have the certificate files, edit your domain's virtual host configuration, /etc/apache2/sites-available/example.com.conf, as follows:

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com

  # Everything on port 80 goes to HTTPS. The ACME challenge Alias from
  # letsencrypt.conf also applies on port 443, so renewals keep working.
  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  Protocols h2 http/1.1

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  DocumentRoot /var/www/example.com/public_html
  ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
  CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  # Intermediate chain, needed by clients and by OCSP stapling. On Apache 2.4.8+
  # you can instead point SSLCertificateFile at fullchain.pem and drop this line.
  SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

  # Other Apache Configuration

</VirtualHost>

With the configuration above we force HTTPS and redirect the www host to the non-www version. Because the port 80 virtual host now redirects everything, future challenge requests are answered over HTTPS through the same Alias; Let's Encrypt follows that redirect, so renewals are not affected. Feel free to adjust the configuration to your needs.

Reload the Apache service for changes to take effect:

sudo systemctl reload apache2

You can now open your website using https:// and you will see the lock icon in the browser's address bar.

Let's Encrypt certificates are valid for 90 days, so renewal has to be automated. The Ubuntu certbot package installs a systemd timer (certbot.timer) that runs certbot renew twice a day and reuses the webroot settings saved under /etc/letsencrypt/renewal/, but renewal does not reload Apache, so the server would keep serving the old certificate until its next restart. Put a script that runs systemctl reload apache2 in /etc/letsencrypt/renewal-hooks/deploy/ (or pass --deploy-hook to certbot), and test the whole path with certbot renew --dry-run before relying on it.
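The checks a practitioner runs after the reload, as an added example (Python; not part of this post): the two offline helpers model what the SSLProtocol directive in ssl-params.conf leaves enabled and how many days a certificate has left, and audit() performs the live checks against a real host: a verified TLS 1.2+ connection and certificate lifetime, a TLS 1.1 handshake being refused, the HSTS and X-Frame-Options headers on HTTPS, and the HTTP to HTTPS redirect. The host name and the 30-day renewal threshold are assumptions.

```python
"""Post-deployment audit for the Apache TLS settings above (added example;
not from the post).  enabled_protocols() and days_left() run offline;
audit() needs network access to the deployed host.
"""
import http.client
import socket
import ssl
import time

HOST = "example.com"                          # assumed; use your own ServerName
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def enabled_protocols(ssl_protocol: str) -> set:
    """Evaluate an SSLProtocol value the way mod_ssl does: 'All' or a version
    name enables, a '-' prefix removes, evaluated left to right.  TLSv1.3 is
    only a real option on Apache 2.4.36+; '-SSLv2' is accepted for
    compatibility and changes nothing on 2.4."""
    enabled = set()
    for tok in ssl_protocol.split():
        name = tok.lstrip("+-")
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if tok.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return enabled


def days_left(not_after: str, now=None) -> float:
    """Days until a certificate's notAfter, given in the string form that
    ssl.SSLSocket.getpeercert() returns ('Oct 28 12:00:00 2018 GMT').
    `now` may be omitted (current time), a Unix timestamp, or a second
    string in the same format."""
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def _legacy_handshake(host: str) -> str:
    """Attempt a TLS 1.1-only handshake.  Returns 'connected' (bad: the server
    accepted it) or the OpenSSL reason for the failure.  The reason tells a
    server refusal (TLSV1_ALERT_PROTOCOL_VERSION, UNSUPPORTED_PROTOCOL) apart
    from a client that cannot speak TLS 1.1 itself (NO_PROTOCOLS_AVAILABLE,
    common on OpenSSL 3 systems), which would otherwise look like a pass."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE           # chain verification is not what is tested here
    try:
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # allow OpenSSL to offer legacy suites
    except (ValueError, ssl.SSLError) as exc:
        return "client cannot offer TLS 1.1: " + str(exc)
    try:
        with socket.create_connection((host, 443), timeout=10) as raw, \
                ctx.wrap_socket(raw, server_hostname=host):
            return "connected"
    except ssl.SSLError as exc:
        return exc.reason or str(exc)
    except OSError as exc:
        return str(exc)


def audit(host: str = HOST, renew_within_days: int = 30) -> dict:
    """Live checks against the deployed host (not run by the offline test)."""
    results = {}
    ctx = ssl.create_default_context()        # verifies the chain against the system roots
    with socket.create_connection((host, 443), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        results["protocol"] = tls.version()
        results["cipher"] = tls.cipher()[0]
        left = days_left(tls.getpeercert()["notAfter"])
        results["days_left"] = round(left, 1)
        results["renew_soon"] = left < renew_within_days
    results["tls1_1"] = _legacy_handshake(host)

    https = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    https.request("GET", "/", headers={"Host": host})
    resp = https.getresponse()
    results["hsts"] = resp.getheader("Strict-Transport-Security")
    results["x_frame_options"] = resp.getheader("X-Frame-Options")
    https.close()

    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("GET", "/", headers={"Host": host})
    resp = plain.getresponse()
    results["http_redirect"] = (resp.status, resp.getheader("Location"))
    plain.close()
    return results


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key:16} {value}")
```

Python's ssl module does not expose the stapled OCSP response, so check that part with openssl s_client -connect example.com:443 -status and look for "OCSP Response Status: successful"; a "no response sent" there usually means Apache could not reach the CA's OCSP responder or the chain file is missing.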
