Improving your website security through encryption, even on the most basic servers, can increase your visitors’ trust in your site and your ability to run it. Setting up encryption on your web host has generally been complicated and expensive, which often deters administrators whose web applications might not depend on user input. Let’s Encrypt aims to change this by making implementing encryption on any website easier. They are an open and free project that allows obtaining and installing of certificates through simple, automated, commands.

Let's Encrypt Project Logo

Let’s Encrypt is a new Certificate Authority capable of issuing certificates cross-signed by IdentTrust, which allows their end certificates to be accepted by all major browsers. This guide outlines the steps for installing their letsencrypt client version 0.4.1-1 and how to use it to manage certificates on Ubuntu 16.04 cloud server running Apache2.

Installing Let’s Encrypt client

Let’s Encrypt greatly simplifies server management by automating obtaining certificates and configuring web services to use them. The client is fully-featured and extensible for the Let’s Encrypt Certificate Authority or any other CA that uses the ACME protocol.

The client is available with the Ubuntu package manager and can be installed with the following command. You will naturally also need Apache2 itself which is also included below.

sudo apt-get install apache2 python-letsencrypt-apache

Once installed, you can use the next command to see test the client is working correctly.

letsencrypt --help

Given that the help command works, you are ready to continue on with obtaining and installing a certificate.

Obtaining a certificate

Let’s Encrypt validates the domain it is installed on similarly to a traditional CA process by identifying the server administrator via a public key. The client generates a new key pair when interacting with the Let’s Encrypt servers for the first time, and then aims to prove to the CA that the host has control over a particular domain by at least one of the two following ways:

  • Provisioning a DNS record under the domain in question
  • Provisioning an HTTP resource under a well-known URI on the domain

On top of one of the two challenges, the client also must sign a nonce with its private key to prove it controls that key pair.

To help the Let’s Encrypt client accomplish these tasks it supports a number of plugins that can be used to obtain or install certificates. With Apache2 you can use the Apache plugin. The plugin automates both obtaining and installing certificates on an Apache web server. To use this plugin on the command line, simply include the flag --apache.

Begin the process with the next command.

sudo letsencrypt --apache

This starts an interactive installation script which will ask a couple of questions to setup the certificate correctly.

  1. If you do not have a pre-existing configuration file, select Yes to use the default vhost and specify the settings manually.
  2. Enter the domain name hosted on the server you are installing the certificate on. If you have multiple domains on the same server, write them all here separated by a comma.
  3. On the first installation on any specific host, you will need to enter a contact email.
  4. Next, go through the Let’s Encrypt Terms of Service and select Agree if you accept the terms and wish to use the service.
  5. Then select whether you wish to use both HTTP and HTTPS or to require all traffic to use encryption by highlighting either Easy or Secure option and selecting OK.
  6. If everything worked correctly you’ll get a message that HTTPS was successfully enabled and a link pointing to SSL Labs test site.

Click the SSL Labs link to run a test on your server or use the URL below by replacing the example.upcloud.com with your domain.

https://www.ssllabs.com/ssltest/analyze.html?d=example.upcloud.com

Qualys SSL Labs Apache test

Note that as Let’s Encrypt is still in development they have set certain rate limits for issuing certificates to protect the service against both accidental and intentional abuse. You can check further details and documentation at Let’s Encrypt community site.

If you are having problems using the client, make sure you are trying to register a domain or subdomain that currently resolves to that host. Also, check that you have the administrative privileges to run the commands and that Apache is working correctly.

Renewing a certificate

At the end of the certificate installation script output, you will see the certificate’s expiration date which is usually 3 months from the day you installed it. Renewing a certificate is as easy as running a single command.

You can test the renewal process with the following command.

sudo letsencrypt renew --dry-run --agree-tos

If the test succeeded without issues, you can actually renew the certificate by leaving out the additional parameters.

sudo letsencrypt renew

Once the renewal is complete, reload your web service to update the configuration with the next command.

sudo service apache2 reload

Your certificate is now again valid for another 3 months.

The client will only request a renewal if the current certificate is about to expire. This can be useful for automating the process by creating a renew script similar to the example below.

sudo nano /etc/cron.daily/letsencrypt-renew
#!/bin/sh
if letsencrypt renew > /var/log/letsencrypt/renew.log 2>&1 ; then
   /etc/init.d/apache2 reload > /dev/null 2>&1
fi
exit
sudo chmod +x /etc/cron.daily/letsencrypt-renew

The example script runs the renewal while directing the output to a log file, then checks if it was successful, and finally reloads Apache to complete the renewal.

You can automate the script, for example, using Cron job. Open the root user crontab for edit with the command underneath.

sudo crontab -e

Include a line similar to the example below in the crontab file, then save and exit.

01 02,14 * * * /etc/cron.daily/letsencrypt-renew

Let’s Encrypt recommends setting the automated renewal script to run twice a day on a random minute within the hour. The above example runs on 02:01 and 14:01 but you can select any time slot you wish.

Revoking a certificate

If you wish to remove a certificate from your server it can be revoked using a subcommand with Let’s Encrypt client. The command below can be used to revoke a particular certificate. Replace the <domain_namewith the domain which certificate you wish to revoke.

letsencrypt revoke --cert-path /etc/letsencrypt/live/<domain_name>/cert.pem

The process does not give a confirmation upon completion, but if you perform it again you will get a message that the certificate has already been revoked.

Other plugins

In most cases simply installing and renewing your certificates as instructed above is enough, but the Let’s Encrypt client also supports some additional plugins for managing your certificates. This guide focuses on installing the certificate using the Apache plugin, though Let’s Encrypt also works just as well with other web servers software. Nginx setup automation is currently experimental and the plugin is not installed with letsencrypt automatically, but can still be used to install certificates manually on servers running Nginx. Check out our other guide for How to Install Let’s Encrypt on Nginx. You can also find out about other supported options in the documentation for Let’s Encrypt.