Preparing your server for SSL
If you are installing SSL and Let’s Encrypt on Ubuntu for the first time, you should first enable SSL on your apache install. If you don’t you will get this error message:
SSLCertificateFile: file '/etc/apache2/insert_cert_file_path' does not exist or is empty
First enable SSL:
sudo a2enmod ssl
sudo service apache2 restart
Installing Let’s Encrypt
Now you can install Let’s Encrypt:
sudo apt-get update
sudo apt-get install letsencrypt python-letsencrypt-apache
Note for Ubuntu 16
There are issues on Ubuntu 16 getting certs installed if you use the packages. The error I saw was:
AuthorizationError: Client does not support any combination of challenges that will satisfy the CA.
I updated Certbot using the details documented here: https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache and this corrected the errors.
Generating a certificate
Now we can generate and install the SSL certificate. This example generates the certificate and installs it for example.com:
sudo letsencrypt --apache -d example.com
If you want the certificate to cover subdomains, or both the bare domain and the www subdomain (which I recommend, because lots of people forget to type the www part), pass several -d flags when making the certificate:
sudo letsencrypt --apache -d example.com -d www.example.com
This means that your certificate will work for both https://example.com and https://www.example.com.
Finally, you'll want to test that your site works over HTTPS. Validate it using SSL Labs:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest
Keeping your certificate updated
Let's Encrypt only issues certificates that are valid for 90 days, so you need to renew them periodically. It's recommended that certificates are renewed every 60 days to leave a margin for error. The Let's Encrypt client has a renew command that checks the currently installed certificates and tries to renew any that are less than 30 days from their expiry date. It is run as follows:
sudo letsencrypt renew
You’ll see output that looks like this:
Processing /etc/letsencrypt/renewal/example.com.conf
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
It's best to run this from cron so that renewal happens automatically.
The easiest way to do this is to add a line to /etc/crontab. Two details matter here: the system crontab needs a user field between the schedule and the command, and a plain sudo echo "..." >> /etc/crontab fails from a normal user account because the redirection is performed by your unprivileged shell, not by sudo. Piping through sudo tee -a avoids both problems:
echo "0 3 * * 1 root /usr/bin/letsencrypt renew >> /var/log/letsencrypt-renew.log 2>&1" | sudo tee -a /etc/crontab
This runs the check as root every Monday at 3am, renews any certificates that are due, and appends the output (including any errors) to the logfile.
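As an added example, not code from the original post or from the Let's Encrypt client, the script below does two of the checks described above without touching the CA: it lists the names a certificate's subjectAltName covers (so you can confirm both example.com and www.example.com are present after the two -d flags) and applies the same "renew when fewer than 30 days remain" rule the renew command uses, via openssl x509 -checkend. The live path /etc/letsencrypt/live/example.com/fullchain.pem is the standard Let's Encrypt layout; when it is not readable the script falls back to a self-signed sample certificate that it constructs itself, so it runs offline. Function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: checks around the certificate
# that "letsencrypt --apache" installs. Needs only openssl and POSIX sh.

# List the DNS names in the certificate's subjectAltName, one per line.
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# Exit 0 if the certificate covers the exact host name given as $2.
cert_covers_name() {
    cert_san_names "$1" | grep -qx "$2"
}

# Exit 0 if the certificate expires within $2 days (default 30, the threshold
# "letsencrypt renew" applies), i.e. a renewal is due.
renewal_due() {
    ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Constructed test data: a self-signed certificate valid for $2 days with the
# subjectAltName list in $3 (e.g. "DNS:example.com,DNS:www.example.com").
make_sample_cert() {
    cfg=$(mktemp)
    first=$(printf '%s' "$3" | sed 's/^DNS://; s/,.*//')
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n[dn]\nCN=%s\n[ext]\nsubjectAltName=%s\n' \
        "$first" "$3" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -config "$cfg" >/dev/null 2>&1
    rm -f "$cfg"
}

# Report name coverage and renewal status for one certificate file.
report() {
    printf 'Certificate: %s\n' "$1"
    for name in example.com www.example.com; do
        if cert_covers_name "$1" "$name"; then
            printf '  covers %s\n' "$name"
        else
            printf '  does NOT cover %s\n' "$name"
        fi
    done
    if renewal_due "$1" 30; then
        printf '  renewal due (fewer than 30 days left)\n'
    else
        printf '  not due for renewal yet\n'
    fi
}

# Use the installed certificate when present, otherwise a constructed sample.
LIVE=/etc/letsencrypt/live/example.com/fullchain.pem
if [ -r "$LIVE" ]; then
    report "$LIVE"
else
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/sample.pem" 90 "DNS:example.com,DNS:www.example.com"
    report "$tmp/sample.pem"
    rm -rf "$tmp"
fi
```

Run it on the server as a quick sanity check after issuing or renewing; a certificate that covers only one of the two names, or that reports "renewal due" right after a cron run, means the renew job is not doing what the crontab line is meant to do.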