Add SSL/TLS to Apache with “Let’s Encrypt”

Everyone would love to see that lovely green lock next to your website’s URL and that glorious “https” mark, which makes us all feel warm and fuzzy inside, right? No problem. Thanks to “Let’s Encrypt” you can now make it happen fast and free. Let’s build together a better internet.

This tutorial shows how to set up the certificate on an Apache web server.

Get the client

First of all we will download the “Let’s Encrypt” client. That is right. They made a client-side app, to make it extra easy for you. So we will save it under /opt, which seems to be the standard directory to place 3rd-party software, or so I am told.

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Set up the certificate

Keep in mind how many domains you want to support with a single certificate. For instance, this blog should work only with the URL https://enriquemorenotent.com, but it could also be set to work with https://www.enriquemorenotent.com which means that we have 2 domains to support:

  • enriquemorenotent.com
  • www.enriquemorenotent.com

cd /opt/letsencrypt
./letsencrypt-auto --apache -d enriquemorenotent.com -d www.enriquemorenotent.com

Notice how I add a -d for every domain I want to support. It is important that the first domain is the base domain.

After a few questions like email address and others, you will be all set!

Renew your certificate automatically

The certificates from Let’s Encrypt only last 3 months. But updating them is quite easy. Just download the following script and install it:

sudo curl -L -o /usr/local/sbin/le-renew http://do.co/le-renew
sudo chmod +x /usr/local/sbin/le-renew
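
The script above is fetched over plain HTTP and then run as root, so one defensive pattern is to download it to a temporary file, read it, record its SHA-256, and install it only while that digest still matches. This is an added example, not part of the original post or of le-renew; the function name install_pinned and the file name install-pinned.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not part of le-renew or the Let's Encrypt client).
#
# install_pinned SRC EXPECTED_SHA256 DEST
#   Installs SRC at DEST with mode 0755 only if its SHA-256 equals the
#   digest that was recorded when the file was reviewed.
#   Returns: 0 installed, 1 digest mismatch, 2 bad arguments.
install_pinned() {
    ip_src=$1; ip_expected=$2; ip_dest=$3
    [ -f "$ip_src" ] || { echo "no such file: $ip_src" >&2; return 2; }

    # Normalise to lower case, then insist on exactly 64 hex characters so
    # an empty or placeholder value can never be accepted.
    ip_expected=$(printf '%s' "$ip_expected" | tr 'A-F' 'a-f')
    case $ip_expected in
        *[!0-9a-f]*|'') echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#ip_expected}" -eq 64 ] || { echo "expected digest must be 64 hex characters" >&2; return 2; }

    # Reading from stdin makes sha256sum print "<digest>  -"; keep field 1.
    ip_actual=$(sha256sum < "$ip_src" | cut -d' ' -f1)
    if [ "$ip_actual" != "$ip_expected" ]; then
        echo "digest mismatch: got $ip_actual" >&2
        return 1
    fi

    # install(1) copies the file and sets its mode in one step, so nothing
    # unverified ever becomes executable at DEST.
    install -m 0755 "$ip_src" "$ip_dest"
}

# Usage, assuming this file is saved as install-pinned.sh (hypothetical name):
#   tmp=$(mktemp)
#   curl -L -o "$tmp" http://do.co/le-renew
#   less "$tmp"            # read the script
#   sha256sum "$tmp"       # record this digest once you are satisfied
#   sudo sh install-pinned.sh "$tmp" <recorded digest> /usr/local/sbin/le-renew
if [ "$#" -eq 3 ]; then install_pinned "$@"; fi
```

Keeping the recorded digest with your server notes lets the same check catch a changed script if you ever download it again.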

Now all you have to do is run

sudo le-renew enriquemorenotent.com

and the certificate will update (or it will tell you that it is too soon for it).

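We can make this task automatic using root’s crontab, since the renewal needs root privileges (as the sudo call above shows). Open the crontab with the first command and add the second line to it:

sudo crontab -e
30 2 * * 1 /usr/local/sbin/le-renew enriquemorenotent.com >> /var/log/le-renew.log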

This will run the script every Monday at 2:30 am, updating the certificate if necessary.

Update the client

Remember that the client you cloned with git might be in development, so every now and then it might not be a bad idea to do this:

cd /opt/letsencrypt
sudo git pull

Just to make sure we are using the latest version 😉

Based on this tutorial
