FREE SSL using Apache HTTP Server on Ubuntu 14.04

In this blog I am going to go into detail about how to set-up FREE SSL using Apache HTTP Server.

I am going to explain in detail for Ubuntu 14.04 and Apache 2.4.18, but on the home page of the certbot website you get an option to select your OS and web-server.  After you select these it gives you a tailored install guide for your specific OS.

Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your web-server, the best thing of all it is free!

Ubuntu doesn’t have a packaged version of certbot so we need to use the delivered automatic scripts so firstly we need to get these as root to a temp area and change permissions as follows

Now what we (were) supposed to do next is issue the below command

This should have automatically installed the certificates using the Apache plugin but it failed for me with the below error (you may want to try it see if it works for you)

Fortunately there is another method to do this using ‘webroot’ which

Obtains a cert by writing to the webroot directory of an already running webserver.

So I will go through that method.

Firstly we initiate certbot again for the webroot method, now here you have to provide the path to the document root of the installation you are trying to create the keys for (in my case WordPress)

Next we are prompted to enter an email address for lost keys etc, it is highly advisable to do this

Hit enter and again to agree to the terms and conditions, then we are prompted to enter our domain details (ensure you enter this correctly)

Upon completion all the keys generated by cerbot should reside in the /etc/letsencrypt/live/{your domain} location, there should be 4 files, and I will explain how these correspond to the Apache settings we need to set

File Apache Parameter Purpose
privkey.pem (1) SSLCertificateKeyFile Private key for the cert. Never share with anyone!
cert.pem (2) SSLCertificateFile Server certificate only
chain.pem (3) SSLCertificateChainFile All certificates need served excl. Server Cert.
fullchain.pem (4) SSLCertificateFile All certificate including the Server Cert

All you need to do now is update the corresponding Apache parameters with the location and name of the key files you have generate.

Apache < 2.48 you need 1, 2 and 3 from the above table.
Apache >= 2.48 you only need 1 and 4

You need to place these parameters in all the SSL virtual hosts you requested a certificate for above.

Also ensure you have the SSL listen commands running.

Once you restart the Apache you should now be able to test https.

Updating the certificates

The certificates from certbot last 90 days, but updating them is really straight forward just one command as we already have the parameters present.

The command is

One final piece is I then like to divert all my http traffic through the secure https protocol, this is also fairly straight forward, you just modify/create your .htaccess file in your web server root directory and add the below lines.

Hopefully SSL is now working for you and you know how to renew your certificate in 90 days – Enjoy!

UPDATE

I got a grumpy email from Google today about having a user generated SSL/TLS key on my site! I was just wondering does anyone know if it negatively affects Googles rankings? I can’t seem to find a clear answer.

Paul H

IT consultant with 20+ years experience specialising in Oracle Database, Oracle Business Intelligence, Web/Mobile development, Application Express development, cloud technology and more

Leave a Reply

Your email address will not be published. Required fields are marked *