Created December 27, 2019 04:16
Apache2 + Let's encrypt + Ubuntu

How to setup Let's Encrypt for Apache on Ubuntu 16.04

In the following, we're setting up

Challenges are served from /var/www/letsencrypt.

Apache snippets

Create a file /etc/apache2/snippets/ssl.conf containing:

SSLEngine               on
SSLCertificateFile      /etc/letsencrypt/live/
SSLCertificateKeyFile   /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/

Header always set Strict-Transport-Security "max-age=15768000"
RequestHeader append "X-Forwarded-Proto" "https"
RequestHeader set "X-Forwarded-Ssl" "on"

SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

Create the folder for the challenges:

sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge

Apache virtual hosts (HTTP-only)

We don't have a certificate yet at this point, so the domain will be served only as HTTP.

Create a file /etc/apache2/sites-available/mydomain.conf containing:

<VirtualHost *:80>
        <fill in the rest here>
        Include /etc/apache2/snippets/letsencrypt.conf
</VirtualHost>

<VirtualHost *:443>
        <fill in the rest here>
</VirtualHost>

Enable the site:

sudo rm /etc/apache2/sites-enabled/000-default.conf # I bet this was done already
sudo ln -s /etc/apache2/sites-available/mydomain.conf /etc/apache2/sites-enabled/mydomain.conf

And reload Apache:

sudo service apache2 reload


Install the package:

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Note: there is also a letsencrypt package in APT, but it's a much older version of the client.

Get the certificate

Request the certificate (don't forget to replace with your own email address):

certbot certonly --webroot --agree-tos --no-eff-email --email YOUR@EMAIL.COM --config-dir /etc/letsencrypt --logs-dir /var/log/letsencrypt -w /var/www/letsencrypt -d -d

It will save the files in /etc/letsencrypt/live/

Note: The flag --no-eff-email opts out of signing up for the EFF mailing list; remove the flag if you'd like to sign up.

Apache virtual hosts (HTTPS-only)

Now that you have a certificate for the domain, switch to HTTPS by editing the file /etc/apache2/sites-available/mydomain.conf and replacing its contents with:

<VirtualHost *:80>
        <fill in the rest here>
        Include /etc/apache2/snippets/letsencrypt.conf
        Redirect permanent /
</VirtualHost>

<VirtualHost *:443>
        <fill in the rest here>
        Include /etc/apache2/snippets/ssl.conf
</VirtualHost>
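Both virtual-host files above include /etc/apache2/snippets/letsencrypt.conf, which this page never shows. The following is an added example of such a snippet (not the author's file), serving the challenge folder created earlier; the comments cover how it interacts with the permanent redirect in the HTTPS-only stage.

```apache
# /etc/apache2/snippets/letsencrypt.conf (added example, not the original snippet)
# Map the ACME HTTP-01 challenge path onto the webroot certbot writes to (-w /var/www/letsencrypt).
Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/

<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
    # Challenge tokens are plain files: no directory listing, no .htaccess, no handlers.
    Options None
    AllowOverride None
    # The validation server must be able to fetch them unauthenticated.
    Require all granted
    # Serve as plain text and keep tokens out of caches; they are single-use and short-lived.
    ForceType text/plain
    Header set Cache-Control "no-store"
</Directory>

# Caveat for the HTTPS-only stage: mod_alias processes Redirect before Alias within the same
# virtual host, so "Redirect permanent / https://..." in the *:80 host also redirects challenge
# requests. Let's Encrypt follows that redirect, so the *:443 host must serve the challenge
# directory as well: include this snippet in the *:443 host too, or renewal will fail once
# the redirect is in place.
```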

Then reload Apache:

sudo service apache2 reload

Automatic renewal using Cron

According to EFF:

The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire.

Hence, you don't need to worry about creating a cron job for renewal.

Nevertheless, you can test the renewal by running:

certbot renew --dry-run


Congratulations, you should now be able to see your website at

You can now also test that your domain has an A+ SSL rating:

I would also recommend setting up content-specific features like Content Security Policy and Subresource Integrity:

If Let's Encrypt is useful to you, consider donating to Let's Encrypt or donating to the EFF.

Note: Copied and modified from