How to Set Up Let’s Encrypt Certificates for Multiple Apache Virtual Hosts on Ubuntu 16.04
SSL certificates are used within web servers to encrypt the traffic between server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.
This tutorial will show you how to set up TLS/SSL certificates from Let’s Encrypt for securing multiple virtual hosts on Apache. We will also cover how to automate the certificate renewal process using a cron job.
In order to complete this guide, you will need:
- One 16.04 server with a non-root sudo user and a firewall, which you can set up by following our Initial Ubuntu 16.04 server setup tutorial guide
- The Apache web server installed and hosting multiple virtual hosts, each with their own config file, which you can set up by following this Apache virtual hosts tutorial.
For the purpose of this guide, we will install Let’s Encrypt certificates for the domains
test.com. These will be referenced throughout the guide, but you should substitute them with your own domains while following along.
Step 1 — Installing the Let’s Encrypt Client
Let's Encrypt certificates are fetched via client software running on your server. The official client is called Certbot, and its developers maintain their own Ubuntu software repository with up-to-date versions. Because Certbot is in such active development it's worth using this repository to install a newer version than Ubuntu provides by default.
First, add the repository:
- sudo add-apt-repository ppa:certbot/certbot
You'll need to press
ENTER to accept. Afterwards, update the package list to pick up the new repository's package information:
- sudo apt-get update
And finally, install Certbot from the new repository with
- sudo apt-get install python-certbot-apache
certbot Let's Encrypt client is now ready to use. Next, we'll create the certificates.
Step 2 — Setting Up the Certificates
Generating the SSL certificate for Apache is straightforward. Certbot will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.
Note: It's possible to bundle multiple Let’s Encrypt certificates together, even when the domain names are different. However, it's recommended that you create separate certificates for unique domain names.
As such, you'll need to follow this step multiple times (once for each virtual host). As a general rule of thumb, only subdomains of a particular domain should be bundled together.
The following command takes a comma-separated list of domain names as parameters after the
-d flag. The first domain name listed is the base domain used by Certbot to create the certificate. For this reason, we recommend that you pass the bare top-level domain name first, followed by any additional subdomains or aliases.
Start the interactive installation for
example.com to create a bundled certificate for that domain:
- sudo certbot --apache -d example.com
You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both
https access or forcing all requests to redirect to
https. It's more secure to force
https, so you should choose that unless you have a specific need to allow both.
When the installation is finished, you will be able to find the generated certificate files at
/etc/letsencrypt/live. You can verify the status of your SSL certificate at
https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest, and you can now access your website using a
Remember to follow this step again for every domain you're using. Once you've done that, the next step is setting the certificates to renew automatically.
Step 3 — Setting Up Auto-Renewal
Let's Encrypt's certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. We'll need to set up a regularly run command to check for expiring certificates and renew them automatically.
To run the renewal check daily, we will use
cron, a standard system service for running periodic jobs. We tell
cron what to do by opening and editing a file called a
- sudo crontab -e
Your text editor will open the default crontab which is a text file with some help text in it. Paste in the following line at the end of the file, then save and close it:
. . . 15 3 * * * /usr/bin/certbot renew --quiet
15 3 * * * part of this line means "run the following command at 3:15 am, every day". You may choose any time.
renew command for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days.
--quiet tells Certbot not to output information nor wait for user input.
cron will now run this command daily. Because we installed our certificates using the
--apache plugin, Apache will also be reloaded to ensure the new certificates are used.
In this guide, we saw how to install free SSL certificates from Let’s Encrypt in order to secure multiple virtual hosts on Apache. We recommend that you check the official Let’s Encrypt blog for important updates from time to time.