How to Set Up Let’s Encrypt Certificates for Multiple Apache Virtual Hosts on Ubuntu 16.04
SSL certificates are used within web servers to encrypt the traffic between server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.
This tutorial will show you how to set up TLS/SSL certificates from Let’s Encrypt for securing multiple virtual hosts on Apache. We will also cover how to automate the certificate renewal process using a cron job.
In order to complete this guide, you will need:
- One Ubuntu 16.04 server with a non-root sudo user and a firewall, which you can set up by following our Initial Ubuntu 16.04 server setup guide
- The Apache web server installed and hosting multiple virtual hosts, which you can set up by following this Apache virtual hosts tutorial
For the purpose of this guide, we will install Let’s Encrypt certificates for the domains example.com and test.com. These will be referenced throughout the guide, but you should substitute them with your own domains while following along.
Step 1 — Installing the Let’s Encrypt Client
First, we will download the Let’s Encrypt client from the official repositories. Although the Let's Encrypt project has renamed their client to Certbot, the client included in the Ubuntu 16.04 repositories is simply called letsencrypt.
Update the server's local package indexes and install the client.
- sudo apt-get update
- sudo apt-get install python-letsencrypt-apache
The letsencrypt client is now installed, so next, we'll create the certificates.
Step 2 — Setting Up the Certificates
Generating the SSL certificate for Apache using the Let’s Encrypt client is straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.
Note: It's possible to bundle multiple Let’s Encrypt certificates together, even when the domain names are different. However, it's recommended that you create separate certificates for unique domain names.
As such, you'll need to follow this step multiple times (once for each virtual host). As a general rule of thumb, only subdomains of a particular domain should be bundled together.
The following command takes a list of domain names as parameters after the -d flag. The first domain name listed is the base domain used by Let’s Encrypt to create the certificate. For this reason, we recommend that you pass the bare top-level domain name first, followed by any additional subdomains or aliases.
Start the interactive installation for example.com to create a bundled certificate for that domain.
- sudo letsencrypt --apache -d example.com
After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both http and https access or forcing all requests to redirect to https.
When the installation is finished, you will be able to find the generated certificate files at /etc/letsencrypt/live. You can verify the status of your SSL certificate at https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest, and you can now access your website using an https prefix.
Remember to follow this step again for every domain you're using. Once you've done that, the next step is setting the certificates to renew automatically.
Step 3 — Setting Up Auto-Renewal
Let’s Encrypt certificates are valid for 90 days, but it’s good practice to renew the certificates every 60 days to allow for a margin of error. The Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.
Trigger the renewal process for all installed domains with:
- sudo letsencrypt renew
Because we recently installed the certificate, the command will only check the expiration date and print a message informing you that the certificate is not due for renewal yet. The output should look similar to this:
Output
Processing /etc/letsencrypt/renewal/example.com.conf
Processing /etc/letsencrypt/renewal/test.com.conf
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem (skipped)
  /etc/letsencrypt/live/test.com/fullchain.pem (skipped)
No renewals were attempted.
Notice that if you created a bundled certificate with multiple domains, only the base domain name will be shown in the output, but the renewal should be valid for all domains included in this certificate.
A practical way to ensure your certificates won’t get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day, for instance.
Let's edit the crontab to create a new job that will run the renewal command every week. To edit the crontab for the root user, run:
- sudo crontab -e
You may be prompted to select an editor:
Output
no crontab for root - using an empty one
Select an editor. To change later, run 'select-editor'.
  1. /bin/ed
  2. /bin/nano <---- easiest
  3. /usr/bin/vim.basic
  4. /usr/bin/vim.tiny
Choose 1-4 :
Choose your favorite editor, then append the following content at the end of the crontab, all in one line:
crontab
. . .
30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
This will create a new cron job that will execute the letsencrypt renew command every Monday at 2:30 am. The output produced by the command will be appended to a log file located at /var/log/le-renew.log. For more information on how to create and schedule cron jobs, you can check the How to Use Cron to Automate Tasks in a VPS guide.
Now just save and exit the crontab to finish the setup.
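A cron job that fails quietly leaves certificates to expire, so it helps to check the certificates themselves rather than trusting the log. The following is an added example, not part of the original tutorial: it inspects each fullchain.pem under /etc/letsencrypt/live with openssl and reports those inside a given expiry window. The function name expiring_certs is hypothetical.

```shell
#!/bin/sh
# Added example (not from the tutorial): list certificates that are expired
# or will expire within DAYS days. "expiring_certs" is a hypothetical name.

# Usage: expiring_certs [LIVE_DIR] [DAYS]
# Prints "<domain>: notAfter=<date>" for each certificate inside the window.
# Returns 0 when every certificate is outside the window, 1 otherwise.
expiring_certs() {
    live_dir=${1:-/etc/letsencrypt/live}
    days=${2:-30}
    window=$((days * 86400))   # openssl expects seconds
    status=0

    for cert in "$live_dir"/*/fullchain.pem; do
        [ -f "$cert" ] || continue   # glob matched nothing

        # fullchain.pem holds the leaf followed by intermediates; openssl x509
        # reads the first certificate in the file, which is the leaf.
        # -checkend exits non-zero when the certificate expires within $window.
        if ! openssl x509 -checkend "$window" -noout -in "$cert" >/dev/null 2>&1; then
            end=$(openssl x509 -enddate -noout -in "$cert" 2>/dev/null) \
                || end="notAfter=unreadable"
            echo "$(basename "$(dirname "$cert")"): $end"
            status=1
        fi
    done
    return "$status"
}
```

Because renewal starts 30 days before expiry and the cron job runs weekly, any output from a call such as `expiring_certs /etc/letsencrypt/live 20` means at least one scheduled renewal has already failed for that domain.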
In this guide, we saw how to install free SSL certificates from Let’s Encrypt in order to secure multiple virtual hosts on Apache. We recommend that you check the official Let’s Encrypt blog for important updates from time to time.