HTTPS/SSL

In this tutorial, I want to show how you can configure apache2 to use SSL by requesting a certificate from Let's Encrypt via Certbot.

Requirements

  • A server with apache2 installed
  • A domain/subdomain pointing to the IP address of the server

I’ve chosen pmcp.bga.sh as my domain; 135.181.250.202 is the IP of the server.

Installing certbot

Certbot is available in most Linux distributions. We will also install the Apache plugin package, which lets certbot automatically obtain, verify and install a certificate for apache2.

$ sudo apt install certbot python3-certbot-apache

After installing certbot, we only need to execute one command for everything to work:

$ certbot --apache -d pmcp.bga.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): me@bennetgallein.de

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for pmcp.bga.sh

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/pmcp.bga.sh/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/pmcp.bga.sh/privkey.pem
This certificate expires on 2024-10-31.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for pmcp.bga.sh to /etc/apache2/sites-available/000-default-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://pmcp.bga.sh

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Our certificate has been created successfully. If we now reload the page, we should see that http is redirected to https and the page isn’t flagged as insecure any more.

Renewal

Certbot automatically installs a timer into the operating system so that certificates are renewed without manual intervention. You can verify this by listing all the timers:

$ systemctl list-timers --all
NEXT                        LEFT           LAST PASSED UNIT                         ACTIVATES                     
Fri 2024-08-02 16:19:41 UTC 3min 30s left  -    -      systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Sat 2024-08-03 00:00:00 UTC 7h left        -    -      dpkg-db-backup.timer         dpkg-db-backup.service
Sat 2024-08-03 00:00:00 UTC 7h left        -    -      logrotate.timer              logrotate.service
Sat 2024-08-03 01:36:59 UTC 9h left        -    -      apt-daily.timer              apt-daily.service
Sat 2024-08-03 05:31:05 UTC 13h left       -    -      man-db.timer                 man-db.service
Sat 2024-08-03 06:12:09 UTC 13h left       -    -      apt-daily-upgrade.timer      apt-daily-upgrade.service
Sat 2024-08-03 09:06:59 UTC 16h left       -    -      certbot.timer                certbot.service
Sun 2024-08-04 03:10:06 UTC 1 day 10h left -    -      e2scrub_all.timer            e2scrub_all.service
Mon 2024-08-05 01:03:50 UTC 2 days left    -    -      fstrim.timer                 fstrim.service

or by checking the certbot.timer directly:

$ sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; preset: enabled)
     Active: active (waiting) since Fri 2024-08-02 16:13:15 UTC; 3min 21s ago
    Trigger: Sat 2024-08-03 08:09:59 UTC; 15h left
   Triggers: ● certbot.service

Aug 02 16:13:15 debian-4gb-hel1-2 systemd[1]: Started certbot.timer - Run certbot twice daily.
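
An active timer only shows that renewal is scheduled, not that it succeeds. The following script is an added example (not part of the original tutorial) that reads the expiry date from the deployed certificate and flags it once it is inside the window in which Certbot should already have renewed it. The function names and the 30-day window (Certbot's usual default for 90-day certificates) are assumptions, as is GNU date as shipped with Debian.

```bash
# Added example: check how long the deployed certificate is still valid.
# Assumptions: GNU date, openssl installed, and a 30-day renewal window
# (Certbot's usual default for 90-day certificates).

RENEW_WINDOW=$((30 * 86400))

# secs_left NOTAFTER [NOW_EPOCH]
# NOTAFTER is the line printed by `openssl x509 -enddate -noout`,
# e.g. "notAfter=Oct 31 12:00:00 2024 GMT" (constructed sample).
secs_left() {
    not_after=${1#notAfter=}
    now=${2:-$(date +%s)}
    end=$(date -u -d "$not_after" +%s) || return 2
    echo $((end - now))
}

# renewal_state SECONDS_LEFT -> ok | overdue | expired
# "overdue" means the timer should already have renewed the certificate.
renewal_state() {
    if [ "$1" -le 0 ]; then
        echo expired
    elif [ "$1" -lt "$RENEW_WINDOW" ]; then
        echo overdue
    else
        echo ok
    fi
}

# check_cert PEM_FILE: prints a summary, returns non-zero unless state is ok.
check_cert() {
    line=$(openssl x509 -enddate -noout -in "$1") || return 2
    left=$(secs_left "$line") || return 2
    state=$(renewal_state "$left")
    echo "$1: $((left / 86400)) days left, state: $state"
    [ "$state" = ok ]
}

# Runs only when a certificate path is given (root is needed to read it), e.g.
#   sudo sh check-cert.sh /etc/letsencrypt/live/pmcp.bga.sh/fullchain.pem
if [ "$#" -gt 0 ]; then
    check_cert "$1"
fi
```

If the state is overdue, `sudo certbot renew --dry-run` exercises the renewal path without replacing the certificate.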