How To Secure Apache with Let's Encrypt on Ubuntu

Jun 05, 2026

Introduction

How to secure Apache with Let’s Encrypt on Ubuntu: you install Certbot, point Apache at your domain with a virtual host, run sudo certbot --apache, then harden TLS and confirm automatic renewal. When you finish, visitors reach your site over HTTPS with a trusted certificate from Let’s Encrypt, a nonprofit certificate authority operated by the Internet Security Research Group (ISRG).

Let’s Encrypt issues free domain-validated (DV) TLS certificates. Certbot is the recommended ACME client on Ubuntu. It requests the certificate, proves you control the domain, and updates Apache for HTTPS.

This tutorial is for Ubuntu 22.04 LTS, 24.04 LTS (Noble Numbat), and 26.04 LTS (Resolute Raccoon) with Apache 2.4. You use a dedicated virtual host file (not the default site alone). If you still run Ubuntu 20.04, see the Ubuntu 20.04 version of this tutorial.

Version note: Commands were checked against Ubuntu 22.04, 24.04, and 26.04 LTS with Apache from the default repositories. Ubuntu 26.04 LTS shipped in April 2026. Certbot installs through snap per EFF instructions, not the older apt install certbot path. Renewal uses a systemd timer (often snap.certbot.renew.timer on snap installs).

Key takeaways

  • Install Certbot with sudo snap install --classic certbot and link /snap/bin/certbot into your PATH.
  • Apache needs a correct ServerName and ServerAlias in a virtual host before you run sudo certbot --apache.
  • Open HTTPS in UFW with sudo ufw allow 'Apache Full' and remove the plain Apache profile if it is redundant.
  • Let’s Encrypt certificates are valid for 90 days. Certbot renews when a cert is within 30 days of expiry.
  • Harden TLS in /etc/apache2/mods-available/ssl.conf or a custom conf file: disable TLS 1.0/1.1, enable OCSP stapling, and add HSTS with mod_headers.
  • Test renewal with sudo certbot renew --dry-run and inspect /var/log/letsencrypt/letsencrypt.log if something fails.
  • Rate limits apply: see the Let’s Encrypt rate limits (for example, 50 certificates per registered domain per week).
  • On Ubuntu 26.04 LTS, the same snap-based Certbot and Apache paths apply. Confirm versions with lsb_release, apache2 -v, and openssl version.

How Let’s Encrypt certificate issuance works

Here is a simplified flow of how Let’s Encrypt certificate issuance works:

[Figure: Flowchart showing HTTPS traffic from a visitor's browser to Apache using a Let's Encrypt certificate, initial Certbot HTTP-01 validation on port 80 against the Let's Encrypt ACME API, and automatic renewal via a systemd timer]

Figure: Serving HTTPS, first-time certificate issuance with Certbot, and automatic renewal on Ubuntu.

  1. Your browser requests https://your_domain.
  2. Apache presents the certificate from /etc/letsencrypt/live/your_domain/.
  3. When you first run Certbot, it places a temporary challenge file or uses the Apache plugin to prove domain control on port 80.
  4. Let’s Encrypt’s ACME API issues the certificate. Certbot stores the keys on your server (Let’s Encrypt never holds your private key).
  5. A systemd timer runs certbot renew twice per day and renews certs before they expire.

Inbound port 80 must reach your server for HTTP-01 validation unless you use a DNS plugin (the DNS-01 challenge, which wildcard certificates require).

Prerequisites

To follow this tutorial, you need:

  • One Ubuntu 22.04, 24.04, or 26.04 LTS server with a non-root sudo user and a firewall. See Initial Server Setup with Ubuntu. On DigitalOcean Droplets, pick a 26.04 LTS image when you create the VM if you want the newest LTS.
  • A registered domain. This guide uses your_domain as a placeholder.
  • DNS A records for your_domain and www.your_domain pointing to your server’s public IP. See DigitalOcean DNS.
  • Apache installed with a virtual host at /etc/apache2/sites-available/your_domain.conf.
  • Optional: UFW configured.

Verify your environment

Run these checks on the server before you install or renew certificates. They help you confirm you are on a supported LTS release and that Apache is ready.

Check the Ubuntu release:

  1. lsb_release -ds

You should see Ubuntu 22.04.x LTS, Ubuntu 24.04.x LTS, or Ubuntu 26.04.x LTS.

Confirm Apache is installed and note the version (package numbers change with security updates):

  1. apache2 -v

Example first line on current LTS images:

Server version: Apache/2.4.58 (Ubuntu)

Your output may differ on 22.04 or 26.04. Compare with Ubuntu package search for your suite (jammy, noble, or resolute).

Confirm OpenSSL (TLS 1.2 and 1.3 require OpenSSL 1.1.1 or newer; 22.04+ ships OpenSSL 3.x):

  1. openssl version

Confirm Apache is active:

  1. sudo systemctl is-active apache2

You want active. If Apache is not installed, follow How To Install the Apache Web Server on Ubuntu 22.04 first. The same apt install apache2 flow applies on 24.04 and 26.04.

Ubuntu LTS   Codename   Apache in default repos (approx.)
22.04        Jammy      2.4.52 or newer
24.04        Noble      2.4.58 or newer
26.04        Resolute   2.4.x (run apache2 -v on your host)

I have not pinned an exact Apache package revision for 26.04 here because security updates change the build string. Always check apache2 -v on your VM.

Step 1: Installing Certbot

On Ubuntu 22.04, 24.04, and 26.04, the Certbot team recommends the snap package over the default apt Certbot packages.

Install snapd and Certbot

Update packages and install snapd (snapd may already be present on minimal images and on Ubuntu 26.04 cloud images):

  1. sudo apt update
  2. sudo apt install snapd -y

Refresh the snap core runtime before installing Certbot (recommended on new 22.04, 24.04, and 26.04 servers):

  1. sudo snap install core
  2. sudo snap refresh core

Remove any older Certbot packages from apt so the snap binary is used:

  1. sudo apt remove certbot python3-certbot-apache 2>/dev/null || true

Install Certbot from snap:

  1. sudo snap install --classic certbot

Prepare the certbot command (EFF documents this symlink):

  1. sudo ln -sf /snap/bin/certbot /usr/bin/certbot

Confirm the version:

  1. certbot --version

You should see a Certbot version string. The exact number changes as snap updates the package.

Confirm the snap provides the Apache plugin and renewal timer:

  1. sudo certbot plugins

Look for an apache plugin in the list.

  1. snap list certbot
  2. systemctl list-timers --all | grep -i certbot

On snap installs you often see snap.certbot.renew.timer after the first successful certbot --apache run.

Ubuntu 26.04 LTS notes

Ubuntu 26.04 LTS (Resolute Raccoon) uses the same paths as 22.04 and 24.04: /etc/apache2/, a2ensite, apachectl configtest, and the UFW Apache Full profile. Certbot still stores certificates under /etc/letsencrypt/.

If certbot runs the wrong binary, check which copy answers:

  1. which -a certbot

Remove leftover apt packages and keep the symlink at /usr/bin/certbot pointing to /snap/bin/certbot.

Step 2: Checking your Apache virtual host configuration

Certbot reads ServerName and ServerAlias from your virtual host to know which names to include on the certificate.

Open your site file:

  1. sudo nano /etc/apache2/sites-available/your_domain.conf

Confirm these lines exist inside the <VirtualHost *:80> block:

ServerName your_domain
ServerAlias www.your_domain

Enable the site and the required modules if you have not already:

  1. sudo a2ensite your_domain.conf
  2. sudo a2enmod ssl
  3. sudo systemctl reload apache2

Test the syntax before each reload:

  1. sudo apachectl configtest

You want Syntax OK. Fix typos, then reload:

  1. sudo systemctl reload apache2

Step 3: Allowing HTTPS through the firewall

If UFW is active, allow HTTP and HTTPS with the Apache Full application profile.

Check the current rules:

  1. sudo ufw status

If only Apache (port 80) is allowed, add the full profile:

  1. sudo ufw allow 'Apache Full'

Remove the narrower profile when it is redundant:

  1. sudo ufw delete allow 'Apache'

Verify:

  1. sudo ufw status

UFW profile                       Ports opened         Typical use
Apache                            80/tcp               HTTP only
Apache Full                       80/tcp, 443/tcp      HTTP and HTTPS
Apache (v6) / Apache Full (v6)    Same on IPv6         Dual-stack hosts

Renewal uses HTTP-01 on port 80. Keep port 80 open even after HTTPS works.

Step 4: Obtaining an SSL certificate

Run Certbot with the Apache plugin:

  1. sudo certbot --apache

Certbot prompts for:

  1. An email address for renewal and security notices.
  2. Agreement to the Let’s Encrypt Subscriber Agreement.
  3. Optional EFF mailing list signup.
  4. Which hostnames to include (often both your_domain and www.your_domain).

Example success output (dates and paths will differ on your server):

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/your_domain/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/your_domain/privkey.pem
This certificate expires on YYYY-MM-DD.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for your_domain to /etc/apache2/sites-available/your_domain-le-ssl.conf
Successfully deployed certificate for www.your_domain to /etc/apache2/sites-available/your_domain-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://your_domain and https://www.your_domain

Visit https://your_domain in a browser. You should see a lock icon for a valid certificate.

Certificate file locations

Path                                                 Purpose
/etc/letsencrypt/live/your_domain/fullchain.pem      Certificate plus intermediate chain (use in Apache SSLCertificateFile)
/etc/letsencrypt/live/your_domain/privkey.pem        Private key (SSLCertificateKeyFile)
/etc/letsencrypt/live/your_domain/cert.pem           Domain certificate only
/etc/letsencrypt/live/your_domain/chain.pem          Intermediate certificates
/etc/letsencrypt/live/your_domain/README             Notes from Certbot
/etc/letsencrypt/renewal/your_domain.conf            Renewal settings for this cert

Files under live/ are symlinks. Certbot updates them on renewal.

For background on keys and CSRs, see OpenSSL Essentials.

Test with SSL Labs

Run the SSL Labs Server Test against your domain after hardening (Step 5) for an external grade.

Step 5: Hardening TLS and HTTP security headers

Certbot enables HTTPS. You should still disable old protocols and add security headers.

Enable headers module

  1. sudo a2enmod headers

Configure SSL protocols and ciphers

Edit the SSL module configuration:

  1. sudo nano /etc/apache2/mods-available/ssl.conf

Add or update these directives inside the file (comments explain each line):

# Allow TLS 1.2 and 1.3 only. Drop SSLv3, TLS 1.0, and TLS 1.1.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Prefer modern AEAD ciphers. Apache negotiates the best match with clients.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
# Let the client pick the cipher order (recommended for TLS 1.3).
SSLHonorCipherOrder off
# OCSP stapling: Apache attaches revocation status to the handshake.
SSLUseStapling on
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"

Protocol            Apache 2.4 on Ubuntu 22.04/24.04/26.04     Notes
TLS 1.3             Supported (OpenSSL 3.x on 22.04+)          Default on modern clients
TLS 1.2             Supported                                  Minimum for most production sites
TLS 1.1 and below   Disabled with the SSLProtocol line above   Required for strong grades on SSL Labs

Ubuntu 24.04 commonly ships Apache 2.4.58 in the default repos. Ubuntu 22.04 ships 2.4.52 or newer. On 26.04, run apache2 -v and check the resolute suite on packages.ubuntu.com for the current package revision.

Edit the SSL virtual host Certbot created (the name may end in -le-ssl.conf):

  1. sudo nano /etc/apache2/sites-available/your_domain-le-ssl.conf

Inside <VirtualHost *:443>, add:

# Tell browsers to use HTTPS for 1 year, including subdomains.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Reduce MIME sniffing attacks.
Header always set X-Content-Type-Options "nosniff"
# Limit embedding in frames (adjust if you need iframes).
Header always set X-Frame-Options "SAMEORIGIN"

Test and reload:

  1. sudo apachectl configtest
  2. sudo systemctl reload apache2

Certbot often adds an HTTP to HTTPS redirect. Confirm that http://your_domain redirects to https://. For redirect patterns, see How To Create Temporary and Permanent Redirects with Apache.
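To check the Step 2 virtual host requirements and the Step 5 hardening directives together, here is an added audit script (example code, not part of the original tutorial). It greps uncommented lines only, so a commented-out SSLProtocol does not count; the file paths you pass are assumptions, typically sites-available/your_domain.conf and mods-available/ssl.conf.

```shell
#!/bin/sh
# Added example: audit Apache config files for the directives this guide expects.
# Each check prints what is missing; the function returns non-zero if any check fails.

# has_directive FILE REGEX: true if an uncommented line in FILE matches REGEX
has_directive() {
    grep -Eiq "^[[:space:]]*$2" "$1"
}

# Step 2: the :80 virtual host must carry ServerName and ServerAlias,
# otherwise Certbot cannot tell which names to put on the certificate.
check_vhost() {
    fails=0
    has_directive "$1" 'ServerName[[:space:]]+[^[:space:]]+' \
        || { echo "vhost: missing ServerName"; fails=1; }
    has_directive "$1" 'ServerAlias[[:space:]]+[^[:space:]]+' \
        || { echo "vhost: missing ServerAlias"; fails=1; }
    return $fails
}

# Step 5: protocols, OCSP stapling and HSTS. The SSLProtocol check looks for
# the explicit -SSLv3 / -TLSv1 / -TLSv1.1 exclusions the guide uses.
check_tls() {
    fails=0
    if has_directive "$1" 'SSLProtocol[[:space:]]'; then
        has_directive "$1" 'SSLProtocol.*-SSLv3([[:space:]]|$)' \
            || { echo "tls: SSLv3 not disabled"; fails=1; }
        has_directive "$1" 'SSLProtocol.*-TLSv1([[:space:]]|$)' \
            || { echo "tls: TLS 1.0 not disabled"; fails=1; }
        has_directive "$1" 'SSLProtocol.*-TLSv1\.1([[:space:]]|$)' \
            || { echo "tls: TLS 1.1 not disabled"; fails=1; }
    else
        echo "tls: no SSLProtocol directive"; fails=1
    fi
    has_directive "$1" 'SSLUseStapling[[:space:]]+on' \
        || { echo "tls: OCSP stapling not enabled"; fails=1; }
    has_directive "$1" 'Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' \
        || { echo "tls: no HSTS header"; fails=1; }
    return $fails
}

# Optional live probe of your own host after the reload: a TLS 1.1 handshake
# must fail and a TLS 1.2 handshake must succeed. Needs network access, so run it by hand.
probe_tls() {
    openssl s_client -connect "$1:443" -servername "$1" -tls1_1 </dev/null >/dev/null 2>&1 \
        && echo "WARNING: $1 still accepts TLS 1.1"
    openssl s_client -connect "$1:443" -servername "$1" -tls1_2 </dev/null >/dev/null 2>&1 \
        && echo "$1 accepts TLS 1.2"
}
```

Run check_vhost against the :80 site file and check_tls against ssl.conf plus the -le-ssl.conf vhost (the HSTS header lives in the latter), then probe_tls your_domain once Apache has reloaded.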

Step 6: Verifying automatic certificate renewal

Let’s Encrypt certificates expire after 90 days. Certbot installs a systemd timer that runs renewal checks twice per day.

Check the timer (snap installs often use this unit name):

  1. sudo systemctl status snap.certbot.renew.timer

If that unit is missing, try:

  1. sudo systemctl status certbot.timer

List all Certbot timers:

  1. systemctl list-timers | grep -i certbot

Run a dry run:

  1. sudo certbot renew --dry-run

Example success message:

Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/your_domain/fullchain.pem (success)

If renewal fails

  1. Read the log with sudo less /var/log/letsencrypt/letsencrypt.log.
  2. Confirm port 80 is reachable from the internet (UFW and cloud firewalls).
  3. Confirm DNS still points to this server.
  4. Run sudo certbot renew --dry-run again after fixes.

Let’s Encrypt emails the address you registered before certificates expire. Do not rely on email alone for production monitoring.

Troubleshooting common issues

Domain validation failures

  • DNS not propagated: Use dig +short your_domain A and compare the answer to your server IP.
  • Wrong virtual host: ServerName must match the domain you request.
  • Port 80 blocked: HTTP-01 needs inbound TCP 80. On DigitalOcean, check cloud firewalls plus UFW.

Apache errors after Certbot

Run sudo apachectl configtest. Certbot edits files under /etc/apache2/sites-available/. Restore from backup or re-run sudo certbot --apache after fixing ServerName typos.

Certificate rate limit errors

Let’s Encrypt enforces rate limits. The certificates per registered domain limit is 50 per week (see the official docs for current numbers). If you hit a limit, wait for the window to reset or use the staging endpoint while testing:

  1. sudo certbot --apache --staging

Staging certificates are not trusted by browsers. Use them only for tests.

Firewall blocking renewal

Renewal still uses HTTP-01 on port 80 in the default setup. Keep Apache Full or explicit 80/tcp and 443/tcp rules in place.

Let’s Encrypt vs paid certificate authorities

Factor                 Let’s Encrypt                          Paid CA (DigiCert, Sectigo, etc.)
Cost                   Free                                   Annual fee per cert or subscription
Validation             Domain validation (DV)                 DV, OV, or EV options
Certificate lifetime   90 days (automated renewal)            Often 1 year
Wildcard               Yes, via DNS-01 challenge              Yes, often easier with paid support
Support                Community forums and docs              Vendor SLA and phone support
Best fit               Public websites, APIs, homelabs        EV branding, legacy enterprise policies

When Let’s Encrypt fits: you control the server, you automate renewal, and you need standard DV HTTPS.

When a paid CA fits: your organization requires OV/EV seals, specific compliance paperwork, or a vendor support contract.

The CA/Browser Forum has discussed shorter maximum certificate lifetimes in the industry. Automated renewal with Certbot is the practical answer on Ubuntu regardless of future lifetime changes. Watch the Let’s Encrypt blog for policy updates.

FAQs

Here are some commonly asked questions about using Let’s Encrypt on Ubuntu with Apache.

1. How do you use Let’s Encrypt on Ubuntu with Apache?

Install Certbot from snap, configure the Apache ServerName, open ports 80 and 443, then run sudo certbot --apache. Certbot requests the certificate and updates Apache. Renewal runs on a systemd timer.

2. How do you enable SSL in Apache2 on Ubuntu?

Enable mod_ssl with sudo a2enmod ssl, get certificates (Certbot is the usual path), and serve HTTPS on port 443 in a virtual host. Certbot creates your_domain-le-ssl.conf when you use the Apache plugin.

3. How do you enable TLS 1.2 in Apache2?

Set SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 in /etc/apache2/mods-available/ssl.conf. That leaves TLS 1.2 and 1.3 on current Ubuntu builds. Run sudo apachectl configtest before sudo systemctl reload apache2.

4. Is Let’s Encrypt really free?

Yes. Let’s Encrypt does not charge for certificates. ISRG runs the service as a nonprofit. See the Let’s Encrypt FAQ. Rate limits still apply.

5. How long does a Let’s Encrypt certificate last?

90 days by default. Certbot’s timer attempts renewal when a certificate is within 30 days of expiration. Run sudo certbot renew --dry-run to confirm your server renews correctly.

Conclusion

You installed Certbot from snap, obtained a Let’s Encrypt certificate with the Apache plugin, opened HTTPS in UFW, hardened the TLS settings, and confirmed automatic renewal on Ubuntu. Your site now serves trusted HTTPS for your_domain.

For Nginx instead of Apache, follow How To Secure Nginx with Let’s Encrypt on Ubuntu 22.04. For local testing without a public CA, see How To Create a Self-Signed SSL Certificate for Apache in Ubuntu 18.04.

Official references: Certbot documentation and Let’s Encrypt documentation.

What’s next

  • Create an Ubuntu 26.04 LTS Droplet and reuse this guide on a fresh VM.
  • Deploy a full stack with the LAMP tutorial on Ubuntu 22.04 (the Apache and apt steps match 24.04 and 26.04).
  • Point DNS at your Droplet, or automate TLS on App Platform if you prefer managed HTTPS without running Certbot yourself.
  • Read Getting Started with Let’s Encrypt for ACME concepts beyond Apache.

Run Apache on a DigitalOcean Droplet with snapshots and monitoring so you can roll back if a config change breaks HTTPS.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
