{"id":192,"date":"2023-05-26T12:26:17","date_gmt":"2023-05-26T12:26:17","guid":{"rendered":"https:\/\/koner.mywire.org\/?page_id=192"},"modified":"2024-02-11T18:19:18","modified_gmt":"2024-02-11T18:19:18","slug":"how-to-secure-apache-with-lets-encrypt","status":"publish","type":"page","link":"https:\/\/koner.mywire.org\/index.php\/how-to-secure-apache-with-lets-encrypt\/","title":{"rendered":"How To Secure Apache with Let’s Encrypt"},"content":{"rendered":"\n

Let\u2019s Encrypt is a Certificate Authority (CA) that facilitates obtaining and installing free TLS\/SSL certificates<\/a>, thereby enabling encrypted HTTPS on web servers. It streamlines the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.<\/p>\n\n\n\n

In this guide, you\u2019ll use Certbot<\/a> to obtain a free SSL certificate for Apache on Raspberry Pi and make sure this certificate is set up to renew automatically.<\/p>\n\n\n\n

This tutorial uses a separate virtual host file instead of Apache\u2019s default configuration file for setting up the website that will be secured by Let\u2019s Encrypt. We recommend creating new Apache virtual host files for each domain hosted in a server because it helps to avoid common mistakes and maintains the default configuration files as a fallback setup.<\/p>\n\n\n\n

Step 1 \u2014 Installing Certbot<\/a><\/h4>\n\n\n\n

To obtain an SSL certificate with Let\u2019s Encrypt, you need to install the Certbot software on your server. You\u2019ll use the default Ubuntu package repositories for that.<\/p>\n\n\n\n

First, update the local package index:<\/p>\n\n\n\n

sudo apt update<\/strong><\/code><\/pre>\n\n\n\n
You need two packages: certbot<\/code>, and python3-certbot-apache<\/code>. The latter is a plugin that integrates Certbot with Apache, making it possible to automate obtaining a certificate and configuring HTTPS within your web server with a single command:<\/p>\n\n\n\n
sudo apt install certbot python3-certbot-apache<\/strong><\/code><\/pre>\n\n\n\n
You will be prompted to confirm the installation by pressing Y<\/code>, then ENTER<\/code>.<\/p>\n\n\n\n
Certbot is now installed on your server. In the next step, you\u2019ll verify Apache\u2019s configuration to make sure your virtual host is set appropriately. This will ensure that the certbot<\/code> client script will be able to detect your domains and reconfigure your web server to use your newly generated SSL certificate automatically.<\/p>\n\n\n\n
Step 2 \u2014 Checking your Apache Virtual Host Configuration<\/a><\/h4>\n\n\n\n
To automatically obtain and configure SSL for your web server, Certbot needs to find the correct virtual host within your Apache configuration files. Your server domain name(s) will be retrieved from the ServerName<\/code> and ServerAlias<\/code> directives defined within your VirtualHost<\/code> configuration block.<\/p>\n\n\n\n
If you followed the virtual host setup step in How to Setup a Raspberry Pi Apache Web Server<\/a>, you should have a VirtualHost block set up for your domain at \/etc\/apache2\/sites-available\/your_domain<\/mark>.conf<\/code> with the ServerName<\/code> and also the ServerAlias<\/code> directives already set appropriately.<\/p>\n\n\n\n
To confirm this is set up, open the virtual host file for your domain using nano<\/code> or your preferred text editor:<\/p>\n\n\n\n
sudo nano \/etc\/apache2\/sites-available\/your_domain<\/mark>.conf<\/strong><\/code><\/pre>\n\n\n\n
Find the existing ServerName<\/code> and ServerAlias<\/code> lines. They should be listed as follows:<\/p>\n\n\n\n
\/etc\/apache2\/sites-available\/your_domain.conf<\/p>\n\n\n\n
...\nServerName your_domain<\/mark>\nServerAlias www.your_domain<\/mark>\n...\n<\/code><\/pre>\n\n\n\n
If you already have your ServerName<\/code> and ServerAlias<\/code> set up like this, you can exit your text editor and move on to the next step. If your current virtual host configuration doesn\u2019t match the example, update it accordingly. If you\u2019re using nano<\/code>, you can exit by pressing CTRL+X<\/code>, then Y<\/code> and ENTER<\/code> to confirm your changes, if any. Then, run the following command to validate your changes:<\/p>\n\n\n\n
sudo apache2ctl configtest<\/strong><\/code><\/pre>\n\n\n\n
You should receive Syntax OK<\/code> as a response. If you get an error, reopen the virtual host file and check for any typos or missing characters. Once your configuration file\u2019s syntax is correct, reload Apache so that the changes take effect:<\/p>\n\n\n\n
sudo systemctl reload apache2<\/strong><\/code><\/pre>\n\n\n\n
With these changes, Certbot will be able to find the correct VirtualHost block and update it.<\/p>\n\n\n\n
Next, you\u2019ll update the firewall to allow HTTPS traffic.<\/p>\n\n\n\n
Step 3 \u2014 Allowing HTTPS Through the Firewall<\/h4>\n\n\n\n
To allow the Apache Full<\/strong> profile through the firewall on a Raspberry Pi web server using ufw<\/strong><\/code>, you can follow these steps:<\/p>\n\n\n\n
    \n
  1. Enable ufw<\/code>: If ufw<\/code> is not already enabled, enable it by running the following command:<\/li>\n<\/ol>\n\n\n\n
       sudo ufw enable<\/strong><\/code><\/pre>\n\n\n\n
      \n
    1. Allow Apache Full profile: ufw<\/code> comes with predefined application profiles, and the “Apache Full”<\/strong> profile allows both HTTP (port 80) and HTTPS (port 443) traffic. Run the following command to allow the Apache Full profile:<\/li>\n<\/ol>\n\n\n\n
         sudo ufw allow 'Apache Full'<\/strong><\/code><\/pre>\n\n\n\n
      This command enables incoming traffic on ports 80 and 443 for both HTTP and HTTPS.<\/p>\n\n\n\n
        \n
      1. Verify the rules: You can check the status of ufw<\/code> and verify that the Apache Full profile rule is correctly configured by running the following command:<\/li>\n<\/ol>\n\n\n\n
           sudo ufw status<\/strong><\/code><\/pre>\n\n\n\n
        Ensure that the rules allowing ports 80 and 443 are listed in the output, associated with the “Apache Full” profile.<\/p>\n\n\n\n
          \n
        1. Test the HTTP and HTTPS connections: Verify that both HTTP and HTTPS traffic is allowed by accessing your website over both protocols (e.g., http:\/\/yourdomain.com and https:\/\/yourdomain.com) from a client machine. If the connections are successful, it means the firewall is allowing the Apache Full profile.<\/li>\n<\/ol>\n\n\n\n
          Please note that by allowing the Apache Full profile, you’re opening up ports 80 and 443 to incoming traffic, which includes both HTTP and HTTPS. It’s important to ensure that your Apache server is properly configured to handle HTTPS traffic with valid SSL certificates. Additionally, consider implementing other security measures like rate limiting, filtering by source IP, or enabling a Web Application Firewall (WAF) to enhance security for your web server.<\/a><\/p>\n\n\n\n
          Step 4 \u2014 Obtaining an SSL Certificate<\/h4>\n\n\n\n
          To obtain an SSL certificate for your Raspberry Pi web server, you can use Certbot, a popular tool that automates the process of obtaining and installing SSL certificates from Let’s Encrypt. Here’s how you can do it:<\/p>\n\n\n\n
            \n
          1. Install Certbot: Begin by installing Certbot on your Raspberry Pi by running the following commands:\n