How to Install Let’s Encrypt with Apache on Ubuntu 22.04
Securing a website with HTTPS is no longer optional. Modern browsers warn users when websites are served over unencrypted HTTP, and search engines prioritize secure websites in their rankings. Implementing HTTPS not only protects sensitive data exchanged between users and your server but also improves credibility, compliance, and overall security.
Let’s Encrypt is a free, automated Certificate Authority (CA) that issues SSL/TLS certificates at no cost. Combined with Certbot, the official ACME client, obtaining and maintaining trusted certificates on Apache servers becomes a straightforward process.
This guide demonstrates how to install Let’s Encrypt certificates on Ubuntu 22.04 with Apache HTTP Server, configure HTTPS, and enable automatic certificate renewal.
π Prerequisites #
Before proceeding, ensure your environment meets the following requirements:
- Ubuntu 22.04 server
- Apache HTTP Server installed or ready to install
- A registered domain name pointing to your server
- SSH access with either:
- Root privileges, or
- A user account with
sudopermissions
- Ports 80 (HTTP) and 443 (HTTPS) accessible through your firewall
Note: Let’s Encrypt validates domain ownership over the public Internet. Ensure your domain’s DNS records correctly resolve to your server before requesting a certificate.
π Step 1: Update the System #
Always begin by updating the package index and upgrading installed packages.
sudo apt update
sudo apt upgrade -y
Keeping the system current helps ensure compatibility with the latest security patches and Certbot packages.
π Step 2: Install Apache #
If Apache is not already installed, install it using the default Ubuntu package repository.
sudo apt install apache2 -y
After installation, verify that the service is running.
sudo systemctl status apache2
A healthy installation should report output similar to:
β apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service)
Active: active (running)
If Apache is not running, start and enable it.
sudo systemctl enable --now apache2
π Step 3: Enable the Apache SSL Module #
Apache requires the SSL module to serve HTTPS traffic.
First, verify whether the module is already enabled.
apachectl -M | grep ssl
If no output is returned, enable the module.
sudo a2enmod ssl
Restart Apache to apply the changes.
sudo systemctl restart apache2
You can verify that the SSL module is active by running:
apachectl -M | grep ssl
Expected output:
ssl_module (shared)
π¦ Step 4: Install Certbot #
Install Certbot together with the Apache integration plugin.
sudo apt install certbot python3-certbot-apache -y
Once installation completes, verify the installed version.
certbot --version
Example output:
certbot 1.21.0
The exact version may vary depending on the Ubuntu repositories.
π Step 5: Obtain and Install an SSL Certificate #
With Apache and Certbot installed, you can request your first Let’s Encrypt certificate.
Replace example.com with your own domain.
sudo certbot --apache -d example.com
For multiple domains, specify additional -d parameters.
sudo certbot --apache \
-d example.com \
-d www.example.com
During the installation process, Certbot will prompt you to:
- Enter an email address for renewal notifications
- Accept the Let’s Encrypt Terms of Service
- Choose whether to redirect HTTP traffic to HTTPS
Selecting automatic HTTP-to-HTTPS redirection is recommended for most production websites.
Interactive Domain Selection #
If your Apache server hosts multiple virtual hosts, you can simply run:
sudo certbot --apache
Certbot scans your Apache configuration and displays all eligible domains.
Example:
Which names would you like to activate HTTPS for?
1: example.com
2: www.example.com
3: blog.example.com
Select the desired domains, and Certbot will automatically:
- Validate domain ownership
- Download the certificate
- Configure Apache
- Reload the web server
No manual SSL configuration is typically required.
π Step 6: Configure Automatic Renewal #
Let’s Encrypt certificates remain valid for 90 days.
Rather than renewing certificates manually, Certbot installs a systemd timer that periodically checks certificate expiration and renews certificates automatically.
You can verify that renewal is functioning correctly by performing a dry run.
sudo certbot renew --dry-run
A successful test confirms that automatic renewal is correctly configured without modifying existing certificates.
To verify the renewal timer, run:
systemctl list-timers | grep certbot
You should see a scheduled Certbot timer responsible for periodic renewal checks.
β Step 7: Verify HTTPS #
Once installation completes, verify that HTTPS is working correctly.
Open your browser and visit:
https://example.com
A successful configuration should display:
- A secure padlock icon
- A valid SSL certificate
- No browser security warnings
You can also verify the server using the command line.
curl -I https://example.com
Expected response:
HTTP/2 200
server: Apache
To inspect certificate details directly:
echo | openssl s_client -connect example.com:443 \
-servername example.com 2>/dev/null \
| openssl x509 -noout -dates -issuer -subject
This command displays:
- Certificate issuer
- Subject
- Validity period
- Expiration date
π Common Troubleshooting #
Domain Validation Failed #
Verify that your DNS records point to the correct server.
dig example.com
Port 80 Is Blocked #
Let’s Encrypt typically performs HTTP validation over port 80.
Check your firewall configuration.
sudo ufw status
Allow HTTP and HTTPS if necessary.
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Apache Configuration Errors #
Before requesting a certificate, validate the Apache configuration.
sudo apachectl configtest
Expected output:
Syntax OK
Existing Certificate Issues #
List installed certificates.
sudo certbot certificates
Renew certificates manually if needed.
sudo certbot renew
π Security Best Practices #
Installing an SSL certificate is only one part of securing an Apache web server.
Consider implementing additional security measures, including:
- Keep Ubuntu packages updated regularly.
- Enable automatic security updates.
- Disable outdated TLS versions when possible.
- Use strong cipher suites.
- Enable HTTP Strict Transport Security (HSTS).
- Regularly verify certificate expiration.
- Maintain secure backups of server configurations.
Following these practices helps improve the overall security posture of your web infrastructure.
π Conclusion #
Let’s Encrypt and Certbot provide one of the simplest ways to deploy trusted SSL/TLS certificates on Ubuntu servers.
With only a few commands, you can secure Apache with HTTPS, automate certificate renewal, and improve both website security and user confidence.
By combining Apache’s mature web server capabilities with Let’s Encrypt’s automated certificate management, administrators can deploy production-ready HTTPS without purchasing commercial certificates or performing complex manual configuration.
As long as DNS is correctly configured and automatic renewal remains enabled, your Apache server can continue serving encrypted HTTPS traffic with minimal ongoing maintenance.