Installing Apache with Let’s Encrypt on Ubuntu Server 18.04

Before doing any work on your Ubuntu Server, it is good practice to update your software repositories using:

apt update

It’s also worth creating a document root for your new web sites – I generally create a dedicated folder in the root, with web sites and logs folders within:

mkdir /sites
mkdir /sites/logs
mkdir /sites/

To make life easier, make your web site folder reflect your domain name.

Installing Apache

To install Apache we simply use the apt command:

apt install apache2

Once installed you’ll need to do some configuration.

First of all, let’s go to the Apache hosts folder and create a .conf file specific to your new web site.

To keep things simple use the same naming convention you have used for the document root – ensure your config file is named with .conf at the end:

cd /etc/apache2/sites-available


Add the following to your file; you may find it easier to edit this beforehand:

<VirtualHost *:80>


    DocumentRoot    /sites/

    ErrorLog        /sites/logs/
    CustomLog       /sites/logs/ combined

    <Directory /sites/>
        Require all granted
        AllowOverride All
    </Directory>
</VirtualHost>

The only changes you really need to make at this stage are to the domain references, so that they reflect your web site’s name.

Installing Let’s Encrypt

Because the version of Certbot in the Ubuntu repositories can be a little out of date, install directly from the PPA:

add-apt-repository ppa:certbot/certbot

apt install python-certbot-apache

Once installed you can run certbot to get a new certificate – on your first run you will need to enter your email address and opt in/out of some options.


Once you’ve run certbot and got your certificates you can simply check your web site and carry on with your day.

I prefer to tidy up my host files.

Firstly your HTTP config:


<VirtualHost *:80>


    DocumentRoot    /sites/

    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Secondly your HTTPS config:


<IfModule mod_ssl.c>
    <VirtualHost *:443>


        DocumentRoot            /sites/

        ErrorLog                /sites/logs/
        CustomLog               /sites/logs/ combined

        <Directory /sites/>
            Require all granted
            AllowOverride All
        </Directory>

        SSLCertificateFile      /etc/letsencrypt/live/
        SSLCertificateKeyFile   /etc/letsencrypt/live/
        Include                 /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
</IfModule>

Lastly, just to be sure all is still working, reload Apache:

systemctl reload apache2

Cert renewal

It’s a good idea to test your configuration using the following:

certbot renew --dry-run

When certbot is installed it adds a job to cron.d so that any certificate approaching its end of life gets renewed. Let’s Encrypt certificates are valid for 90 days, but the client will automatically renew after 60.

Set up unattended-upgrades on Ubuntu Server 20.04

Setting up your Ubuntu Server to auto upgrade itself is pretty easy and will give you some peace of mind once set up.

As always when you are making changes to your server, make sure to update your software repositories using:

apt update

Once this has completed you can either upgrade any out of date packages or continue with setting up auto-update.

To get started, install the package:

apt install unattended-upgrades

Once complete you will need to configure your system – we’re using vi here but feel free to use your text editor of choice:

vi /etc/apt/apt.conf.d/50unattended-upgrades

By default unattended-upgrades only installs security updates – I generally leave this as it is so a daily update doesn’t affect my system setup.

Find the lines below in the file – in my version they were commented out; uncomment them and set your own preferences:

Unattended-Upgrade::Mail "my@email.address";
Unattended-Upgrade::MailReport "only-on-error";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";

To activate the unattended-upgrades you’ll need to edit a separate file – this one was empty by default for me:

vi /etc/apt/apt.conf.d/20auto-upgrades

Add your own preferences, or simply use the ones I used below – the values equate to days:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

You can test your unattended-upgrades by running the following:

unattended-upgrades --dry-run --debug
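
The dry run exercises the upgrade itself but not the schedule, so the check below parses a 20auto-upgrades file and fails if either setting that drives the daily run is unset, commented out or 0. It is an added example, not part of the original post; the function names and the sample file are made up for illustration, and it assumes the flat `Key "value";` syntax shown above.

```shell
#!/bin/sh
# Added example: audit the APT::Periodic settings from 20auto-upgrades.
# Assumes the flat `Key "value";` form used on this page; function names are hypothetical.

# periodic_value KEY < FILE: print the last value set for APT::Periodic::KEY.
# Lines commented out with // do not match; later settings override earlier ones.
periodic_value() {
    sed -n 's|^[[:space:]]*APT::Periodic::'"$1"'[[:space:]]*"\([^"]*\)";.*|\1|p' | tail -n 1
}

# is_enabled VALUE: an unset value or "0" means the periodic job never runs.
is_enabled() {
    case "$1" in
        ''|0) return 1 ;;
        *)    return 0 ;;
    esac
}

# audit_auto_upgrades FILE: report both settings, return 0 only if both are enabled.
audit_auto_upgrades() {
    conf=$1
    status=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        value=$(periodic_value "$key" < "$conf")
        if is_enabled "$value"; then
            echo "OK   APT::Periodic::$key = $value"
        else
            echo "FAIL APT::Periodic::$key is unset, commented out or 0"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: the list refresh is still commented out, so the audit fails.
sample=$(mktemp)
cat > "$sample" <<'EOF'
// APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF

# Audit the file given as the first argument, or the sample when none is given.
audit_auto_upgrades "${1:-$sample}" || echo "auto-upgrade configuration needs attention"
rm -f "$sample"
```

On a live system `apt-config dump` prints the merged settings from every file in the same form, so its output saved to a file can be audited the same way.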