Setup SSL (HTTPS) with Apache

How to set up HTTPS with Let's Encrypt.

Generate Certificate

Locally Generated (Self-Signed)

The certificate can be generated locally with the command below. While this is technically a way to implement SSL, the local authority is not trusted by any browser, so visitors will get a warning. In practice, I suggest acquiring the certificate from a CA.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/certs/cert.key -out 


From CA (Certificate Authority)

A free certificate can be requested from Let's Encrypt.
By following the instructions for Certbot, the certificate can be generated easily.
Below are the instructions for Apache on Ubuntu 16.04.

apt update
apt install software-properties-common
add-apt-repository ppa:certbot/certbot
apt update
apt install python-certbot-apache 
certbot --apache            # obtain the certificate and let certbot configure Apache
certbot --apache certonly   # only generate the certificate

The resulting files are located in /etc/letsencrypt/live/$domain (Documentation)


Testing renewal

certbot renew --dry-run


certbot renew

Configure Apache

<VirtualHost *:80>

    #Force http to https, previously used
    #Redirect permanent /
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>


   #SSLEngine on
   #SSLCertificateFile /etc/letsencrypt/live/ 
   #SSLCertificateKeyFile /etc/letsencrypt/live/

   #RequestHeader set X-Forwarded-Proto "https"

   SSLCertificateFile /etc/letsencrypt/live/
   SSLCertificateKeyFile /etc/letsencrypt/live/
   Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Apache Modules

sudo a2enmod ssl headers
sudo service apache2 restart
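
Before restarting Apache it is worth confirming that the files given to SSLCertificateFile and SSLCertificateKeyFile belong together, are not close to expiry, and were not generated locally. The script below is an added example, not part of the original instructions; the function names, the CN=example.test sample pair and the 30-day warning threshold are assumptions.

```bash
#!/usr/bin/env bash
# Added example: checks for the files named by SSLCertificateFile and
# SSLCertificateKeyFile. Function names and thresholds are assumptions.

# True when subject and issuer are the same name (locally generated
# certificate): browsers will warn about it.
is_self_issued() {
    local subj iss
    subj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ "$subj" = "$iss" ]
}

# True when the private key belongs to the certificate (same public key).
key_matches_cert() {
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# True when the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Print a report; a non-zero status means Apache should not be restarted yet.
check_tls_pair() {
    local cert="$1" key="$2" days="${3:-30}" rc=0
    key_matches_cert "$cert" "$key" || { echo "FAIL: key does not match certificate"; rc=1; }
    valid_for_days "$cert" 0 || { echo "FAIL: certificate expired or unreadable"; rc=1; }
    valid_for_days "$cert" "$days" || echo "WARN: expires within $days days, run certbot renew"
    is_self_issued "$cert" && echo "WARN: self-issued, browsers will not trust it"
    return "$rc"
}

# Constructed sample: throwaway self-signed pair for CN=example.test.
make_sample_pair() {   # $1 = directory, $2 = validity in days
    openssl req -x509 -nodes -days "$2" -newkey rsa:2048 -subj "/CN=example.test" \
        -keyout "$1/cert.key" -out "$1/cert.crt" >/dev/null 2>&1
}

# Demo on the constructed pair: a 10-day certificate triggers both warnings.
demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir" 10
check_tls_pair "$demo_dir/cert.crt" "$demo_dir/cert.key" 30
rm -rf "$demo_dir"
```

On a real host, point check_tls_pair at the certbot output instead, for example fullchain.pem and privkey.pem under /etc/letsencrypt/live/$domain.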

DNS Challenge

It can be used when the automatic challenge fails.
The manual method verifies domain ownership through a DNS modification: adding a TXT record.
You are required to have access to the DNS.

certbot -d --manual --preferred-challenges dns certonly

Update Registered Email

certbot register --update-registration --email <EMAIL>

Delete Certificate

certbot delete


Make sure port 443 is open to the public.


pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3