Install and Configure Apache with Free SSL on AWS EC2 Ubuntu Instance Using Certbot

June 11, 2025

This comprehensive guide walks you through installing Apache web server on Ubuntu/Debian and securing it with a free SSL/TLS certificate from Let's Encrypt using Certbot.

Prerequisites

Before starting, ensure you have:

  • An Ubuntu/Debian server with sudo privileges
  • A registered domain name pointing to your server's IP address
  • Ports 80 and 443 open in your firewall

Step 1: Update Your System

Start by refreshing your package index so that apt installs the latest available package versions:

sudo apt update

Step 2: Install Apache Web Server

Install the Apache HTTP server package:

sudo apt install apache2

Step 3: Verify Apache Installation

Check if Apache is running properly:

sudo systemctl status apache2

If the service shows as "active (running)", Apache is working correctly. If not, proceed to the next step.

Step 4: Start Apache Service (If Needed)

If Apache isn't running, start it manually:

sudo systemctl start apache2

Step 5: Enable Apache Auto-Start

Configure Apache to start automatically when your server boots:

sudo systemctl enable apache2

Step 6: Test Apache Installation

Open your web browser and navigate to your server's public IP address or domain name. You should see the Apache2 Ubuntu Default Page, confirming that Apache is serving web pages correctly.

Step 7: Install Certbot for SSL Certificate

Install Certbot and the Apache plugin to obtain and manage SSL certificates:

sudo apt install certbot python3-certbot-apache

Step 8: Obtain SSL Certificate

Request an SSL certificate for your domain. Replace example.com with your actual domain name:

sudo certbot --apache -d example.com -d www.example.com

Important: Make sure your domain's DNS records are properly configured and pointing to your server before running this command.

Step 9: Complete Certbot Configuration

During the certificate installation, Certbot will prompt you for:

  1. Email address: Required for certificate renewal notifications
  2. Terms of Service: You must agree to Let's Encrypt's terms
  3. HTTP to HTTPS redirect: Choose whether to redirect all HTTP traffic to HTTPS (recommended)

Certbot will automatically configure your Apache virtual host files to use the new SSL certificate.

Step 10: Verify SSL Configuration

Test your SSL installation by visiting your website using HTTPS:

https://example.com

Look for the padlock icon in your browser's address bar, which indicates a secure connection.

Step 11: Confirm Automatic Renewal

Let's Encrypt certificates are valid for 90 days. Verify that automatic renewal is configured:

sudo systemctl status certbot.timer

The timer should show as "active (waiting)", ensuring your certificates will renew automatically.

Verification and Testing

Test Certificate Renewal

You can test the renewal process without actually renewing:

sudo certbot renew --dry-run

Check SSL Certificate Details

View your certificate information:

sudo certbot certificates

Troubleshooting

Verify DNS Configuration

If certificate installation fails, verify your DNS records are correct:

nslookup www.example.com

Or use dig for more detailed information:

dig example.com A
dig www.example.com A

Common Issues

  • DNS not propagated: Wait 24-48 hours after changing DNS records
  • Firewall blocking: Ensure ports 80 and 443 are open
  • Domain validation failed: Check that your domain points to the correct IP address

Security Best Practices

  1. Regular Updates: Keep Apache and your system updated
  2. Strong SSL Configuration: Consider using tools like SSL Labs to test your SSL configuration
  3. Security Headers: Add security headers to your Apache configuration
  4. Regular Certificate Monitoring: Monitor certificate expiration dates
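
One way to act on item 4, and to catch a renewal timer from Step 11 that has silently stopped working, is a small check that reads the certificate's expiry date and exits non-zero when renewal is overdue. This is an added example, not part of the original guide; the script name check-cert.sh and the 30-day threshold are assumptions, and it relies on GNU date as shipped with Ubuntu/Debian.

```bash
#!/bin/sh
# Added example: flag a certificate that automatic renewal should already
# have replaced. Assumes GNU date (Ubuntu/Debian) and openssl on the PATH.

# Print the notAfter date of a PEM certificate, e.g. "Sep  9 12:00:00 2025 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Whole days (rounded down) from now until the notAfter date given in $1.
# $2 is an optional "now" in epoch seconds, so the logic can be tested.
days_left() (
    end=$(date -u -d "$1" +%s) || exit 2
    now=${2:-$(date -u +%s)}
    diff=$(( end - now ))
    # Shell division truncates toward zero; shift negative values so that a
    # certificate that expired one second ago reports -1, not 0.
    if [ "$diff" -lt 0 ]; then diff=$(( diff - 86399 )); fi
    echo $(( diff / 86400 ))
)

# Classify the days left. The threshold ($2, assumed 30 here) is the point by
# which automatic renewal should already have replaced the certificate.
cert_state() {
    if [ "$1" -lt 0 ]; then
        echo EXPIRED
    elif [ "$1" -lt "${2:-30}" ]; then
        echo RENEWAL_OVERDUE
    else
        echo OK
    fi
}

# Usage (hypothetical script name):
#   sudo sh check-cert.sh /etc/letsencrypt/live/example.com/fullchain.pem
# Exits non-zero unless the state is OK, so cron or a monitor can alert on it.
if [ -n "${1:-}" ]; then
    not_after=$(cert_not_after "$1")
    [ -n "$not_after" ] || { echo "cannot read certificate: $1" >&2; exit 2; }
    days=$(days_left "$not_after") || exit 2
    state=$(cert_state "$days")
    echo "$1: $state ($days days left, expires $not_after)"
    [ "$state" = OK ] || exit 1
fi
```

A RENEWAL_OVERDUE result while certbot.timer still shows "active (waiting)" means renewals are being attempted but failing, which sudo certbot renew --dry-run will usually explain.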

Conclusion

Your Apache web server is now successfully configured with SSL/TLS encryption. Your website is accessible securely over HTTPS, and certificate renewal is automated. Visitors to your site will see the secure padlock indicator, building trust and ensuring data protection.

Remember to keep your system updated and monitor your SSL certificate status regularly for optimal security.