How to Install Let’s Encrypt with Apache on Ubuntu 20.04 / Debian 11 / Linux Mint


Let’s Encrypt is a certificate authority created by the Internet Security Research Group (ISRG). It provides free SSL certificates through an automated process designed to eliminate manual certificate creation, validation, installation, and renewal.

Certificates issued by Let’s Encrypt are valid for 90 days from the date of issue and are trusted by all major browsers today.


Install Certbot

sudo apt update
sudo apt install certbot

Generate DH parameters

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Configure the Let’s Encrypt SSL certificate

  • Create a new directory
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
  • Create the config files
sudo nano /etc/apache2/conf-available/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

sudo nano /etc/apache2/conf-available/ssl-params.conf
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" 

Header always set Strict-Transport-Security "max-age=63072000"
  • Enable module
sudo a2enmod ssl
sudo a2enmod headers
  • Enable SSL config
sudo a2enconf letsencrypt
sudo a2enconf ssl-params
sudo a2enmod http2
  • Reload the Apache service
sudo systemctl reload apache2
  • Run certbot to obtain the SSL certificate for the domain
sudo certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com


 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2020-10-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  • Edit the virtual host
sudo nano /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  Protocols h2 http/1.1

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  DocumentRoot /var/www/example.com/public_html
  ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
  CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

  # Other Apache Configuration

</VirtualHost>

  • Reload service
sudo systemctl reload apache2

Test SSL

You can check your domain's SSL configuration with the web tool https://www.ssllabs.com/ssltest/
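
Before running the external test, the ssl-params.conf file from this guide can be checked locally. The script below is an added example, not part of the original tutorial: the function names are this example's own, the expected values are the ones this guide sets, and the six-month HSTS minimum is an assumption.

```shell
#!/bin/sh
# Added example: offline check of ssl-params.conf against the values this guide sets.
MIN_HSTS=15768000   # assumption: require at least ~6 months of HSTS

# Print the arguments of the last uncommented NAME directive in FILE.
directive_value() {
    awk -v n="$2" 'tolower($1) == tolower(n) { $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$1"
}

fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

# Expect directive $1 to have value $2 (compared case-insensitively).
expect() {
    val=$(directive_value "$conf" "$1" | tr '[:upper:]' '[:lower:]')
    [ "$val" = "$2" ] || fail "$1 is '${val:-unset}', expected '$2'"
}

# Audit FILE; prints one FAIL line per problem, returns non-zero if any check failed.
audit_ssl_params() {
    conf=$1; fails=0
    proto=$(directive_value "$conf" SSLProtocol)
    for p in SSLv3 TLSv1 TLSv1.1; do
        case " $proto " in
            *" -$p "*) ;;                      # explicitly disabled
            "  "|*" all "*|*" $p "*|*" +$p "*) fail "SSLProtocol does not disable $p" ;;
        esac
    done
    expect SSLSessionTickets off
    expect SSLUseStapling on
    # mod_ssl needs a stapling cache whenever stapling is enabled.
    [ -n "$(directive_value "$conf" SSLStaplingCache)" ] || fail "SSLStaplingCache is not set"
    hsts=$(grep -i '^[[:space:]]*Header.*Strict-Transport-Security' "$conf" |
           sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    if [ -z "$hsts" ]; then fail "no Strict-Transport-Security header"
    elif [ "$hsts" -lt "$MIN_HSTS" ]; then fail "HSTS max-age $hsts is below $MIN_HSTS"
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample: a weakened variant of the guide's file (TLSv1.1 left on, short HSTS).
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLProtocol             all -SSLv3 -TLSv1
SSLSessionTickets       off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Header always set Strict-Transport-Security "max-age=300"
EOF
audit_ssl_params "$sample" || echo "ssl-params.conf needs fixing"
rm -f "$sample"
```

To check the real file, call audit_ssl_params /etc/apache2/conf-available/ssl-params.conf, then run sudo apachectl configtest before reloading.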

Auto-renewing Let’s Encrypt SSL certificate

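  • Create the file
sudo nano /etc/cron.d/certbot
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"
Note: on a host booted with systemd, /run/systemd/system exists, so the test in this entry is false and the cron job exits without running certbot; renewal there is handled by the certbot package's systemd timer (certbot.timer), which does not use the --renew-hook given here.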
  • Test renewal
sudo certbot renew --dry-run


