Let's Encrypt is a certificate authority that launched on April 12, 2016 that provides free X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.
Let's Encrypt certificates expire every three months, and certbot automatically renews them. After renewing the certificates, you have to reload Apache. This can be automated with a script you put in /etc/letsencrypt/renewal-hooks/post/:
#!/bin/sh
systemctl reload apache2.service
Make it executable:
sudo chmod +x /etc/letsencrypt/renewal-hooks/post/apache2.sh
Create a global configuration file:
SSLProtocol TLSv1.3
Enable it:
sudo a2enconf ssl-ciphers
Create a global configuration file:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" Header always set X-Content-Type-Options "nosniff" Header always set X-Frame-Options "DENY"
Enable it:
sudo a2enmod headers sudo a2enconf headers
sudo systemctl restart apache2.service