How to setup Let’s Encrypt certificates on Ubuntu with Certbot


Let’s Encrypt® has literally changed the way we obtain, install and use SSL certificates. With its automated procedures, as you’ll see in just a few seconds, everyone can get free SSL certificates from Let’s Encrypt and install them in a matter of minutes, automatically.

Installing an SSL certificate can be daunting, but it’s really not that difficult to install a Let’s Encrypt certificate using Certbot. Without further ado, let’s begin:

Before starting

Important
I take absolutely NO responsibility for what you do with your machine; use this tutorial as a guide and remember you can cause data loss if you touch things carelessly.

I will assume you:

  • know what Let’s Encrypt is.
  • have basic command line skills.
  • know what SSL is.
  • have shell access (direct or SSH) to your web server.
  • already have your web server up and running.
  • already have configured your firewall to open ports 80 and 443.
  • own the domain name(s) you will configure (if not don’t try to obtain a certificate…)
Warning!
Let’s Encrypt has rate limits in place to prevent inappropriate usage of the CA. There’s a limit on the number of attempts you can make before getting a temporary ban. During this setup, if things go wrong, I suggest you use the --staging option to avoid the temporary ban. The --staging option will use a testing server and will not issue valid certificates. When you have completed the procedure against the test server successfully, you can remove the --staging option to obtain the real certificate.

Install Certbot

Before you can actually get a Let’s Encrypt certificate you need to install Certbot. Certbot is the official Let’s Encrypt client and also the easiest way to get a certificate. Open up a terminal and type the commands appropriate for your Ubuntu installation:

  • Ubuntu 16.04
  • Ubuntu >= 14.04
  • Other/Older Ubuntu

Now, in all the cases except “Other/Older Ubuntu” you need to install the plugin associated with your web server. Certbot currently supports multiple plugins:

  • Apache: install the following package:
  • Nginx: install the following package:
  • Other web server: since Certbot currently has official plugins only for Apache and Nginx, you already have everything you need, but you will need to follow the manual procedure.

Set up Let’s Encrypt certificate on Apache

If your site is running the Apache web server, you can use the Certbot Apache plugin we installed earlier to automatically obtain and install your certificate:

The interactive procedure will guide you through all the information needed to sign the certificate. Optionally, if you have multiple virtual hosts/domains configured, Certbot will ask you to select the domains included in the new certificate.

If you don’t trust Certbot to install your certificate automatically, you can generate the certificate only (and install it manually later) using the following command:

Here’s the output for a successful certificate issued:

Set up Let’s Encrypt certificate on Nginx

Tip!
If you have multiple different domains, which means at least two server blocks, you might find that using the Certbot Nginx plugin isn’t the best choice. Instead you can use the webroot plugin described later in the guide.

If your site is running the Nginx web server, you can use the Certbot Nginx plugin we installed earlier to automatically obtain and install your certificate:

The interactive procedure will guide you through all the information needed to sign the certificate.

If you don’t trust Certbot to install your certificate automatically, you can generate the certificate only (and install it manually later) using the following command:

Here’s the output for a successful certificate issued:

Set up Let’s Encrypt certificate using the Certbot webroot plugin

If you can’t or don’t want to use a specific plugin for your web server, you can still obtain a certificate using the webroot plugin. This plugin simply places the files needed to complete the authentication challenge in the selected directory, where your existing web server serves them over HTTP. Although this method works with virtually every web server out there, the downside is that you will have to install the certificate manually.

To obtain a certificate through the webroot plugin do:

This example (taken from the official Certbot site) will request a certificate for example.com and www.example.com using the /var/www/example directory. If the procedure is successful you will get the certificate, but you will need to install it in your web server manually.
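The following preflight script is an added example, not code from the original post or from the Certbot project. It creates the directory the webroot plugin writes into, drops a constructed probe file there and prints the URL Let’s Encrypt would fetch, so you can confirm with curl that the path is served on port 80 before spending a rate-limited issuance attempt; it also builds the certbot command line (certonly, --webroot, -w, -d and --staging are Certbot’s documented flags, assumed here) with the --staging option for the test run:

```shell
#!/bin/sh
# Preflight for the Certbot webroot procedure (added example). A probe file
# under <webroot>/.well-known/acme-challenge/ must be reachable over plain
# HTTP for the validation to succeed, so check that before asking the CA.
set -eu

# acme_probe <webroot> <domain>: create .well-known/acme-challenge under the
# webroot, write a probe token and print the URL to test with curl.
# Returns 1 if the directory is not writable, which would also make Certbot fail.
acme_probe() {
    local webroot="$1" domain="$2"
    local dir="$webroot/.well-known/acme-challenge"
    local token="certbot-preflight-$$"    # constructed marker, not a real ACME token
    mkdir -p "$dir" || return 1
    printf 'ok\n' > "$dir/$token" || return 1
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$domain" "$token"
}

# webroot_cmd <webroot> <staging 0|1> <domain>...: build the certbot command
# for this procedure. With staging=1 the --staging flag sends the request to
# Let's Encrypt's test CA, which does not count against production rate limits
# and does not issue browser-trusted certificates; drop it for the real run.
webroot_cmd() {
    local webroot="$1" staging="$2"
    shift 2
    local cmd="certbot certonly --webroot -w $webroot"
    if [ "$staging" = 1 ]; then cmd="$cmd --staging"; fi
    for d in "$@"; do cmd="$cmd -d $d"; done
    printf '%s\n' "$cmd"
}

# Example run: ./preflight.sh /var/www/example example.com www.example.com
if [ "$#" -ge 2 ]; then
    webroot="$1"
    shift
    acme_probe "$webroot" "$1"
    echo "Then run (staging first): $(webroot_cmd "$webroot" 1 "$@")"
fi
```

Fetch the printed URL with curl from outside your network; if it does not return "ok", fix the web server configuration before running certbot, and remove --staging only once the staging run succeeds.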

Automating renewal with cron

Whatever procedure you followed, you now have your certificate. Since Let’s Encrypt certificates are short-lived (90 days) you should renew them before they expire. You can do this manually (every 90 days) or you can automate the process using cron and the Certbot client.

Before actually setting up the auto renewal process, you may want to test the renewal with the following command:

If the certificate is installed correctly and everything is in order, near the end you will get a message similar to this and you may proceed:

How to set up Certbot cron

  • If you installed the Certbot package using apt – good news! You don’t have to set up a Certbot cron job because it is already set up for you.
  • If you installed Certbot manually (for older/other versions of Ubuntu) – you will have to set up the Certbot cron job yourself. Fear not, it is an easy set-and-forget procedure.

To automatically set up cron to renew the certificate you can simply do:

This cron job will run twice daily, but won’t renew the certificates unless they’re about to expire.
