In this post we will see how to get an SSL certificate for our Apache or Nginx server with Certbot from Let’s Encrypt.

Prerequisites

  • An Ubuntu or Debian server (tested on Ubuntu 18.04 and Debian 10) to which you have SSH access with root or sudo privileges.

    You can follow the SSH Server & UFW Configure guide to set up SSH best practices and configure a basic firewall.

  • A fully registered domain name for the server: example.org or www.example.org

  • Both of the following DNS records set up for your server:
      - An A record with example.org pointing to your server’s public IP address.
      - An A record with www.example.org pointing to your server’s public IP address.
      - Optionally, the same settings for the AAAA records for IPv6.

    You can follow the Duck DNS guide to get a free *.duckdns.org domain and see how to configure the DNS records.

  • Apache or Nginx installed and configured with a Virtual Host File (for Apache) or Server Block (for Nginx) for your domain.
      - For Apache, we will use /etc/apache2/sites-available/your_domain.conf as an example.
      - For Nginx, we will use /etc/nginx/sites-available/example.org as an example.

    You can follow the LAMP Install and Wordpress Install guides to see how to install Apache and create a Virtual Host File.

    You can follow the Nginx Install guide to see how to install Nginx and create a Server Block.

Installing Certbot

The Certbot packages for Debian and Ubuntu are a little bit outdated, so we can add the Certbot PPA to get the latest version.

Keep in mind that we don’t have to get the latest version, the one in the default packages will work just fine.

Add the certbot repository:

sudo add-apt-repository ppa:certbot/certbot

You’ll need to press ENTER to accept.

For Apache

Install Certbot Apache package:

sudo apt install python3-certbot-apache

For Nginx

Install Certbot Nginx package:

sudo apt install python3-certbot-nginx

Confirming Apache’s and Nginx’s Configuration

For Apache

Certbot works by finding the correct VirtualHost block in the Apache configuration in order to generate an SSL certificate. It does this by looking for the ServerName directive that matches the domain you request a certificate for.

If you only have one ServerName directive in the Apache configuration files under /etc/apache2/sites-available, Certbot will automatically generate a certificate for that domain. If you have more ServerName directives, you will have to specify the domain to certbot.

If you have configured Apache correctly, you should have a /etc/apache2/sites-available/example.org configuration file with the ServerName directive set appropriately, as in the Wordpress Install guide.

To check you should open the configuration file:

cat /etc/apache2/sites-available/example.org

and see the following lines:

#...
ServerName example.org
ServerAlias www.example.org
#...

If not, update the config file by editing these lines and adding your domain and alias.

Make sure we don’t have syntax errors:

sudo apache2ctl configtest

If the output contains an AH00558 message, ignore it. We only care about the Syntax OK message.

And restart Apache:

sudo systemctl restart apache2

For Nginx

Certbot works by finding the correct server block in the Nginx configuration in order to generate an SSL certificate. It does this by looking for the server_name directive that matches the domain you request a certificate for.

If you only have one server_name directive in the Nginx configuration files under /etc/nginx/sites-available, Certbot will automatically generate a certificate for that domain. If you have more server_name directives, you will have to specify the domain to certbot.

If you have configured Nginx correctly, you should have a /etc/nginx/sites-available/example.org configuration file with the server_name directive set appropriately, as in the Nginx Install guide.

To check you should open the configuration file:

cat /etc/nginx/sites-available/example.org

and see the following line:

#...
server_name example.org www.example.org;
#...

If not, update the config file by editing this line and adding your domain.

Make sure we don’t have syntax errors:

sudo nginx -t

And reload Nginx:

sudo systemctl reload nginx
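As an added example (not code from the original post, and not part of Certbot), the following script reads a vhost file, lists the hostnames Certbot would match on (Apache ServerName/ServerAlias or Nginx server_name) and turns them into explicit -d flags for the certbot command, which is what you need when more than one ServerName or server_name directive exists. The config files it reads are constructed inline for the demonstration, and the function names vhost_names and certbot_domain_args are my own.

```shell
#!/bin/sh
# Added example: derive the hostnames Certbot matches against from an Apache
# vhost or Nginx server block and build explicit "-d" flags, so the names
# requested are exactly the ones your DNS records point at.

# Print each declared hostname on its own line. Comments and the Nginx
# trailing ';' are stripped, an Apache ':port' suffix is dropped, and the
# Nginx catch-all '_' is skipped because it is not a real domain.
vhost_names() {
    sed 's/#.*//; s/;//' "$1" | awk '
        $1 == "ServerName" || $1 == "ServerAlias" || $1 == "server_name" {
            for (i = 2; i <= NF; i++) {
                sub(/:[0-9]+$/, "", $i)
                if ($i != "_") print $i
            }
        }'
}

# Build the "-d name -d name" arguments for certbot from the file in $1.
# Prints nothing and returns 1 when the file declares no hostname, which is
# the case where Certbot would have to guess or prompt for the domain.
certbot_domain_args() {
    names=$(vhost_names "$1")
    [ -n "$names" ] || return 1
    printf '%s\n' "$names" | awk '{ printf "%s-d %s", (NR > 1 ? " " : ""), $1 }'
}

# Constructed sample configs, mirroring the snippets in the post.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/apache.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.org:80
    ServerAlias www.example.org
</VirtualHost>
EOF
cat > "$SAMPLES/nginx.conf" <<'EOF'
server {
    server_name example.org www.example.org;   # names must match your DNS records
}
EOF
cat > "$SAMPLES/default.conf" <<'EOF'
server {
    listen 80 default_server;
    server_name _;
}
EOF

echo "sudo certbot --apache $(certbot_domain_args "$SAMPLES/apache.conf")"
echo "sudo certbot --nginx $(certbot_domain_args "$SAMPLES/nginx.conf")"
certbot_domain_args "$SAMPLES/default.conf" || echo "default.conf: no hostname, pass -d explicitly"
```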

Allowing HTTPS Through the Firewall

See current settings:

sudo ufw status

To additionally let in HTTPS traffic, allow the Full version of whichever profile you already allowed for HTTP traffic:

sudo ufw allow 'Nginx Full'
#or
sudo ufw allow 'WWW Full'

Because we will no longer accept HTTP traffic, we can close port 80 in our firewall. Depending on your status output, delete every profile that opens port 80, such as Nginx HTTP or WWW:

sudo ufw delete allow 'Nginx HTTP'
#or
sudo ufw delete allow 'WWW'

Check again for the changes:

sudo ufw status

Obtaining an SSL Certificate

With the Apache and Nginx plugins that Certbot comes with, we can obtain an SSL certificate very easily with just one command.

For Apache

sudo certbot --apache

For Nginx

sudo certbot --nginx

Certbot Options

During the Certbot execution you will have to:

  1. Enter your email address in order to be notified about certificate renewal and security notices.

     Enter email address (used for urgent renewal and security notices) (Enter 'c' to
     cancel): youremail@address

     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  2. Agree to the Terms of Service.

     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     Please read the Terms of Service at
     https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
     agree in order to register with the ACME server at
     https://acme-v02.api.letsencrypt.org/directory
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     (A)gree/(C)ancel: a

  3. Choose if you would like to share your email address with the Electronic Frontier Foundation.

     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     Would you be willing to share your email address with the Electronic Frontier
     Foundation, a founding partner of the Let's Encrypt project and the non-profit
     organization that develops Certbot? We'd like to send you email about our work
     encrypting the web, EFF news, campaigns, and ways to support digital freedom.
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     (Y)es/(N)o: no

  4. Select which names you would like to activate HTTPS for. Press ENTER to select all of the names shown:

     Which names would you like to activate HTTPS for?
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     1: example.org
     2: www.example.org
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     Select the appropriate numbers separated by commas and/or spaces, or leave input
     blank to select all options shown (Enter 'c' to cancel):

  5. Choose to redirect all HTTP traffic to HTTPS and remove HTTP access, for best security:

     Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     1: No redirect - Make no further changes to the webserver configuration.
     2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
     new sites, or if you're confident your site works on HTTPS. You can undo this
     change by editing your web server's configuration.
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

  6. You have now successfully enabled the certificates. Try reloading your website with https:// and notice your browser’s security indicator.

     Congratulations! You have successfully enabled https://example.org and
     https://www.example.org

Verifying Certbot Auto-Renewal

The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. We will not need to run Certbot again, unless we change something in the configuration files.

To check the status of this systemd timer and make sure it is active, you can use:

sudo systemctl status certbot.timer

We can also check the cron script that is located at /etc/cron.d:

cat /etc/cron.d/certbot

To test the renewal process for the certificates, you can do a dry run with certbot:

sudo certbot renew --dry-run

If that command completes without errors, your certificates will renew automatically in the background.