Issuing and installing an SSL certificate with Let's Encrypt (Certbot)

September 5, 2020

Note

This post may be partially machine- or AI-translated. If there is any discrepancy, the Korean version takes precedence.

Note

This post might be outdated and some links might not be available.

This post explains how to issue a Let’s Encrypt SSL certificate with Certbot and configure automatic renewal.

This guide assumes Apache or Nginx is installed on Ubuntu 20.04.
Open port 443 (HTTPS) on the server before starting.


Install snapd

snapd is installed by default on Ubuntu 16.04.4, 18.04, and 20.04, so this step can be skipped.
For snapd installation instructions on other distributions, see Installing snapd.


Remove any Certbot OS packages

Remove any existing Certbot package installed through the OS package manager.

$ sudo apt remove certbot

If no package is installed, move to the next step.


Install Certbot

Install Certbot.

$ sudo snap install --classic certbot
Download snap "core20" (634) from channel "stable"            12%  190kB/s 4m56s
Download snap "certbot" (500) from channel "stable"            5%  187kB/s 4m14s
certbot 1.7.0 from Certbot Project (certbot-eff✓) installed

Issue and install the SSL certificate

Issue the SSL certificate and update the web server configuration to enable HTTPS.

// Apache
$ sudo certbot --apache

// Nginx
$ sudo certbot --nginx

Example run with the Apache plugin:

$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email address]

  • Agree to the Terms of Service.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

  • Choose whether to receive news from EFF by email.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

  • This message appears because no domain name is configured in the Apache configuration files.
    Enter the domain names for the SSL certificate, separated by commas or spaces.
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): [domain name]

  • Certbot proceeds with the SSL setup process: certificate issuance, validation, and web server configuration.
    Future clients will be redirected from HTTP to HTTPS.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for [domain name]
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://[domain name]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: [email]).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/[domain name]/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/[domain name]/privkey.pem
   Your cert will expire on 2020-12-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

SSL setup is complete, and Certbot shows the certificate expiration date (2020-12-03).
Certbot automatically renews certificates every 60 days, so you do not need to run it again manually.


Test automatic renewal

Use the following command to test certificate renewal with a dry run.

$ sudo certbot renew --dry-run
.....
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/[domain name]/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
.....

  • The certificate renewal command is installed in one of the following locations.
/etc/crontab/
/etc/cron.*/*
$ systemctl list-timers
  • The scheduled time for the certificate renewal service is displayed.
$ sudo systemctl list-timers
NEXT                        LEFT          LAST                        PASSED       UNIT                         ACTIVATES
.....
Fri 2020-09-04 22:58:00 KST 2h 2min left  n/a                         n/a          snap.certbot.renew.timer     snap.certbot.renew.service
.....
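
Because renewal is unattended, a failing renewal goes unnoticed until the certificate expires. The script below is an added example, not part of the original post: it reads a certificate's expiry date and reports whether it has gone past the renewal window, and it checks the snap.certbot.renew.timer unit shown above. The function names are hypothetical; it assumes GNU date and openssl, and uses Certbot's default 30-day renewal window as the threshold.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.
# Assumes GNU date and openssl. 30 days is Certbot's default renewal window,
# so a live certificate with less time left means renewals are not succeeding.
RENEW_WINDOW_DAYS=30

# Constructed sample in the format printed by `openssl x509 -enddate -noout`;
# the date matches the expiry shown in the post, the time of day is made up.
SAMPLE_NOT_AFTER='notAfter=Dec  3 12:00:00 2020 GMT'

# cert_state "<notAfter line>" [now_epoch] -> OK | RENEWAL_OVERDUE | EXPIRED
cert_state() {
    local not_after="${1#notAfter=}" now="${2:-$(date +%s)}" end left
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 2; }
    left=$(( end - now ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$left" -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        echo "RENEWAL_OVERDUE"
    else
        echo "OK"
    fi
}

# Read the expiry from a certificate file, e.g. the fullchain.pem under
# /etc/letsencrypt/live/[domain name]/ reported by Certbot.
check_cert_file() {
    local line
    line=$(openssl x509 -enddate -noout -in "$1") || { echo "UNREADABLE"; return 2; }
    cert_state "$line"
}

# The snap package schedules renewals through this systemd timer.
timer_active() {
    systemctl is-active --quiet snap.certbot.renew.timer
}

# Usage: sudo ./check-cert.sh /etc/letsencrypt/live/[domain name]/fullchain.pem
if [ -n "${1:-}" ]; then
    timer_active || echo "WARN: snap.certbot.renew.timer is not active" >&2
    state=$(check_cert_file "$1")
    echo "$1: $state"
    [ "$state" = "OK" ]
fi
```

The script exits non-zero unless the state is OK, so it can be run from a monitoring job that alerts on failure.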