How to Install Let’s Encrypt (Certbot) on Ubuntu 20.04

Certbot is a command line tool for managing Let’s Encrypt SSL certificates on Linux operating system. It may allow you to request install free SSL certificate on your website domain. It also performs the authorization and configure your web server to make it SSL ready. It also helps you to renew certificates issued by the Let’s Encrypt certificate authority.

This tutorial help you to install Let’s Encrypt client on Ubuntu 20.04 LTS Linux operating system.

Prerequisites

You must fulfil the followings requirements:

  • A running Ubuntu 20.04 system with sudo access.
  • Apache/Nginx web server with virtual host configured with real domain or subdomain.
  • Domain or sub-domain must be pointed correctly to web server IP address.

Step 1 – Installing Certbot

Certbot is a tool to obtain certificates from Let’s Encrypt and install it on your web server. Snap package is the easiest way for installing certbot on Ubuntu system.

Open a terminal and execute below command to install certbot:

sudo apt install certbot python3-certbot-apache

or

sudo snap install --classic certbot

 

Step 2— Allowing HTTPS Through the Firewall

If you have the UFW firewall enabled, you’ll need to adjust the settings to allow HTTPS traffic. Upon installation, Apache registers a few different UFW application profiles. We can leverage the Apache Full profile to allow both HTTP and HTTPS traffic on your server.

To verify what kind of traffic is currently allowed on your server, you can use:

sudo ufw status

If you have followed one of our Apache installation guides, your output should look something like this, meaning that only HTTP traffic on port 80 is currently allowed:

Output

sudo ufw status
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                          
22/tcp (v6)                ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             

If you do not see 443/tcp line as shown above, please add it as the following to let in HTTPS traffic:

  • sudo ufw allow '443/tcp

Rerun

  • sudo ufw status

Your status will now look like the above.

You are now ready to run Certbot and obtain your certificates.

Step 3 – Generate SSL Certificate

Now, You can request SSL certificates from Let’s encrypt based on the web server.

  1. Apache – On the systems running Apache web server, execute the following command. This will list all the domains/sub-domains configured on your web server. Select appropriate numbers to request certificate.
    sudo certbot --apache
  2. Nginx – For the systems running Nginx web server, use below command to request for the SSL certificates.
    sudo certbot --nginx
  3. Other Web Server – For the system having any other web servers running except Apache or Nginx. Then you can get the certificate only and configure them manually.This command will ask you for domain name and document root for the domain.
    sudo certbot certonly --webroot
  4. No Web Server – The systems have no web server running, can also request a ssl certificate. Below command will ask your for the domain name and start a temporary web server on port 80 to complete the verification.
    sudo certbot certonly --standalone

In all of the above cases, the domain must be pointed to your server from dns. Also insure that /.well-known/acme-challenge are served by the webserver.

Step 4 – Test SSL

Once the SSL certificate is installed on the web server, visit https://your-domain.com/ in a web browser and look for the SSL lock icon in the URL bar. You can also do a security scan for the SSL setup on https://www.ssllabs.com/ssltest/.

Step 3 – Renew SSL Certificate

Let’s encrypt certificates are issues for 3 months only. You can renew certificate before 30 days of expiry. Certbot allows you a hassle free renewal just by running a single command.

Run the below command to renew all the certificates on that system.

sudo certbot renew

You can also run a dry run without actual renewal. This will help you to test if SSL renewal perform well.

sudo certbot renew --dry-run

Conclusion

In this tutorial, you have learned to install certbot on Ubuntu operating system. It also helped you to create new certificates for your web servers.

Leave a Reply