How to Install Let's Encrypt SSL Certificates on Ubuntu 18.04

Certbot is a user-friendly automatic client that fetches and deploys SSL/TLS certificates for your web server. It is an EFF tool used to obtain certificates from Let's Encrypt and automatically enable HTTPS on your server. In short, it acts as the official Let's Encrypt client (also known as "the Let's Encrypt Python client"). It uses the Automated Certificate Management Environment (ACME) protocol to automatically deploy free SSL certificates that are trusted by the majority of browsers. Hence, it also works with any other CA that supports the ACME protocol.

In this article, I'll explain how to get and install free Let's Encrypt SSL certificates using Certbot for Apache and Nginx on Ubuntu 18.04 servers.

Pre-requisites

  • An Ubuntu Bionic Beaver (18.04) server with root privileges to install the required packages as per the requirements.
  • A fully qualified domain which is registered and has proper DNS records. Here in this article, I'm using the domain fosscloudy.com throughout.

Install Certbot

First, to fetch the Let's Encrypt SSL certificates, we need to install the Certbot software. Even though Certbot is available in the Ubuntu repositories, the package there tends to be outdated. Hence, it's advisable to install it from the Certbot PPA, which carries the latest release. You can install Certbot using the following commands:

# add-apt-repository ppa:certbot/certbot
# apt update
# apt install certbot

You can confirm the installed Certbot version with this command below:

# certbot --version
certbot 0.23.0

Additionally, you can run "certbot plugins" to list the Certbot plugins installed on your server.

# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
-------------------------------------------------------------------------------

By default, only the standalone and webroot plugins are included in this package. Depending on our purpose, we can install the additional plugins we need one by one.

Setting up Let's Encrypt SSL certificate on Apache

Certbot provides an Apache plugin that issues and installs the SSL certificate in one step. We can install this plugin by running this command:

# apt install python-certbot-apache

We are now ready to use this tool, but to configure SSL for the domains, we need to verify some of the Apache configuration files. When issuing the SSL certificate for a domain, Certbot looks for a virtual host matching that exact domain in your server's Apache configuration. You can refer to my previous article, which will assist you in setting up a domain virtual host. Assuming a proper virtual host exists for our domain, we can run this command to install SSL for our domain fosscloudy.com.

# certbot --apache -d fosscloudy.com -d www.fosscloudy.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for fosscloudy.com
http-01 challenge for www.fosscloudy.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/fosscloudy.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/fosscloudy.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/fosscloudy.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/fosscloudy.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/fosscloudy.com.conf to ssl vhost in /etc/apache2/sites-available/fosscloudy.com-le-ssl.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://fosscloudy.com and
https://www.fosscloudy.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=fosscloudy.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.fosscloudy.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/fosscloudy.com-0002/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/fosscloudy.com-0002/privkey.pem
Your cert will expire on 2018-09-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


This interactive procedure guides you through all the information needed to issue and install the certificate for your selected domain. Your domain's SSL certificate is downloaded, installed and configured properly in your domain's virtual host automatically by this command. Now you can access your domain over HTTPS and confirm it is working, or verify the SSL status with an online SSL checker.

Optionally, if you have multiple virtual hosts/domains configured, you can use the command below to install SSL certificates for them.

# certbot --apache

Certbot will ask you to select the domains included in the new certificate.

Furthermore, if you don't want Certbot to automatically install/configure your domain's virtual host with the new SSL certificate, you can use the following command to only generate the SSL certificate and configure it manually later.

# certbot --apache certonly

Setting Up Let's Encrypt SSL certificate on Nginx

For servers running the Nginx web server, we can use the Certbot Nginx plugin to automatically obtain and install the SSL certificates. You can install this plugin by issuing this command:

# apt install python-certbot-nginx

We are now ready to use this tool, but to configure SSL for the domains, we need to verify some of the Nginx configuration files. When issuing the SSL certificate for a domain, Certbot looks for a virtual host matching that exact domain in your server's Nginx configuration. Assuming a proper virtual host exists for our domain, we can run this command to install SSL for our domain fosscloudy.com.
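Both the Apache section above and this Nginx section depend on Certbot finding a virtual host that declares every domain passed with -d. The following pre-flight check is an added example, not code from the original article or from the Certbot project; the function names vhost_names and missing_domains are this example's own, and the two sample config files it builds are constructed for the demo. It lists the names declared by ServerName/ServerAlias (Apache) or server_name (Nginx) and reports the requested domains that are missing, so you can fix the vhost before Certbot fails or deploys the certificate to the wrong one.

```shell
#!/bin/sh
# Added example (not part of the original article): a pre-flight check to
# run before "certbot --apache" or "certbot --nginx". Both installer plugins
# locate the virtual host by matching each -d domain against the names
# declared in the config (ServerName/ServerAlias for Apache, server_name
# for Nginx). Function names here are this example's own.
#
# Usage: vhost_names CONFIG_FILE
#        missing_domains CONFIG_FILE DOMAIN...

# Print every hostname declared in a vhost file, one per line.
# Comments are dropped first so a commented-out ServerAlias does not count;
# Nginx's trailing ';' is turned into whitespace so names split cleanly.
vhost_names() {
    sed -e 's/#.*$//' -e 's/;/ /g' "$1" |
    awk '$1 == "ServerName" || $1 == "ServerAlias" || $1 == "server_name" {
             for (i = 2; i <= NF; i++) print $i
         }' | sort -u
}

# Print the requested domains that are NOT declared in CONFIG_FILE.
# Returns 0 if every domain is present, 1 otherwise.
missing_domains() {
    cfg="$1"; shift
    names=$(vhost_names "$cfg")
    rc=0
    for d in "$@"; do
        # -x: whole-line match, -F: treat dots in the domain literally
        if ! printf '%s\n' "$names" | grep -qxF -- "$d"; then
            echo "$d"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not real server files) for the demo.
apache_cfg=$(mktemp)
cat > "$apache_cfg" <<'EOF'
<VirtualHost *:80>
    ServerName fosscloudy.com
    # ServerAlias www.fosscloudy.com
    DocumentRoot /var/www/fosscloudy.com
</VirtualHost>
EOF

nginx_cfg=$(mktemp)
cat > "$nginx_cfg" <<'EOF'
server {
    listen 80;
    server_name fosscloudy.com www.fosscloudy.com;
    root /var/www/fosscloudy.com;
}
EOF

for cfg in "$apache_cfg" "$nginx_cfg"; do
    if missing=$(missing_domains "$cfg" fosscloudy.com www.fosscloudy.com); then
        echo "$cfg: all domains declared, safe to run certbot"
    else
        echo "$cfg: add these names to the vhost before running certbot:"
        echo "$missing"
    fi
done
rm -f "$apache_cfg" "$nginx_cfg"
```

On a real server you would point it at the vhost file Certbot will edit, for example missing_domains /etc/apache2/sites-enabled/fosscloudy.com.conf fosscloudy.com www.fosscloudy.com; the Apache sample above deliberately has www.fosscloudy.com commented out, so the demo reports that name as missing for Apache and nothing for Nginx.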

# certbot --nginx -d fosscloudy.com -d www.fosscloudy.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for fosscloudy.com
http-01 challenge for www.fosscloudy.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/fosscloudy.com.conf
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/fosscloudy.com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/fosscloudy.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/fosscloudy.com.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://fosscloudy.com and
https://www.fosscloudy.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=fosscloudy.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.fosscloudy.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/fosscloudy.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/fosscloudy.com/privkey.pem
Your cert will expire on 2018-09-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

This self-explanatory interactive procedure automatically generates, installs and configures the SSL certificate for your domain. Your domain's SSL certificate is downloaded, installed and configured properly in your domain's virtual host automatically by this command. Now you can access your domain over HTTPS and confirm it is working, or verify the SSL status with an online SSL checker. You can replace my domain fosscloudy.com with yours and run the same command to generate your SSL certificate.


Similar to the Apache plugin, if you have multiple virtual hosts/domains configured, you can use the command below to install SSL certificates for all of them.

# certbot --nginx

Certbot will ask you to select the domains included in the new certificate.

Additionally, if you don't want Certbot to automatically install/configure your domain's virtual host with the new SSL certificate, you can use the following command to only generate the SSL certificate, which you can later configure manually.

# certbot --nginx certonly

Setting up Let's Encrypt Wildcard Certificates using Certbot

Let's Encrypt has recently started supporting wildcard certificates through its new ACMEv2 protocol. This means that you can have a single wildcard certificate like *.fosscloudy.com and use it for all sub-domains of the domain, such as docs.fosscloudy.com, blog.fosscloudy.com, mail.fosscloudy.com, etc. This makes it very easy to manage certificates for numerous sub-domains efficiently. You can generate this wildcard SSL certificate for fosscloudy.com by running the command below. Replace fosscloudy.com with your own domain as needed.

# certbot certonly --manual -d *.fosscloudy.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for fosscloudy.com

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.fosscloudy.com with the following value:

z25SzIfe37x5va0ynh6KdmEYVjjuSvdUOGM_t_twsVk

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/fosscloudy.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/fosscloudy.com-0001/privkey.pem
Your cert will expire on 2018-09-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

As shown in this interactive procedure, Certbot will ask you to add a specific TXT record to your DNS records. In my case, it asked me to set up the TXT record as below:

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.fosscloudy.com with the following value:

z25SzIfe37x5va0ynh6KdmEYVjjuSvdUOGM_t_twsVk

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

In your DNS provider, you'll create a new DNS TXT record with:

Record Name: _acme-challenge (you may or may not need the .fosscloudy.com suffix, depending on your DNS provider).
Record Value: z25SzIfe37x5va0ynh6KdmEYVjjuSvdUOGM_t_twsVk (replace this with the value provided by Certbot)

Save your DNS settings and press Enter in the Certbot window to trigger the check and complete the verification. You will have to wait some time for the new DNS record to propagate over the internet. I waited for 30 minutes and pressed Enter. You can also set a lower TTL value to make this process faster.
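Rather than guessing how long propagation takes before pressing Enter, you can poll for the record yourself and only continue once it resolves. The script below is an added example and not part of the original article or of Certbot; the function names strip_txt_quotes, txt_contains and wait_for_txt are its own, the default resolver 8.8.8.8 is an assumption you can override, and the sample dig output it checks is constructed (it reuses the challenge value shown above). It needs dig and network access for the live check; the offline part only parses dig's quoted TXT output.

```shell
#!/bin/sh
# Added example (not part of the original article): before pressing Enter in
# the "certbot --manual" prompt, confirm that the _acme-challenge TXT record
# is actually visible to a resolver, so the dns-01 validation is not run
# against a record that has not propagated yet.
#
# Usage: wait_for_txt NAME EXPECTED_VALUE [RESOLVER] [ATTEMPTS]

# Normalise raw "dig +short TXT" output: dig prints each TXT value quoted,
# and splits values longer than 255 bytes into "part1" "part2"; join the
# parts and drop the surrounding quotes so one value sits on each line.
strip_txt_quotes() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Return 0 if EXPECTED_VALUE appears among the TXT values read from stdin.
txt_contains() {
    strip_txt_quotes | grep -qxF -- "$1"
}

# Poll the resolver every 15 s until the record shows up or attempts run out.
# Default resolver 8.8.8.8 is an assumption for the example; querying one of
# the zone's own authoritative nameservers is closer to what the CA does.
wait_for_txt() {
    name="$1"; expected="$2"; resolver="${3:-8.8.8.8}"; attempts="${4:-20}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if dig +short TXT "$name" "@$resolver" | txt_contains "$expected"; then
            echo "record $name is live on $resolver, safe to press Enter"
            return 0
        fi
        i=$((i + 1))
        sleep 15
    done
    echo "record $name not visible after $attempts attempts" >&2
    return 1
}

# Constructed sample of what "dig +short TXT _acme-challenge.fosscloudy.com"
# prints once the record is deployed (a second TXT at the same name is
# common when several challenges are outstanding).
sample_dig_output='"z25SzIfe37x5va0ynh6KdmEYVjjuSvdUOGM_t_twsVk"
"another-challenge-value"'

if printf '%s\n' "$sample_dig_output" | txt_contains z25SzIfe37x5va0ynh6KdmEYVjjuSvdUOGM_t_twsVk; then
    echo "sample output: challenge value found"
fi

# Live use while the certbot prompt is waiting (needs dig and network):
# wait_for_txt _acme-challenge.fosscloudy.com z25SzIfe37x5va0ynh6KdmEYVjjuSvdUOGM_t_twsVk
```

Because Let's Encrypt validates by resolving the name itself rather than through your provider's caching resolver, the most reliable check is against the authoritative nameservers of the zone (dig +short NS fosscloudy.com lists them); a stale answer from a public resolver can also mean you are seeing a cached negative result from before the record existed, which a lower TTL, as noted above, shortens.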

Congratulations!! The wildcard certificate for your domain fosscloudy.com is generated. Now you can use this wildcard certificate with any sub-domain you create for your domain name. For example, I've created a sub-domain for this domain, namely docs.fosscloudy.com. It uses the wildcard SSL certificate issued for the main domain. You can access your sub-domain over HTTPS in the browser and confirm it is working.


Autorenewal of the SSL certificates

You can use any of the methods mentioned above to obtain your SSL certificates. But all Let's Encrypt certificates are short-lived and valid for only 90 days. So it's mandatory to renew these certificates before they expire to keep your websites functioning normally. You can do this manually if you prefer, or automate the process using cron jobs or the Certbot client.

When a certificate is installed successfully by the execution of the above methods, you will get a message similar to this:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/fosscloudy.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/fosscloudy.com/privkey.pem
Your cert will expire on 2018-09-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"

This message clearly states how to renew your certificate in future with the "certbot renew" command.

Let's test the autorenewal process with the following command:

# certbot renew

This command checks whether any of the domains' SSL certificates are due for renewal and renews those that need it.

The good news is that the Certbot package on our server comes with a cron job that will renew our SSL certificates automatically before they expire. Since Let's Encrypt certificates last for only 90 days, it's highly advisable to take advantage of this feature.

# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

This cron job runs twice daily but won't renew the certificates unless they're about to expire.
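To see for yourself which lineages fall inside the 30-day window the cron comment mentions, and to catch a renewal that silently stopped working, the following script reads the expiry straight out of each fullchain.pem with openssl. It is an added example, not code from the original article or from Certbot; the function names needs_renewal, report_renewals and make_demo_cert are its own, and the two self-signed certificates it generates are constructed stand-ins for real Let's Encrypt lineages so the demo runs offline.

```shell
#!/bin/sh
# Added example (not part of the original article): report which lineages
# under /etc/letsencrypt/live are within the 30-day renewal window that the
# packaged cron job uses. Only openssl is needed, so it also works as an
# independent monitoring check in case the cron job stops renewing.
#
# Usage: needs_renewal CERT_FILE [DAYS]
#        report_renewals [LIVE_DIR] [DAYS]

# Return 0 if CERT_FILE expires within DAYS days (default 30), 1 otherwise.
needs_renewal() {
    cert="$1"; days="${2:-30}"
    [ -f "$cert" ] || { echo "no such certificate: $cert" >&2; return 0; }
    # "openssl x509 -checkend N" exits 0 when the cert is still valid N
    # seconds from now and 1 when it will have expired by then.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print "<lineage> <notAfter> RENEW|ok" for every lineage directory.
report_renewals() {
    live="${1:-/etc/letsencrypt/live}"; days="${2:-30}"
    for dir in "$live"/*/; do
        cert="$dir/fullchain.pem"
        [ -f "$cert" ] || continue
        expiry=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
        if needs_renewal "$cert" "$days"; then status=RENEW; else status=ok; fi
        printf '%s\t%s\t%s\n' "$(basename "$dir")" "$expiry" "$status"
    done
}

# Constructed demo data: throwaway self-signed certs laid out like
# /etc/letsencrypt/live/<domain>/{privkey,fullchain}.pem, one expiring in
# 20 days (inside the window) and one in 80 days (outside it).
make_demo_cert() {  # DIR DAYS
    mkdir -p "$1"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" -days "$2" \
        -subj "/CN=$(basename "$1")" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_cert "$demo/fosscloudy.com" 20
make_demo_cert "$demo/docs.fosscloudy.com" 80
report_renewals "$demo"
rm -rf "$demo"
```

On a real server, report_renewals with no arguments reads /etc/letsencrypt/live directly (run as root, since the lineage directories are not world-readable); a lineage still marked RENEW a day or two after the cron job should have fired is the signal to run certbot renew by hand and read /var/log/letsencrypt/letsencrypt.log for the reason.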


Let's Encrypt has literally changed the way we generate, install and use SSL certificates. With its automated procedures using the Certbot tool, you can see how easily you can get your free SSL certificates from Let's Encrypt in just a few seconds and install them automatically in a matter of minutes. I hope this article is informative and useful for you. Please post your valuable comments and suggestions on this.

Saheetha Shameer 12:05 am

About Saheetha Shameer

I'm working as a Senior System Administrator. I'm a quick learner and have a slight inclination towards following the current and emerging trends in the industry. My hobbies include hearing music, playing strategy computer games, reading and gardening. I also have a high passion for experimenting with various culinary delights :-)
