---
title: "Install Let&#8217;s Encrypt Free SSL Certificate on Ubuntu with Certbot"
description: "Let's Encrypt is a free, automated Certificate Authority that provides trusted TLS/SSL certificates to enable secure HTTPS connections. This improves website security, SEO, and user trust while..."
url: https://www.inmotionhosting.com/support/website/ssl/lets-encrypt-ssl-ubuntu-with-certbot/
date: 2026-04-15
modified: 2026-04-15
author: "Carrie Smaha"
categories: ["Secure Socket Layer (SSL)"]
type: post
lang: en
---

# Install Let&#8217;s Encrypt Free SSL Certificate on Ubuntu with Certbot

![How to Install Let](https://www.inmotionhosting.com/support/wp-content/uploads/2020/03/How-to-Install-Lets-Encrypt-Free-SSL-Certificate-with-Cerbot-1024x538.png)

Let’s Encrypt is a free, automated Certificate Authority that provides trusted **TLS/SSL certificates** to enable secure HTTPS connections. This improves website security, SEO, and user trust while eliminating browser warnings.

**[Certbot](https://certbot.eff.org/)** (from the Electronic Frontier Foundation) is the most popular tool for obtaining and automatically renewing Let’s Encrypt certificates on Linux servers.

This guide is tailored for **unmanaged Ubuntu servers** (including InMotion Hosting [VPS](/vps-hosting), [Cloud](/cloud-vps), and [Dedicated](/dedicated-servers)). It covers installation methods suitable for InMotion environments, certificate issuance for **Apache** or **NGINX**, automatic renewal, and additional hardening steps.

**Applies to:** Ubuntu 20.04, 22.04, and 24.04 LTS

## Prerequisites

Before starting:

- A running Ubuntu server with **root** or sudo access via [SSH](https://www.inmotionhosting.com/support/server/ssh/how-to-login-ssh/).
- A registered domain name with **A/AAAA records** pointing to your server’s public IP.
- Your web server (**Apache** or **NGINX**) installed and running.
- Ports **80 (HTTP)** and **443 (HTTPS)** open in your firewall (e.g., UFW) and any hosting provider security groups. Certbot uses HTTP-01 validation by default, which requires port 80.

```
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw reload
```

- (Optional but recommended) A non-root user with sudo privileges for daily operations.

**Important Note for InMotion Cloud VPS Servers:** Snapd (the recommended installation method by Certbot) is currently incompatible. Use the **APT** or **PIP** methods below instead. Dedicated servers may support Snapd.

## How to Install Let’s Encrypt on Ubuntu with Certbot

### Step 1: Update Your System

Always start with a fresh package index:

```
sudo apt update && sudo apt upgrade -y
```

### Step 2: Install Certbot

Choose the method best for your environment.

#### Recommended for Most InMotion Users: APT Method (Ubuntu 20.04+)

This uses Ubuntu’s repositories and works reliably on InMotion’s Cloud VPS and Dedicated Servers.

```
sudo apt update
```

For **Apache**:

```
sudo apt install certbot python3-certbot-apache -y
```

For **NGINX**:

```
sudo apt install certbot python3-certbot-nginx -y
```

#### Alternative: PIP Method (Virtual Environment – Good for Isolation on Cloud Servers)

If APT packages are outdated or you prefer isolation:

```
sudo apt install python3 python3-venv libaugeas0 -y

sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot certbot-apache   # or certbot-nginx
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
```

#### Snap Method (Dedicated Servers Only – Official Recommended)

```
sudo apt install snapd -y
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```

**Tip:** After installation, verify with `certbot --version`. The latest Certbot (as of 2026) supports modern ACME protocols and improved renewal handling.

### Step 3: Obtain and Install Your SSL Certificate

Run Certbot with the appropriate plugin. It will:

- Verify domain ownership (via HTTP challenge).
- Obtain the certificate.
- (Optional) Automatically configure your web server for HTTPS and set up an HTTP-to-HTTPS redirect.

#### For Apache

```
sudo certbot --apache -d example.com -d www.example.com
```

#### For Nginx

```
sudo certbot --nginx -d example.com -d www.example.com
```

#### Alternatives

- **Specific domains only:** Always specify -d flags for precision (especially if using the system hostname).
- **Cert-only mode** (no automatic config changes – useful for custom setups or staging):

```
sudo certbot certonly --apache -d example.com -d www.example.com
```

or `--nginx`.

During the interactive prompts:

1. Enter your **email** (for renewal notices and security alerts from Let’s Encrypt).
2. Agree to the Let’s Encrypt Terms of Service.
3. (Optional) Share your email with EFF.
4. Choose redirect option: **2** (Redirect all HTTP traffic to HTTPS) is recommended for most production sites.

**Wildcard Certificates** (for `*.example.com`): Use DNS-01 validation with a plugin (e.g., `certbot-dns-cloudflare`). This requires DNS provider API credentials and is more complex—see official Certbot docs for details.

### Step 4: Verify Installation

- Certificates are stored in `/etc/letsencrypt/live/example.com/` (fullchain.pem and privkey.pem).
- Test your site: Visit `https://yourdomain.com` and check the padlock.
- Use external validators:
  - [SSL Labs](https://www.ssllabs.com/ssltest/) for detailed grade (aim for A+).
  - [Why No Padlock?](https://www.whynopadlock.com/) for mixed content issues.
- Check configuration:

```
sudo certbot certificates
```

## Automatic SSL Renewal

Let’s Encrypt certificates are valid for **90 days**. Certbot sets up automatic renewal (via systemd timer or cron) that runs twice daily and renews certificates expiring within 30 days.

- View renewal schedule:

```
systemctl status certbot.timer    # or cat /etc/cron.d/certbot
```

- Test renewal (dry-run – safe, no actual changes):

```
sudo certbot renew --dry-run
```

**Post-renewal hook example** (if needed for service reload): Add to renewal command or use `--deploy-hook "systemctl reload apache2"` (or nginx).

## Security Hardening Recommendations

An SSL certificate + redirect is a great start, but add these for better protection:

### 1. Enable HTTP Strict Transport Security (HSTS)

This tells browsers to **only** connect via HTTPS and prevents downgrade attacks.

**For Apache** (add to your VirtualHost):

```
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
```

For **NGINX** (in server block):

```
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
```

Reload your web server after changes.

### 2. Additional Best Practices

- Disable old TLS versions (1.0/1.1) in your web server config.
- Use strong ciphers and modern protocols (Certbot usually handles this well).
- Regularly monitor with `sudo certbot renew --dry-run`.
- Backup `/etc/letsencrypt/` (contains private keys – keep secure and restrict permissions: `chmod 600` on keys).
- For production: Consider DNS validation for automated wildcards if HTTP-01 isn’t feasible (e.g., behind load balancers).

## Troubleshooting Common Issues

- **“No matching server block” or validation failures:** Ensure domain points to the correct server IP and port 80 is open/accessible.
- **Connection reset / timeout:** Firewall blocking port 80, or ModSecurity rules interfering (temporarily disable if needed).
- **Permission or snap issues on InMotion Cloud:** Stick to APT/PIP methods.
- **Renewal fails:** Run the dry-run command and check logs in `/var/log/letsencrypt/`.
- **Mixed content warnings:** Update all internal links/resources to `https://` or relative URLs.
- Apache/NGINX not reloading after renewal: Add a deploy hook.

If issues persist, check the official documentation for [Certbot](https://certbot.eff.org/instructions) and [Let’s Encrypt](https://letsencrypt.org/docs/), or contact InMotion support.

## Conclusion

Following these steps gives you a free, auto-renewing Let’s Encrypt SSL certificate with proper HTTPS redirection. Your site will be more secure and perform better in search rankings.

For managed hosting options or assistance, InMotion provides [premium support](/solutions/inmotion-solutions).
