How to Install Let’s Encrypt SSL on Ubuntu with Certbot

Free SSL Certificates with Certbot

Let’s Encrypt provides free SSL certificates for your websites to use secure connections. Certbot is free open source software that allows you to easily create Let’s Encrypt SSLs on your unmanaged Linux server. Log into SSH as root to begin.

Install Certbot in Ubuntu 20.04

Instead of the older python-certbot-apache package, Certbot now recommends using the snapd package manager to install Certbot in Ubuntu. InMotion Cloud Server Hosting is incompatible with snapd at this time, but Python Installs Packages (PIP) works just as well.

Install Certbot in Ubuntu with PIP

Cloud server users can install Certbot in Ubuntu with PIP.

  1. First, install the system dependencies (Python 3, the venv module, and Augeas):
    sudo apt install python3 python3-venv libaugeas0
  2. Set up a virtual environment:
    sudo python3 -m venv /opt/certbot/
    sudo /opt/certbot/bin/pip install --upgrade pip
  3. Install Certbot with the plugin for your web server, Apache or NGINX (run the line that matches):
    sudo /opt/certbot/bin/pip install certbot certbot-apache
    sudo /opt/certbot/bin/pip install certbot certbot-nginx
  4. Create a symlink to ensure Certbot runs:
    sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

Install Certbot in Ubuntu with snapd

Our Dedicated Server Hosting users can use snapd.

  1. Install snapd:
    sudo apt install snapd
  2. Ensure you have the latest snapd version installed:
    sudo snap install core; sudo snap refresh core
  3. Install Certbot with snapd:
    sudo snap install --classic certbot
  4. Create a symlink to ensure Certbot runs:
    sudo ln -s /snap/bin/certbot /usr/bin/certbot

Create an SSL Certificate with Certbot

Run Certbot to create SSL certificates and modify your web server configuration file to automatically redirect HTTP requests to HTTPS. Or, add “certonly” to create the SSL certificates without modifying system files (recommended if hosting staging sites that should not be forced to use an SSL).

  1. Choose the best option for your needs.
    Create SSL certs for all domains and configure redirects in the web server:
    sudo certbot --apache
    sudo certbot --nginx

    Create SSL certs for a specified domain (recommended if you’re using your system hostname):
    sudo certbot --apache -d example.com -d www.example.com

    Only install SSL certs:
    sudo certbot certonly --apache
    sudo certbot certonly --nginx
  2. Enter an email address for renewal and security notices.
  3. Agree to the terms of service.
  4. Specify whether to receive emails from EFF.
  5. If prompted, choose whether to redirect HTTP traffic to HTTPS – 1 (no redirect, no further changes to the server) or 2 (redirect all HTTP requests to HTTPS).

SSL Maintenance and Troubleshooting

After you install a Let’s Encrypt certificate on your Ubuntu Certbot setup, you can test your website SSL status at https://WhyNoPadlock.com to identify mixed content errors.

The certificate files for each domain are stored in:

cd /etc/letsencrypt/live

Let’s Encrypt certificates expire after 90 days. To prevent SSLs from expiring, Certbot checks your SSL status twice a day and renews certificates expiring within thirty days. You can view settings with Systemd or cron.d. If neither shows a schedule (a PIP install does not create one on its own), schedule certbot renew yourself.

systemctl show certbot.timer
cat /etc/cron.d/certbot

Ensure the renewal process works:

sudo certbot renew --dry-run

SSL Improvements

Having an SSL cert and 301 redirects to force HTTPS isn’t always enough to prevent attacks. Attackers have found ways to bypass both security practices to infiltrate server communications.

HTTP Strict Transport Security (HSTS) is an HTTP security header that addresses this by telling web browsers to load your website only over HTTPS with a valid SSL cert. If the browser is offered an insecure connection, it refuses the connection altogether to protect the user. HSTS is easy to configure within your web server (e.g. Apache and NGINX).
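
To confirm the header is actually being sent once HSTS is configured, the shell function below audits response headers piped in from curl -sI. It is an added example, not code from this article or from Certbot; the function name hsts_audit and the 180-day MIN_MAX_AGE floor are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit the Strict-Transport-Security (HSTS) header found in
# HTTP response headers read from stdin, for instance:
#   curl -sI https://example.com | hsts_audit
# Directives that emit the header (web server config, not executed here):
#   Apache (mod_headers): Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
#   NGINX: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

MIN_MAX_AGE=15552000   # assumed policy floor (180 days in seconds), not from the article

# Prints one verdict line. Returns 0 = ok, 1 = header missing, 2 = weak policy.
hsts_audit() {
    # Header names are case-insensitive; strip the CR of CRLF line endings.
    value=$(tr -d '\r' | awk '
        tolower($0) ~ /^strict-transport-security:/ {
            sub(/^[^:]*:[ \t]*/, ""); print; exit
        }')
    if [ -z "$value" ]; then
        echo "MISSING: no Strict-Transport-Security header"
        return 1
    fi
    # Directive names are case-insensitive too, so compare in lower case.
    lower=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
    max_age=$(printf '%s\n' "$lower" |
        sed -n 's/.*max-age="\{0,1\}\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ]; then
        echo "WEAK: max-age directive missing or not numeric"
        return 2
    fi
    if [ "$max_age" -eq 0 ]; then
        echo "WEAK: max-age=0 tells browsers to forget the policy"
        return 2
    fi
    if [ "$max_age" -lt "$MIN_MAX_AGE" ]; then
        echo "WEAK: max-age=$max_age is below $MIN_MAX_AGE"
        return 2
    fi
    case $lower in
        *includesubdomains*) echo "OK: max-age=$max_age; includeSubDomains" ;;
        *) echo "OK: max-age=$max_age (subdomains not covered)" ;;
    esac
    return 0
}
```

Start with a short max-age while testing a new HTTPS setup, since browsers cache the policy for the full duration and a broken certificate then locks visitors out.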

InMotion Hosting Contributor
