Installing Certbot on Ubuntu 20.04

 

Step 1 – Installing Certbot

Certbot is a tool to obtain certificates from Let’s Encrypt and configure on your web server. Snap package is the easist way for installing certbot on Ubuntu system.

Open a terminal and execute below command to install certbot:

sudo snap install --classic certbot 

Step 2 – Generate SSL Certificate

Now, You can request SSL certificates from Let’s encrypt based on the web server.

  1. Apache – The systems running Apache web server, execute the following command. This will list all the domains/sub-domains configured on your web server. Select appropriate numbers to request certificate.
    sudo certbot --apache 

    We also use the following to install on a domain.

    sudo certbot - apache -d yourdomain.com
  2. Nginx – For the systems running Nginx web server, use below command to request for the SSL certificates.
    sudo certbot --nginx 
  3. Other Web Server – For the system having any other web servers running except Apache or Nginx. Then you can get the certificate only and configure them manually.

    This command will ask you for domain name and document root for the domain.

    sudo certbot certonly --webroot 
  4. No Web Server – The systems have no web server running, can also request a ssl certificate. Below command will ask your for the domain name and start a temporary web server on port 80 to complete the verification.
    sudo certbot certonly --standalone 

In all of the above cases, the domain must be pointed to your server from dns. Also insure that /.well-known/acme-challenge are served by the webserver.

Step 3 – Test SSL

Once the SSL certificate is installed on the web server, visit https://your-domain.com/ in a web browser and look for the SSL lock icon in the URL bar. You can also do a security scan for the SSL setup on https://www.ssllabs.com/ssltest/.

 

Step 4 – Renew SSL Certificate

Let’s encrypt certificates are issues for 3 months only. You can renew certificate before 30 days of expiry. Certbot allows you a hassle free renewal just by running a single command.

Run the below command to renew all the certificates on that system.

sudo certbot renew 

You can also run a dry run without actual renewal. This will help you to test if SSL renewal perform well.

sudo certbot renew --dry-run 

Certbot not installing ssl certificate with “sudo certbot renew”

If Certbot fails when using “sudo certbot renew”

And you get this….

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Try make the changes to your Apache configuration by hand, and run this command.

sudo certbot certonly --apache

This has work for us 99% of the time.

SSL Will not renew with EHCP – let’s encrypt

If the auto renew is not working on EHCP, to renew your SSL certificates you are best using certbot.

Certbot Instructions for Apache on Ubuntu 18.04 LTS (bionic)

  1. SSH into the server

    SSH into the server running your HTTP website as a user with sudo privileges.

  2. Add Certbot PPA

    You’ll need to add the Certbot PPA to your list of repositories. To do so, run the following commands on the command line on the machine:

    1. sudo apt-get update
    2. sudo apt-get install software-properties-common
    3. sudo add-apt-repository universe
    4. sudo add-apt-repository ppa:certbot/certbot
    5. sudo apt-get update
  3. Install Certbot

    Run this command on the command line on the machine to install Certbot.

    sudo apt-get install certbot python3-certbot-apache
  4. Choose how you’d like to run Certbot
    • Either get and install your certificates…

      Run this command to get a certificate and have Certbot edit your Apache configuration automatically to serve it, turning on HTTPS access in a single step.

      sudo certbot --apache
    • Or, just get a certificate

      If you’re feeling more conservative and would like to make the changes to your Apache configuration by hand, run this command.

      sudo certbot certonly --apache
  5. Test automatic renewal

    The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:

    sudo certbot renew --dry-run

    The command to renew certbot is installed in one of the following locations:

    • /etc/crontab/
    • /etc/cron.*/*
    • systemctl list-timers
  6. Confirm that Certbot worked

    To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar. If you want to check that you have the top-of-the-line installation, you can head to https://www.ssllabs.com/ssltest/.