# Let's Encrypt(Certbot) free SSL with Nginx/Apache configurations on ubuntu (24.04 | 22.04 | 20.04)

Certbot is part of EFF's effort to encrypt the entire internet. Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate is. Certbot and Let's Encrypt can automate away the pain and let you turn on and manage HTTPS with simple setup commands. It's totally free to use.

It's not required to use Let's Encrypt to obtain an SSL, you have the flexibility to use any Certificate Authority you choose.

This is the tutorial to help you to install the Let's Encrypt client on Ubuntu 20.04 Linux system.

### Prerequisites:

* A running Ubuntu system with non-root, sudo enabled user.
    
* A fully registered domain name pointed to the ubuntu server.
    
* Server running engine Nginx or apache. (We will use Nginx for this tutorial)
    
* Port 80 or 443 must be unused on your server.
    

**Note:** *Installation method is the same for Apache too, only the plugins used are different.*

### Installation:

#### 1\. Installing Certbot

Snap package is the easiest way for installing certbot on the Ubuntu system. Snap packages work on nearly all Linux flavors, but they required that you've installed snapd first in order to manage snap packages. Actually, Certbot is a third-party service that makes it easier to install Let's Encrypt. First SSH to the server, update the repository server:

```bash
sudo apt update && upgrade -y
```

After the system has been successfully updated and upgraded, download services or packages that support(is required) the running of Certbot Let's Encrypt.

```bash
sudo apt install certbot python3-certbot-nginx
```

Once done, confirm the Nginx Virtualhost configuration. The nginx virtualhost is the one that guarantees success in installing Let's Encrypt. And Certbot will check Nginx to generate SSL using Let's Encrypt.

#### 2\. Nginx Virtualhost configuration

To create a Certbot SSL certificate, make sure the domain or subdomain is registered on the Virtualhost Nginx web server.

Open the file ***vim /etc/nginx/sites-available/your\_domain.conf*** and edit ***server\_name*** with your domain.

```bash
vim /etc/nginx/sites-available/your.domain.conf
```

```bash
...
...
server {
         listen 80 default_server;
         root /var/www/html;
         if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
         return 403;
         }
         index index.html index.htm index.nginx-debian.html;
         server_name your.domain.com
         return 404;
...
...
```

If ***server\_name*** matches the target Let's Encrypt is going to register. Test the Nginx service.

##### Nginx testing:

After the configuration has been saved, use the following command to check the status:

```bash
nginx -t
```

On correct configuration output will be:

```bash
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

Restart the Nginx service:

```bash
sudo systemctl restart nginx
```

#### 3\. Allow HTTPS

You have to open ports 80 and 443, namely HTTP and HTTPS to be able to enter and exit the server through the firewall.

Check the firewall status:

```bash
ufw status
```

If the firewall is Inactive, you can continue to the next step. But firewall turn on is recommended since it protects the server from external attacks.

Now, add permissions for ports 80 and 443 i.e HTTP and HTTPS:

```bash
ufw allow http
ufw allow https
ufw allow ssh
```

Then enable Firewall/UFW:

```bash
ufw enable
```

check status:

```bash
ufw status
```

Output will be:

```bash
Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
244                        ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
244 (v6)
```

Finally, you can run Certbot and generate certificates.

#### 4\. Generate SSL

Since we're using Nginx plugin we can create certificate for DNS ***your.domain.com*** as:

```bash
certbot --nginx -d your.domain.com
```

Which will create certificate for the domain we are requesting, answer some questions for SSL. (email, agree terms, etc.) After that Let's Encrypt SSL certificate will be generated in ***/etc/nginx/sites-available/*** directory for your domain.

```bash
Output

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
```

The certificate is only valid for 90 days, we must renew the certificate every time it expires. Good thing is Certbot that has been installed already provides a service for updating scrips to cron-job (***/etc/cron.d/***).

```bash
systemctl status certbot.timer
```

Output will be:

```bash
● certbot.timer - Run certbot twice daily
   Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
   Active: active (waiting) since Thu 2021-12-23 00:56:59 UTC; 1 months 17 days ago
  Trigger: Wed 2022-02-09 23:47:10 UTC; 18h left
```

This command will run twice a day and will renew every 30 days from the expiration date.

Test the update and ensure the renewal process works:

```bash
certbot renew --dry-run
```

```bash
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/your.domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for your.domain.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/your.domain.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/your.domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for your.domain.com
Waiting for verification...
Cleaning up challenges
```

That's it.

If the automatic renewal fails, Certbot sends an error message to the email that was registered at the time of generating the certificate.

Explore more DevOps blogs of mine: [https://scanskill.com/profile/sagar](https://scanskill.com/profile/sagar)

Thank you!
