Let’s Encrypt is a free, automated, and open certificate authority (CA). Let’s Encrypt offers free 90-day SSL certificates.
Let’s Encrypt provides two types of certificates: the standard single-domain SSL certificate and the Wildcard SSL certificate, which covers not only a single domain but all of its subdomains too.
In this tutorial, we will use Certbot, a free, open-source software tool, to automatically issue the Let’s Encrypt SSL certificate, and then verify that the certificate is set up to renew automatically.
Step 1: Update Operating System
Update your Ubuntu 22.04 operating system to make sure all existing packages are up to date:
$ sudo apt update && sudo apt upgrade -y
Step 2: Install Apache on Ubuntu 22.04
You can install Apache via the apt package manager by executing the following command.
$ sudo apt install apache2
You can start the Apache service and configure it to run on startup by entering the following commands:
$ sudo systemctl start apache2
$ sudo systemctl enable apache2
Verify the status of the Apache service using the systemctl status command:
$ sudo systemctl status apache2
Output:
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running)
Docs: https://httpd.apache.org/docs/2.4/
Process: 3170 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 3174 (apache2)
Tasks: 12 (limit: 2200)
Memory: 246.8M
CPU: 18.104s
CGroup: /system.slice/apache2.service
├─3174 /usr/sbin/apache2 -k start
├─3175 /usr/sbin/apache2 -k start
├─3176 /usr/sbin/apache2 -k start
Step 3: Install Certbot on Ubuntu 22.04
Now we install the Certbot client which is used to create Let’s Encrypt certificates:
$ sudo apt install certbot python3-certbot-apache
To verify the Certbot installation run:
$ certbot --version
Output:
certbot 1.21.0
Step 4: Configure Apache Web Server
Navigate to the /etc/apache2/sites-available directory and run the following command to create a configuration file for your installation:
$ sudo nano /etc/apache2/sites-available/your-domain.conf
Add the following content:
<VirtualHost *:80>
ServerAdmin webmaster@your-domain.com
ServerName your-domain.com
ServerAlias www.your-domain.com
DocumentRoot /var/www/html/
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/your-domain.com_error.log
CustomLog ${APACHE_LOG_DIR}/your-domain.com_access.log combined
</VirtualHost>
Save the file and exit.
Enable the Apache virtual host:
$ sudo a2ensite your-domain.conf
After that, restart the Apache web server.
$ sudo systemctl restart apache2
Step 5: Get the Let’s Encrypt SSL certificate
To get the SSL certificate using Certbot, type the command given below:
$ sudo certbot --apache
You will be asked to provide a valid email address and accept the terms of service:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Next, you’ll be asked if you want to share your email with the Electronic Frontier Foundation to receive news and other information. If you do not want to subscribe to their content, write N.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Next, you will be asked to select the domain on which you want to install the Let’s Encrypt SSL:
Account registered.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your-domain.com
2: www.your-domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
If the SSL certificate is successfully obtained, certbot displays a message to show the configuration was successful:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your-domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your-domain.com/privkey.pem
Your cert will expire on 2023-03-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Now, you have successfully installed SSL on your website.
You can now open your website using https:// and you’ll notice a green lock icon.
Step 6: Verifying Certbot Auto-Renewal
Let’s Encrypt certificates are valid for only ninety days. Installing Certbot will create a cron job to renew any SSL certificate. You can run the following command to check the status of the renewal timer.
$ sudo systemctl status certbot.timer
Output:
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Thu 2022-12-22 16:20:05 CDT;
Trigger: Fri 2022-12-23 06:29:34 CST; 14h left
Triggers: ● certbot.service
Optionally, you can test the renewal process using the following command. The --dry-run flag is for simulation:
$ sudo certbot renew --dry-run --agree-tos
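An active timer and a clean dry run show that renewal is scheduled, not that it keeps succeeding. The script below is an added example, not part of the original tutorial or of Certbot: it flags any certificate under a Certbot live directory that is closer to expiry than it should ever get. The function names, the file name check-renewal.sh and the 21-day threshold are assumptions; Certbot by default renews once fewer than 30 days remain, so a certificate with under 21 days left means renewals have been failing.

```shell
#!/bin/sh
# Added example: detect Let's Encrypt certificates whose automatic renewal
# appears to have stopped. Function names and threshold are illustrative.

# cert_expiring FILE DAYS
# Returns 0 if FILE expires within DAYS days (or cannot be read/parsed),
# 1 if it is still valid beyond that window.
cert_expiring() {
    # "openssl x509 -checkend N" exits 0 only when the certificate is still
    # valid N seconds from now. Any other outcome (expiring, unreadable,
    # openssl missing) is treated as a problem, so the check fails safe.
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# audit_live_dir DIR DAYS
# Walks DIR/<name>/cert.pem (the layout of /etc/letsencrypt/live), prints one
# line per certificate, and returns 1 if any of them is inside the window.
audit_live_dir() {
    live_dir=$1 days=$2 overdue=0
    for cert in "$live_dir"/*/cert.pem; do
        [ -e "$cert" ] || continue          # glob matched nothing
        name=$(basename "$(dirname "$cert")")
        if cert_expiring "$cert" "$days"; then
            end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null)
            echo "RENEWAL OVERDUE: $name (${end:-unreadable})"
            overdue=1
        else
            echo "ok: $name"
        fi
    done
    return "$overdue"
}

# Run only when a directory is given, e.g.:
#   sudo sh check-renewal.sh /etc/letsencrypt/live 21
if [ "$#" -ge 1 ]; then
    audit_live_dir "$1" "${2:-21}"
fi
```

Run it as root, because /etc/letsencrypt/live is readable only by root; a non-zero exit status can drive an alert from cron or a monitoring agent.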
Step 7: Revoking certificates
If you wish to remove a certificate from your server, it can be revoked using a subcommand of the Let’s Encrypt client. The command below revokes a particular certificate.
$ sudo certbot revoke --cert-path /etc/letsencrypt/live/your-domain.com/cert.pem
Note: Replace your-domain.com with the domain whose certificate you wish to revoke.
The process does not give a confirmation upon completion, but if you perform it again you will get a message that the certificate has already been revoked.
Comments and Conclusion
Congratulations! You have successfully installed the Let’s Encrypt SSL certificate on your domain.
If you have any questions or feedback, feel free to leave a comment.