Let's Encrypt
On Ubuntu, install Let's Encrypt:
sudo apt install letsencrypt
Along with the "letsencrypt" package, this command also installs "certbot.timer", a systemd timer for automatic certificate renewal. It checks the validity of the SSL certificates on the system twice a day and renews those that expire within the next 30 days. To make sure that it is running, enter:
sudo systemctl status certbot.timer
Certbot can automatically install the certificate on nginx and Apache web servers. To do this, install the additional plugin package that matches your web server:
sudo apt install python3-certbot-nginx
sudo apt install python3-certbot-apache
Run this command for nginx to obtain the SSL certificate.
Replace domain-name.com with your own domain name.
sudo certbot --nginx --agree-tos --preferred-challenges http -d domain-name.com
If your nginx config file has not been created yet, you can run a standalone install and add the certificate file path to the site-specific config file later:
sudo certbot certonly --standalone -d domain-name.com
Let's Encrypt certificate renewal - HTTPS for your web server / service domain
sudo certbot renew
Or, using the nginx plugin:
sudo certbot renew --nginx
If you receive an error message about port 80 being busy, you need to stop the web server (nginx or Apache) before renewing the certificate. Do not forget to restart the server after the certificate is successfully renewed.
sudo service nginx stop
If you have multiple certificates for different domains and you want to renew a specific certificate, use the command below. The --force-renew flag tells Certbot to request a new certificate with the same domains as an existing certificate. The -d flag allows you to renew certificates for multiple specific domains.
sudo certbot certonly --force-renew -d example.com
To check that renewal works, run a dry run, which tests the renewal process without saving any certificates:
sudo certbot renew --dry-run
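To see the expiry date of a certificate that is actually on disk, the script below (an added example, not part of the original page) reads notAfter from a certificate file and reports whether it falls inside the 30-day renewal window mentioned above. It assumes openssl and GNU date are installed; the script name cert-status.sh and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Assumes openssl and GNU date.
RENEW_WINDOW_DAYS=30   # certbot.timer renews certificates inside this window

# seconds_left PEM_FILE [NOW_EPOCH]: seconds until the certificate's notAfter.
# NOW_EPOCH defaults to the current time; pass it to ask "what about in N days?"
seconds_left() {
    local pem="$1" now="${2:-$(date +%s)}" end end_epoch
    end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) || return 2
    end_epoch=$(date -u -d "${end#notAfter=}" +%s) || return 2
    echo $(( end_epoch - now ))
}

# cert_status PEM_FILE [NOW_EPOCH]: prints OK, RENEW_DUE, EXPIRED or UNREADABLE.
cert_status() {
    local left
    left=$(seconds_left "$@") || { echo "UNREADABLE"; return 2; }
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$left" -le $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        echo "RENEW_DUE"
    else
        echo "OK"
    fi
}

# Report every certificate file given on the command line, e.g.
#   sudo ./cert-status.sh /etc/letsencrypt/live/domain-name.com/fullchain.pem
for pem in "$@"; do
    printf '%s: %s\n' "$pem" "$(cert_status "$pem")"
done
```

A certificate that still reports RENEW_DUE after a renewal run means the renewal did not replace the file you are serving.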
If you do not want to stop the nginx service (as it will take down your websites), or port 80 still does not become free, use this alternate method with the command below:
sudo certbot certonly --manual --preferred-challenges dns -d example.com
The terminal will provide a TXT DNS record which you need to add in your DNS provider account, e.g. Cloudflare. Create a new TXT record with _acme-challenge.xxxxx as the NAME field and a secret string as the CONTENT. Ensure that TTL is set to Auto for quick DNS propagation.
Then return to the terminal and press Enter. Certbot will perform the necessary verification and renew the certificate. The process for a new certificate is the same, except that Certbot may ask for an email address and answers to certain questions.