Skip to main content

Lets's Encrypt

For Ubuntu, install let's encrypt

sudo apt install letsencrypt

Along with the "Let's Encrypt" package, this command also installs the "certbot.timer" utility for automatic certificate renewal. It checks the validity of SSL certificates in the system twice a day and extends those that expire in the next 30 days. To make sure that it is running, enter

sudo systemctl status certbot.timer

Certbot can automatically install the certificate on nginx and Apache web servers. To do this, you need to install an additional package and choose the appropriate one for your web server.

apt install python3-certbot-nginx
apt install python3-certbot-apache

Run this command for nginx to obtain the SSL certificate

Replace domain-name.com with your own domain name

sudo certbot --nginx --agree-tos --preferred-challenges http -d domain-name.com

In case your nginx config file is not created, you can run standalone install and add the file path to the site specific config file latter

sudo certbot certonly --standalone -d domain-name.com

Let's encrypt certificate renewal - HTTPS for your web server / service domain

sudo certbot renew

OR using NGINX plugin

sudo certbot renew --nginx

If you receive error message about port 80 being busy then you need to stop the web server (nginx or apache) before renewing the certificate. Do not forget ot restart the server after certificate is successfully renewed.

sudo service nginx stop

If you have multiple certificates for different domains and you want to renew a specific certificate, use. The --force-renew flag tells Certbot to request a new certificate with the same domains as an existing certificate. The -d flag allows you renew certificates for multiple specific domains.

certbot certonly --force-renew -d example.com

To verify that the certificate renewed, run

sudo certbot renew --dry-run

If you do not want to stop the nginx service (as it will take down your websites) or the port 80 is still not getting free use this alternate method. Use the below command

sudo certbot certonly --manual --preferred-challenges dns -d example.com

The terminal will provide as TXT dns record which you need to update in your DNS provider account, e.g. Cloudflare. Create a new TXT record with _acme-challenge.xxxxx as the NAME field anda sceret string as the CONTENT. Ensure that TTL is set to Auto for quick dns propogation.

Then return to the terminal and press enter. Certbot will perform the necessary verification and renew the certificate. The process for new certificate is also the same, only that the certbot may ask for email address and answers to certain questions