Let's Encrypt is an automated, open certificate authority that offers free TLS/SSL certificates for the public's benefit. The service is provided by the Internet Security Research Group (ISRG). This tutorial shows how to install a Let's Encrypt SSL certificate on an Ubuntu 20.04 server with either Apache or Nginx using the Certbot installation wizard. After completing this tutorial, the server will have a valid certificate and redirect all HTTP requests to HTTPS.
This tutorial assumes that you have deployed a Vultr Ubuntu server with Apache or Nginx, have a domain name pointing to your server IP address, and you are logged in as root.
The recommended installation method for Certbot is with Snap.
Verify snapd is up to date.
$ sudo snap install core; sudo snap refresh core
Remove certbot-auto
and any Certbot OS packages.
$ sudo apt-get remove certbot
Install Certbot with Snap.
$ sudo snap install --classic certbot
Link Certbot to /usr/bin
.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Run certbot
to install the certificate. Full examples are below, here are descriptions of the command line options:
--apache: Use the Apache web server
--nginx: Use the nginx web server
--redirect: Redirect all HTTP requests to HTTPS.
-d example.com -d www.example.com: Install a multiple domain (SAN) certificate. You may use up to 100 -d domain entries.
-m admin@example.com: The notification email address for this certificate.
--agree-tos: Agree to the terms of service.
Use certbot --help
for more information. See the Certbot FAQ for more information about SAN certificates.
Run Certbot for Apache.
# certbot --apache --redirect -d example.com -d www.example.com -m admin@example.com --agree-tos
Before running Certbot, make sure server_name is set properly. Edit your Nginx configuration:
# nano /etc/nginx/conf.d/default.conf
Update server_name to include your domain name.
server {
server_name example.com www.example.com;
Save and exit the file.
Run Certbot for Nginx.
# certbot --nginx --redirect -d example.com -d www.example.com -m admin@example.com --agree-tos
Let's Encrypt certificates are valid for 90 days. The Certbot wizard updates the systemd timers and crontab to automatically renew your certificate.
Verify the timer is active.
# systemctl list-timers | grep 'certbot\|ACTIVATES'
Verify the crontab entry exists.
# ls -l /etc/cron.d/certbot
Verify the renewal process works with a dry run.
# certbot renew --dry-run
Installing a free Let's Encrypt certificate is simple with Certbot. For more information, see the official Certbot installation documentation.