4.3.12. Installing an SSL certificate from Let's encrypt using Certbot

One of the easiest ways to obtain a certificate from Let's encrypt is to use Certbot, which provides the ability to automatically pass verification and obtain the required certificate.

Installing Certbot

There are several ways to install Certbot:

The method is suitable for the following OS:
  • Fedora
  • Debian
  • Ubuntu
  • CentOS
  • ArchLinux
  • OpenSUSE

Information on other operating systems is available at official website.

  1. Connect to the server via SSH.
  2. Install Snap if it is not installed on the server:
    • Ubuntu and Debian:
      sudo apt update; sudo apt install snapd
    • Fedora and CentOS:
      sudo dnf install snapd
      • For older versions use eqnt yum insteadof dnf:
        sudo yum install snapd
  3. Install the main Snap packages:
    sudo snap install core; sudo snap refresh core
  4. Install Certbot:
    sudo snap install --classic certbot
  5. Create a symbolic link to call Certbot more conveniently:
    sudo ln -s /snap/bin/certbot /usr/bin/certbot
  1. Connect to the server via SSH.
  2. Install Python if it is not installed on the server:
    • Ubuntu and Debian:
      sudo apt update; sudo apt install python3 python3-venv libaugeas0
    • Fedora and CentOS:
      sudo dnf install python3 augeas-libs
  3. Create a virtual environment:
    sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
  4. Install Certbot:
    sudo /opt/certbot/bin/pip install certbot certbot-nginx
  5. Create a symbolic link to call Certbot more conveniently:
    sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
  6. Add a cron task to automatically issue a certificate:
    echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo renew -q" | sudo tee -a /etc/crontab > /dev/null

Obtaining a certificate

Important points:

  • You can only get a certificate for a working domain whose address records are correctly directed to the server. Get a certificate for an IP without a domain impossible.
  • Certbot requests certificates from Let's encrypt, which has its own restrictions.
  • To obtain a certificate, Certbot creates temporary files in subdirectories inside the site directories .well-known/acme-challengewhich is then polled by Let's encrypt.
  • Installing the certificate temporarily stops the web server.
  • Installing certificates for Apache and nginx web servers is completely automatic. The domains configured in the web server configuration files are used for installation. Make sure the configuration files are set up correctly.

There are two ways to get a certificate:

  • Obtaining a certificate and making changes to the web server configuration. To obtain the certificate, run the following command, in which instead of webservice specify your web server (for example, apache or nginx):
    sudo certbot --webservice
  • Obtaining a certificate without making changes to the web server configuration. To obtain the certificate, run the following command, in which instead of webservice specify your web server (for example, apache or nginx):
    sudo certbot certonly --webservice

If changes to the web server configuration were made manually or you need to check the correctness of the auto-renewal, run the following command: 

sudo certbot renew --dry-run
Content