Let’s Encrypt is a free, automated, and open certificate authority managed by the nonprofit Internet Security Research Group (ISRG).
It provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. Let’s Encrypt certificates are valid for 90 days, after which they must be renewed.
Certbot, on the other hand, is a command-line utility for managing Let’s Encrypt SSL certificates on a Linux system. Certbot lets you request a new SSL certificate and automatically handles the domain authorization and the configuration of your web server. It also handles the manual or automatic renewal of certificates issued by the Let’s Encrypt certificate authority.
Steps to set up Let’s Encrypt
Step 1 – Install Certbot
$ sudo apt install certbot
On Ubuntu 20.04 you have the option of using the snap package manager that comes with the distro by default as follows:
$ sudo snap install --classic certbot
Step 2 – Generate SSL Certificate
You can now use Certbot to request the SSL certificate from Let’s Encrypt for your web server as follows.
$ sudo certbot --apache
$ sudo certbot --nginx
The above commands list all the domains and sub-domains configured as virtual hosts on your server, as a numbered list. Follow the on-screen instructions and enter the numbers of the domains/sub-domains you want the certificate to cover.
Certbot will then proceed to configure the server appropriately.
3. Other Web Servers – If your system runs a web server other than Apache or Nginx, Certbot can still obtain the certificate, but you will have to install it in the web server configuration yourself. The same certonly option also works with Apache and Nginx, which is useful when you have a custom configuration on your server that you do not want Certbot to modify.
$ sudo certbot certonly --webroot
$ sudo certbot certonly --apache   # obtain only, for a manually configured Apache
$ sudo certbot certonly --nginx    # obtain only, for a manually configured Nginx
Running the above command is similar to the automatic configuration process, except that this time Certbot only creates the certificate and prints the path where it has been stored on your file system. Take note of that location, since you will need it in your web server configuration.
4. No Web Server – You can also set up Let’s Encrypt even if you don’t have a web server, using the command below. It will ask you for the domain name, then start a temporary web server on port 80 to complete the verification and issue the certificate.
$ sudo certbot certonly --standalone
In all the above cases, the domain must resolve to the server and the server must be reachable over the Internet. During verification, Let’s Encrypt requests a file under the /.well-known/acme-challenge/ path on your domain, so that path must be served.
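The verification step above is the one that usually fails for a manually configured web server: the /.well-known/acme-challenge/ path is not served, or port 80 is not reachable. The following pre-flight script is an added example, not part of the original article or of Certbot itself. It places a token file where Certbot would, fetches it through the domain over plain HTTP the way the CA does, compares the content, and removes the file again. It assumes bash and curl; the domain and webroot path are supplied by the caller, and it deliberately does not follow redirects, so it is stricter than the CA's validator.

```bash
#!/usr/bin/env bash
# Added example, not from the original article or from Certbot.
# Pre-flight check for the webroot method: HTTP-01 validation serves a
# token file from <webroot>/.well-known/acme-challenge/ and the CA fetches
# it at http://<domain>/.well-known/acme-challenge/<token> on port 80.
set -eu

CHALLENGE_DIR=".well-known/acme-challenge"

# Create a random token file where Certbot would; prints the token name.
place_token() {
  local webroot="$1" token
  # 24 random bytes rendered as 48 hex characters
  token=$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')
  mkdir -p "$webroot/$CHALLENGE_DIR"
  printf '%s' "$token" >"$webroot/$CHALLENGE_DIR/$token"
  echo "$token"
}

# Plain HTTP fetch with no redirect following, so the check only passes when
# the path is served directly on port 80. Kept in its own function so it can
# be replaced when exercising the logic without a network.
fetch_url() {
  curl -fsS --max-time 10 "$1"
}

# Fetch the token through the domain, then remove the file whether or not
# the fetch worked. Returns 0 only if the served content matches the file.
verify_token() {
  local domain="$1" webroot="$2" token="$3"
  local got=""
  got=$(fetch_url "http://$domain/$CHALLENGE_DIR/$token") || true
  rm -f "$webroot/$CHALLENGE_DIR/$token"
  [ "$got" = "$token" ]
}

# Usage: ./acme-preflight.sh yourdomain.com /var/www/html
if [ $# -eq 2 ]; then
  token=$(place_token "$2")
  if verify_token "$1" "$2" "$token"; then
    echo "ok: http://$1/$CHALLENGE_DIR/ is served from $2"
  else
    echo "FAIL: token was not served; check port 80 and the web server config for that path" >&2
    exit 1
  fi
fi
```

Run it with the same domain and webroot you intend to pass to certbot certonly --webroot; a failure here will also fail as a Let's Encrypt validation, so it is cheaper to fix before hitting the CA's rate limits.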
Step 3 – Test SSL
Once the SSL certificate is installed on the web server, you can test it by visiting https://yourdomain.com/ in a web browser and looking for the lock icon in the address bar. You can also run a security scan of the SSL setup at https://www.ssllabs.com/ssltest/, which performs a comprehensive audit of your Let’s Encrypt certificate and TLS configuration. This is recommended especially if you set up your certificate manually, as in the Other Web Servers option above.
How to Renew Let’s Encrypt SSL Certificate
Let’s Encrypt certificates are issued for 3 months only. Usually, with Certbot, the certificates auto-renew, so you will not have to do anything going forward. Where you need to renew them manually, such as when you used one of the manual options for your setup, Certbot provides a way to renew the SSL certificate by hand.
With Let’s Encrypt you can renew your certificate at any time within 30 days of expiry. You can do so by running the following command:
$ sudo certbot renew
This command will renew any certificates on your Linux system that are within 30 days of expiry.
You can also do a mock renewal just to make sure all is well before doing the actual renewal by running the following command:
$ sudo certbot renew --dry-run
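Checking the served certificate from the command line, in addition to the browser and SSL Labs checks in Step 3, lets you confirm what is actually presented to clients and whether the certificate is inside the 30-day renewal window described above. The script below is an added example, not part of the original article or of Certbot itself. It assumes bash, OpenSSL and GNU coreutils date; the domain and port are supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example, not from the original article or from Certbot.
# Reports issuer, chain verification result and days until expiry for the
# certificate a host serves, and classifies it against the 30-day window.
set -eu

RENEW_WINDOW_DAYS=30

# Whole days between "now" and an OpenSSL "notAfter=<date>" line.
# The optional second argument (epoch seconds) overrides "now" so the
# arithmetic can be exercised without a network connection.
days_until_expiry() {
  local not_after_line="$1" now="${2:-$(date +%s)}"
  local stamp="${not_after_line#notAfter=}"
  local exp diff
  exp=$(date -u -d "$stamp" +%s)   # GNU date parses OpenSSL's date format
  diff=$(( exp - now ))
  if [ "$diff" -ge 0 ]; then
    echo $(( diff / 86400 ))
  else
    # round toward negative infinity so a certificate expired by an hour reports -1
    echo $(( -((-diff + 86399) / 86400) ))
  fi
}

# ok: outside the renewal window; renew: within 30 days; expired: past notAfter.
renewal_status() {
  local days="$1"
  if [ "$days" -lt 0 ]; then
    echo expired
  elif [ "$days" -le "$RENEW_WINDOW_DAYS" ]; then
    echo renew
  else
    echo ok
  fi
}

# Connect with SNI, let OpenSSL verify the chain and hostname against the
# system trust store, and print a one-line report for the leaf certificate.
check_served_cert() {
  local domain="$1" port="${2:-443}"
  local output pem verify issuer not_after days
  output=$(openssl s_client -servername "$domain" -verify_hostname "$domain" \
             -connect "$domain:$port" </dev/null 2>/dev/null)
  pem=$(printf '%s\n' "$output" | openssl x509)
  verify=$(printf '%s\n' "$output" | grep 'Verify return code' | head -n 1)
  issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
  not_after=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)
  days=$(days_until_expiry "$not_after")
  printf '%s: %s | %s | expires in %d days -> %s\n' \
    "$domain" "$issuer" "$verify" "$days" "$(renewal_status "$days")"
}

# Usage: ./check-cert.sh yourdomain.com [port]
if [ $# -ge 1 ]; then
  check_served_cert "$@"
fi
```

A "Verify return code: 0 (ok)" with a Let's Encrypt issuer and a status of ok is what a healthy installation looks like; a renew status on a host where certbot renew is supposed to run automatically is worth investigating before the certificate actually expires.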
That’s all! You should now be able to install Certbot on Ubuntu 20.04 or older systems, as well as set up Let’s Encrypt SSL certificates as needed.