SSL / TLS
Obtain and auto-renew free SSL certificates from Let’s Encrypt using Certbot.
Install Certbot
# Ubuntu with NGINX
sudo apt install -y certbot python3-certbot-nginx
# Ubuntu with Apache
sudo apt install -y certbot python3-certbot-apache
# Or use snap (always latest version)
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Issue a Certificate
# NGINX — auto-configure HTTPS
sudo certbot --nginx -d example.com -d www.example.com
# Apache — auto-configure HTTPS
sudo certbot --apache -d example.com -d www.example.com
# Standalone (no web server running)
sudo certbot certonly --standalone -d example.com
# Webroot (web server must be running)
sudo certbot certonly --webroot -w /var/www/html -d example.com
Wildcard Certificates
Wildcard certificates (*.example.com) can only be issued via the DNS-01 challenge, so you need control of the domain's DNS records. With --manual you add the TXT record by hand and renewal is not automatic unless you supply --manual-auth-hook; for unattended renewal use a Certbot DNS plugin with API access to your DNS provider.
sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d "example.com"
# Certbot will prompt you to add a TXT record:
# _acme-challenge.example.com TXT "VERIFICATION_VALUE"
Auto-Renewal
# Certbot installs a systemd timer automatically. Verify it's active:
sudo systemctl status certbot.timer
# Test renewal without actually renewing
sudo certbot renew --dry-run
# Force renewal (use sparingly: each issuance counts against Let's Encrypt rate limits)
sudo certbot renew --force-renewal
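The --nginx and --apache plugins reload the web server after renewal, but `certbot certonly` (standalone or webroot) only writes the files, so NGINX keeps serving the old certificate until it is reloaded. The deploy hook below is an added example, not part of Certbot or this page: Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal with RENEWED_LINEAGE and RENEWED_DOMAINS exported; SITE_DOMAIN and the script name reload-nginx.sh are assumptions.

```shell
#!/bin/sh
# Certbot deploy hook. Install as /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
# (chmod 755). Certbot runs it once after each successful renewal and exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and RENEWED_DOMAINS
# (space-separated). SITE_DOMAIN is an assumed value for the vhost on this host.
set -eu
SITE_DOMAIN="${SITE_DOMAIN:-example.com}"

# Return 0 if any renewed domain ($1, space-separated) equals $2, so a host with
# several lineages only reloads for the certificate NGINX actually uses.
lineage_matches() {
    for d in $1; do
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# Return 0 if the certificate in $1 expires within $2 days. openssl's -checkend
# exits 0 when the cert is still valid after that many seconds, so invert it.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

main() {
    [ -n "${RENEWED_LINEAGE:-}" ] || { echo "not invoked by certbot" >&2; exit 1; }
    if ! lineage_matches "${RENEWED_DOMAINS:-}" "$SITE_DOMAIN"; then
        echo "renewed '${RENEWED_DOMAINS:-}', not $SITE_DOMAIN: nothing to reload"
        exit 0
    fi
    cert="$RENEWED_LINEAGE/fullchain.pem"
    # A freshly renewed cert should be ~90 days from expiry; anything close to
    # expiry means the wrong file was written, so stop rather than serve it.
    if expires_within "$cert" 7; then
        echo "$cert expires within 7 days after renewal; refusing to reload" >&2
        exit 1
    fi
    # Validate the config first: reloading into a broken config takes the site down.
    if ! nginx -t; then
        echo "nginx config test failed; new certificate written but not loaded" >&2
        exit 1
    fi
    systemctl reload nginx
    echo "reloaded nginx with renewed certificate for $SITE_DOMAIN"
}

# Only run main when executed as the hook, not when sourced for testing.
if [ "${0##*/}" = "reload-nginx.sh" ]; then
    main
fi
```

Test it before relying on it with `sudo certbot renew --dry-run --run-deploy-hooks`, which invokes deploy hooks against the staging certificate.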
Certificate File Locations
# Certificates are stored in:
/etc/letsencrypt/live/example.com/
# Key files:
cert.pem # domain certificate
privkey.pem # private key (Certbot keeps it root-only; never copy it to a world-readable path)
chain.pem # intermediate CA chain
fullchain.pem # cert + chain (use this in most configs)
NGINX SSL Configuration
server {
    listen 443 ssl http2;   # on NGINX 1.25.1+ drop http2 here and use a separate "http2 on;" directive
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}