Setup Let’s Encrypt SSL on Ubuntu 20/18/16 LTS

Setup Let’s Encrypt SSL on Ubuntu

Let’s Encrypt is a free, automated certificate authority (CA) whose SSL / TLS certificates are trusted by browsers and suitable for production environments. This means you can secure your website with a valid certificate at no cost. The crucial point is that the certificate request must come from the server the domain actually points to: before issuing, Let’s Encrypt resolves the domain and completes a validation challenge against that server to confirm you control the name. This article walks through installing the Let’s Encrypt client (Certbot) on your Ubuntu system and obtaining a certificate for your domain, so that your website is served over HTTPS. This protects your users’ traffic, builds trust, and is expected by browsers and search engines. Setting up Let’s Encrypt SSL on Ubuntu is a short, well-defined procedure.

Prerequisites

Before proceeding with the installation and configuration of Let’s Encrypt, ensure you have the following:

  • A running Ubuntu server (versions 20.04, 18.04, or 16.04 LTS).
  • A registered domain name pointed to your Ubuntu server’s public IP address.
  • Root or sudo privileges on the Ubuntu server.
  • A web server (Apache or Nginx) already installed and configured to serve your website.

Step 1 – Installing Snapd

Snaps are a universal package manager compatible with major Linux distributions, including Ubuntu, Linux Mint, Debian, and Fedora. This makes installing Certbot, the Let’s Encrypt client, incredibly simple and consistent across different environments.

Snap comes pre-installed on Ubuntu 16.04 LTS and later. To confirm you have the most recent version of snapd, execute the following commands in your terminal:

$ sudo snap install core; sudo snap refresh core

This command first installs the core snap, which provides the underlying snap runtime, and then refreshes it to the latest version. This ensures you have a stable and up-to-date snap environment.

If you have previously installed Certbot using apt, it’s important to remove it to avoid conflicts. The snap version of Certbot is the recommended method.

$ sudo apt-get remove certbot

Similarly, if you installed Certbot using the certbot-auto script, delete it. This script is deprecated in favor of the snap package.

Step 2 – Installing Let’s Encrypt Client

With Snapd properly configured, installing the Let’s Encrypt client (Certbot) is a breeze. Use the following command in your terminal:

$ sudo snap install --classic certbot
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

The first command installs Certbot using the --classic confinement, granting it broader access to system resources, which is necessary for configuring web servers. The second command creates a symbolic link, making the certbot command available in your system’s PATH, allowing you to run it from any directory. This ensures that when you type certbot, the snap version is executed.

Step 3 – Getting an SSL Certificate

Let’s Encrypt automates the domain validation process, using challenges to verify your ownership of the domain. This process is secure and transparent. Once the Certificate Authority (CA) verifies your domain’s authenticity, an SSL certificate will be issued.

To request a certificate, use the following command, replacing example.com with your actual domain name:

$ sudo certbot certonly --standalone -d example.com -d www.example.com

This command tells Certbot to:

  • certonly: Obtain a certificate without automatically configuring a web server. This gives you more control over the configuration.
  • --standalone: Use Certbot’s built-in web server to answer the domain validation challenge. Certbot temporarily binds port 80 (or 443 for the TLS-ALPN challenge) to prove you control the domain, so that port must be free: stop Apache or Nginx while the request runs, or use --webroot -w /var/www/example.com instead, which places the challenge file in the running site’s document root.
  • -d example.com -d www.example.com: Specify the domain names for which you want to obtain a certificate. Include both the bare domain and the www subdomain.

During the certificate request process, Certbot will prompt you for an email address. This address is used for important notifications regarding certificate renewal and expiration. You’ll also be asked to agree to the Let’s Encrypt terms of service.

If the process is successful, Certbot will issue an SSL certificate and inform you of its location. It does not automatically create or modify VirtualHost configuration files. You will need to configure your webserver to use the certificates.

Step 4 – Checking SSL Certificate

Upon successful completion, Let’s Encrypt will issue the SSL certificate. You can verify its presence by navigating to the specified directory and listing the files:

$ cd /etc/letsencrypt/live/example.com
$ ls

This should produce the following output:

cert.pem
chain.pem
fullchain.pem
privkey.pem

Here’s a breakdown of these files:

  • cert.pem: The certificate for your domain.
  • chain.pem: The Let’s Encrypt intermediate certificate.
  • fullchain.pem: Combines cert.pem and chain.pem. This is the file you should typically use in your web server configuration.
  • privkey.pem: The private key for your certificate. Keep this file secure!

Step 5 – Configuring SSL VirtualHost

Now that you have the SSL certificate, you need to configure your web server (Nginx or Apache) to use it. Edit the virtual host configuration file for your website and add the appropriate entries.

Nginx:

Open your Nginx virtual host configuration file (e.g., /etc/nginx/sites-available/example.com) and add or modify the following lines within the server block:

# "ssl on;" is deprecated (removed in nginx 1.25); enable TLS on the listen directive instead
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Remember to replace /etc/nginx/sites-available/example.com with the actual path to your configuration file and example.com with your actual domain. After making these changes, test the configuration and restart Nginx (the test runs first so a typo cannot take the site down):

sudo nginx -t && sudo systemctl restart nginx
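The three directives above are the minimum; a real site also needs the port-80 listener to keep serving ACME challenges and redirect everything else, plus a protocol baseline. The following script is an added example, not code from the article or from Certbot: it renders a complete Nginx server pair for a domain and lints a vhost file for the deprecated "ssl on;" form and for a certificate path that omits the chain. It assumes Certbot’s default /etc/letsencrypt/live/<domain>/ layout and a site root of /var/www/<domain>; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original article): render a complete TLS
# server block for Nginx and lint it for the deprecated "ssl on;" form.
# Assumptions: certbot certificates live under /etc/letsencrypt/live/<domain>/,
# the site root is /var/www/<domain>, and the domain is passed as $1.

# Print a full Nginx vhost: a plain-HTTP listener that only serves ACME
# challenges and redirects everything else, plus the HTTPS listener.
render_nginx_tls_vhost() {
    domain="$1"
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain www.$domain;

    # Keep the ACME path reachable over HTTP so webroot renewals keep working.
    location /.well-known/acme-challenge/ {
        root /var/www/$domain;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $domain www.$domain;
    root /var/www/$domain;

    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Browsers will use HTTPS only for the next year; start with a short max-age while testing.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# Lint a vhost file: fail on the deprecated "ssl on;" directive, on a missing
# "listen ... 443 ssl" listener, and on cert.pem used instead of fullchain.pem
# (clients would not receive the intermediate certificate).
# Returns 0 when the file passes, 1 otherwise, printing each finding.
lint_nginx_tls_vhost() {
    file="$1"
    rc=0
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$file"; then
        echo "$file: 'ssl on;' is deprecated; use 'listen 443 ssl;' instead"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*listen[[:space:]]+.*443[[:space:]]+ssl' "$file"; then
        echo "$file: no 'listen 443 ssl' directive found"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+.*/cert\.pem' "$file"; then
        echo "$file: ssl_certificate points at cert.pem; use fullchain.pem"
        rc=1
    fi
    return $rc
}

# Usage on a server (then run 'sudo nginx -t' before reloading):
#   render_nginx_tls_vhost example.com > /etc/nginx/sites-available/example.com
#   lint_nginx_tls_vhost /etc/nginx/sites-available/example.com
```

The lint is deliberately a plain grep pass so it can run in CI or a deploy hook on any host, without needing nginx installed; nginx -t remains the authoritative syntax check on the server itself.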

Apache:

Open your Apache virtual host configuration file (e.g., /etc/apache2/sites-available/example.com-le-ssl.conf) and add or modify the following lines within the <VirtualHost *:443> block:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
# SSLCertificateChainFile is deprecated since Apache 2.4.8; the intermediate is already
# included in fullchain.pem above. Only on older Apache use cert.pem together with:
# SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

Again, replace /etc/apache2/sites-available/example.com-le-ssl.conf with the actual path to your configuration file and example.com with your actual domain. Also, ensure that you have enabled the SSL module for Apache:

sudo a2enmod ssl
sudo a2ensite example.com-le-ssl.conf
sudo systemctl restart apache2

Step 6 – SSL Auto Renew

Certbot automatically sets up a cron job or systemd timer to renew your certificates before they expire. This is a crucial feature, as Let’s Encrypt certificates are only valid for 90 days. Unless your setup changes, you won’t need to manually run Certbot again.

You can test the automatic certificate renewal process by running the following command:

$ sudo certbot renew --dry-run

This command simulates the renewal process without actually renewing the certificates. It allows you to identify any potential issues before they affect your website.

The certbot binary that the renewal job invokes is typically found in one of the following locations:

  • /usr/bin/certbot
  • /snap/bin/certbot

The automated renewal process is managed by a systemd timer or a cron job. You can check the status of the systemd timer using:

systemctl list-timers | grep certbot

Alternatively, you can check the cron jobs using:

crontab -l


Alternative Solutions for Setting up Let’s Encrypt SSL on Ubuntu

While the above method using Certbot and Snapd is a popular and convenient approach, there are alternative ways to achieve the same goal of securing your Ubuntu server with Let’s Encrypt SSL certificates. Here are two such alternatives:

1. Using the certbot package from apt with Web Server Plugins

Instead of using the certbot snap package, you can install certbot directly from the Ubuntu package repositories using apt. This approach integrates more closely with your web server (Apache or Nginx) through plugins.

Explanation:

This method relies on Certbot’s plugins that automatically configure your web server to use the obtained certificates. Certbot can read your web server’s configuration files and modify them to include the SSL settings. This simplifies the process compared to manually editing the virtual host files. This is another way of Setup Let’s Encrypt SSL on Ubuntu.

Steps:

  1. Install Certbot and the appropriate plugin:

    sudo apt update
    sudo apt install certbot python3-certbot-nginx # For Nginx
    # OR
    sudo apt install certbot python3-certbot-apache # For Apache
  2. Run Certbot with the web server plugin:

    sudo certbot --nginx # For Nginx
    # OR
    sudo certbot --apache # For Apache

    Certbot will automatically detect your web server configuration and guide you through the process. It will ask which domain you want to secure and handle the SSL configuration for you.

  3. Verify the Configuration:

    After Certbot completes, check your web server’s virtual host configuration files to ensure that the SSL settings are correctly configured.

  4. Auto-Renewal:

    The certbot package from apt also sets up automatic renewal using a systemd timer or cron job, similar to the snap package.

2. Using ACME.sh

ACME.sh is a pure Unix shell script implementing the ACME protocol (the protocol used by Let’s Encrypt). Beyond standard tools that are already present on most systems (a POSIX shell, curl or wget, and openssl) it has no dependencies such as Python, so it is lightweight and suitable for systems with limited resources.

Explanation:

ACME.sh is a shell script client for Let’s Encrypt. It obtains, renews, and installs certificates. It’s particularly useful when you want a minimal dependency footprint or when you have specific requirements for certificate management. This is also a valid process of Setup Let’s Encrypt SSL on Ubuntu.

Steps:

  1. Install ACME.sh:

    curl https://get.acme.sh | sh

    This command downloads and installs ACME.sh in your home directory (~/.acme.sh). You might need to log out and back in to activate the aliases.

  2. Issue the Certificate:

    acme.sh --issue -d example.com -d www.example.com --webroot /var/www/example.com

    Replace example.com and www.example.com with your actual domain names, and /var/www/example.com with the root directory of your website. ACME.sh will create the necessary challenge files in the specified webroot directory for Let’s Encrypt to verify your domain ownership.

  3. Install the Certificate:

    acme.sh --installcert -d example.com \
        --certpath      /etc/nginx/ssl/example.com.crt \
        --keypath       /etc/nginx/ssl/example.com.key \
        --fullchainpath /etc/nginx/ssl/example.com.fullchain.crt \
        --reloadcmd     "systemctl reload nginx"

    This command copies the certificate and key files to the specified locations (the trailing backslashes continue the single command across lines). Adapt the paths according to your web server configuration, and create the /etc/nginx/ssl/ directory if it doesn’t exist. ACME.sh remembers these paths and the --reloadcmd, so every automatic renewal re-installs the files and reloads Nginx without further intervention.

  4. Configure your Web Server:

    Manually configure your web server (Nginx or Apache) to use the installed certificates. Refer to the web server’s documentation for specific instructions.

  5. Auto-Renewal:

    ACME.sh automatically sets up a cron job for certificate renewal.

These alternative solutions offer different approaches to obtaining and managing Let’s Encrypt SSL certificates on Ubuntu, catering to various preferences and system requirements. Choose the method that best suits your needs and technical expertise. Whichever you pick, the goal of this article is the same: a straightforward setup of Let’s Encrypt SSL on Ubuntu.
