This post is a short summary about how to configure certbot to automatically retrieve and renew SSL certificates for your domains from LetsEncrypt. The commands apply to the current Ubuntu version 20.04.
certbot, which handles retrieving and renewing certificates for
sudo apt install certbot
Use Certbot to Get Certificates
Now you (in fact
certbot) must prove to LetsEncrypt that you really own the
domain for which you are requesting a certificate. This is done by placing a file with
some secret content into the web root directory of your domain. The procedure is:
- certbot connects to LetsEncrypt and applies for a new certificate.
- LetsEncrypt sends back some random data.
- certbot puts the random data into a file in the web root directory of your webserver.
- LetsEncrypt makes a web request to your domain for the file in the web root directory.
- If LetsEncrypt can retrieve the file and the random data, it will issue the
certificate including the private key and send it back to
So to request a new certificate, run the following command:
sudo certbot certonly \
  --webroot --webroot-path /var/www/html \
  --agree-tos \
  -m E-MAIL_ADDRESS -d DOMAIN ...
This command manually specifies the web root directory (here
/var/www/html). There are other methods available for
automatically configure Apache. But as my Apache configuration is a bit
customized, I prefer to update the configuration manually.
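The validation steps listed above, sketched as an added Python example (not code from the original post or from certbot). It goes slightly beyond the post: per RFC 8555 the challenge file holds the CA's token plus a thumbprint of the client's account key, and the CA's HTTP request is replaced here by a local file read; the account keys and function names are constructed for illustration.

```python
import base64, hashlib, json, secrets, tempfile
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"  # fixed HTTP-01 path (RFC 8555, 8.3)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required RSA members, keys sorted, no whitespace.
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    # File content = token + "." + thumbprint of the requesting account's key.
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def client_place_challenge(webroot: Path, token: str, account_jwk: dict) -> Path:
    # Client side: the step the webroot method performs inside --webroot-path.
    path = webroot / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authorization(token, account_jwk))
    return path

def ca_validate(webroot: Path, token: str, account_jwk: dict) -> bool:
    # CA side: the file read stands in for GET http://DOMAIN/<CHALLENGE_DIR>/<token>.
    path = webroot / CHALLENGE_DIR / token
    if not path.is_file():
        return False  # web server does not serve the file: validation fails
    expected = key_authorization(token, account_jwk)
    return secrets.compare_digest(path.read_text().strip(), expected)

def run_demo() -> dict:
    # Constructed account keys; the modulus strings are placeholders, not real keys.
    account = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-A"}
    other = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-B"}
    token = b64url(secrets.token_bytes(32))  # the CA's random data
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        return {
            "before_file_exists": ca_validate(webroot, token, account),
            "file": str(client_place_challenge(webroot, token, account).relative_to(webroot)),
            "after_file_exists": ca_validate(webroot, token, account),
            "other_account": ca_validate(webroot, token, other),
        }

if __name__ == "__main__":
    print(run_demo())
```

Because the thumbprint ties the file to one account key, a challenge file placed for one account does not validate a request made under another, as the `other_account` result shows.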
certbot, it will automatically set up a cron job to regularly
renew all certificates for you. You can find it in
certbot was successful, it will store the certificates under
/etc/letsencrypt/live/DOMAIN/. So to configure a virtual host, you add the
following lines to refer to the certificate files:
SSLCertificateFile /etc/letsencrypt/live/DOMAIN/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN/privkey.pem
# chain.pem holds only the intermediate certificates; fullchain.pem would repeat cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/DOMAIN/chain.pem
You will need to add more lines to activate and configure SSL for Apache correctly, but that will go into another post...