Using Letsencrypt SSL Certificates

This post is a short summary about how to configure certbot to automatically retrieve and renew SSL certificates for your domains from LetsEncrypt. The commands apply to the current Ubuntu version 20.04.

Install Certbot

First, install certbot, which handles retrieving and renewing certificates for you:

sudo apt install certbot

Use Certbot to Get Certificates

Now you (in fact certbot) must prove to LetsEncrypt, that you really own the domain for which you apply a certificate. This is done by placing a file with some secret content into the web root directory of your domain. The procedure is like this:

  1. certbot connects to LetsEncrypt and applies for a new certificate.
  2. LetsEncrypt sends back some random data.
  3. certbot puts the random data into a file in the web root directory of your webserver.
  4. LetsEncrypt makes a web request to your domain and the file in the web root directory.
  5. If LetsEncrypt can retrieve the file and the random data it will issue the certificate including the private key and send it back to certbot

So to request a new certificate, run the following command:

sudo certbot certonly \
    --webroot --webroot-path /var/www/html \
    --agree-tos \

This command manually specifies the web root directory (here /var/www/html). There are other methods available for certbot to automatically configure Apache. But as my Apache configuration is a bit customized, I like more to update the configuration manually.

When installing certbot, it will automatically set up a cron job to regularly renew all certificates for you. You can find it in /etc/cron.d/certbot.

Configure Apache

After certbot was successful, it will store the certificates under /etc/letsencrypt/live/DOMAIN/. So to configure a virtual host, you add the following lines to refer to the certificate files:

SSLCertificateFile      /etc/letsencrypt/live/DOMAIN/cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/DOMAIN/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/DOMAIN/fullchain.pem

You will need to add more lines to activate and configure SSL for apache correctly, but that will go into another post...

LinkedIn logo mail logo