Let’s Encrypt: Get Free SSL Certificate Using Certbot

Let’s Encrypt: Get Free SSL Certificate Using Certbot

Step by step tutorial on how to use the Let’s Encrypt certbot to get a free SSL certificate and how to automatically renew it.

Above all Let’s Encrypt is open-source and it is completely free. It allows anyone to install a trusted SSL certificate on their website and benefit from the enhanced security an encrypted connection provides. Unlike a self-signed SSL certificate, a Let’s Encrypt certificate is recognized as fully verified and displays the padlock icon in the address bar of modern web browsers.

How Let’s Encrypt Works

Before issuing a certificate, Let’s Encrypt validates ownership of your domain. The Let’s Encrypt client, running on your host, creates a temporary file (a token) with the required information in it. The validation server then makes an HTTP request to retrieve the file and validates the token, which verifies that the DNS record for your domain resolves to the server running the Let’s Encrypt client. Therefore the commands shown below must be executed on the server that will serve your domain for which you are issuing the certificate.

1. Installing certbot

Let’s Encrypt has an automated installer called certbot. The first step to using Let’s Encrypt to obtain an SSL certificate is to install it on your server.


sudo apt install certbot python3-certbot-nginx


sudo apt install certbot


sudo yum install epel-release
sudo yum install certbot-nginx

2. Obtaining Let’s Encrypt Certificates

Important! Before issuing a Let’s Encrypt free SSL certificate you must stop your webserver service. Otherwise, you will get the following error:

Problem binding to port 80: Could not bind to IPv4 or IPv6

If you use Nginx, execute:

sudo systemctl stop nginx

Now we can move on to the generation of the Let’s Encrypt free SSL certificate:

sudo certbot certonly --standalone --preferred-challenges http -d my-domain.com

-d option takes a domain name. You can use multiple -d options in the single command. For example:

sudo certbot certonly --standalone --preferred-challenges http -d my-domain.com -d www.my-domain.com 

If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.

If that’s successful, certbot will wrap up with a message telling you the process was successful and where your certificates are stored.

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/my-domain.com/fullchain.pem. Your cert will
   expire on 2022-08-08. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew all of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le 

3. Verify Certificates

List your certs saved in /etc/letsencrypt/live/my-domain.com directory.

ls -l /etc/letsencrypt/live/my-domain.com/
total 4
-rw-r--r-- 1 root root 692 Mar  10 08:24 README
lrwxrwxrwx 1 root root  37 Mar  10 08:24 cert.pem -> ../../archive/my-domain.com/cert1.pem
lrwxrwxrwx 1 root root  38 Mar  10 08:24 chain.pem -> ../../archive/my-domain.com/chain1.pem
lrwxrwxrwx 1 root root  42 Mar  10 08:24 fullchain.pem -> ../../archive/my-domain.com/fullchain1.pem
lrwxrwxrwx 1 root root  40 Mar  10 08:24 privkey.pem -> ../../archive/my-domain.com/privkey1.pem

4. Modify the Web Server Configuration

In order for your webserver to use the Let’s Encrypt free SSL certificate, you need to specify them in its configuration. For example, if you use Nginx, you need to add the following block to your domain configuration file /etc/nginx/sites-enabled/my-domain.conf

server {
    listen 443;
    server_name my-domain.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/my-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-domain.com/privkey.pem;

That’s it. All things are set and done. Now you only need to start your webserver:

sudo systemctl start nginx

Finally, you can check that your website is now SSL protected. Just open the website in the browser and check if the padlock icon is available.

Lets Encrypt: A Valid Free SSL Certificate

5. Automatically Renew the Let’s Encrypt Certificates

The certificates are valid for 90 days. They can be renewed 30 days before they expire. Here we add a cron job which will automatically renew them.

So first open the crontab file:

sudo crontab -e

after that add the certbot command to run weekly:

@weekly certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" --renew-hook "systemctl reload nginx" --quiet 


In this tutorial, we saw how to install a free SSL certificate from Let’s Encrypt in order to secure a website. In addition, you can check the official Let’s Encrypt website for more information and details.

One comment

Leave a Reply

Your email address will not be published.

  1. if a nexcloud is installed with lamp stack there might be some issues between apache2 and nginx ? how do I install in this case a certificate from Lets encrypt on a apache Webserver?
    regards stefan