Some notes and thoughts on how to install Let’s Encrypt on an Ubuntu 22.04 server.
If you’ve read my previous article and installed WordPress on an Ubuntu server, you now need this article to ensure a secure connection on your site.
If you’ve come this far, you probably already know what Let’s Encrypt is and you’ve simply come to get your free SSL certificate. That’s why I won’t drown you in details and empty stories about what Let’s Encrypt is.
Well, welcome to another helpful tutorial that I’ve written down here so that I too have a permanent reminder.
So you need an Ubuntu server, SSH access to the server, and some basic server knowledge or an excellent ability to follow instructions.
Install Certbot on Ubuntu server
To get an SSL certificate and renew it with Let’s Encrypt, you need to install Certbot from the official Ubuntu repository.
First update:
apt update
Now install two packages: certbot and python3-certbot-apache (which integrates Certbot with Apache and automates obtaining a certificate and configuring HTTPS within your web server).
apt install certbot python3-certbot-apache
Next, check your Apache configuration to make sure that Certbot will be able to work correctly.
Open the Apache configuration file for your domain. You created this file manually earlier. Replace your-domain-conf.conf with the name of your file:
nano /etc/apache2/sites-available/your-domain-conf.conf
Two lines in this file must be written correctly: ServerName and ServerAlias. Certbot reads them to find the domains to request a certificate for.
<VirtualHost *:80>
    ServerName your-domain
    ServerAlias www.your-domain
    ServerAdmin your-mail-example
    DocumentRoot /var/www/your-domain-example
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/your-domain-example/>
        AllowOverride All
    </Directory>
</VirtualHost>
Check that the Apache configuration has the correct syntax:
apache2ctl configtest
This is the correct output:
# apache2ctl configtest
Syntax OK
Reload Apache to apply the configuration:
systemctl reload apache2
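A pre-flight check for the virtual host file, added here as an example and not part of the original tutorial: it reads the port-80 vhost, confirms that ServerName and ServerAlias are present, and flags single-label names such as a leftover your-domain placeholder. The function names and the example.com sample config are assumptions made for this example.

```shell
# Added example (not from the tutorial): check a port-80 vhost before
# running certbot --apache. Function names are hypothetical.

# Constructed sample config; example.com stands in for your real domain.
SAMPLE_VHOST='<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
</VirtualHost>'

# Read an Apache config on stdin and print one "Directive name" line for each
# ServerName / ServerAlias found inside a <VirtualHost ...:80> block.
vhost_names() {
    awk '
        $1 ~ /^#/                       { next }   # skip comment lines
        tolower($1) == "<virtualhost"   { in80 = ($0 ~ /:80[ >]/); next }
        tolower($1) == "</virtualhost>" { in80 = 0; next }
        in80 && tolower($1) == "servername"  { print "ServerName", $2 }
        in80 && tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++) print "ServerAlias", $i
        }
    '
}

# Exit status: 0 = ready, 1 = no ServerName, 2 = no ServerAlias,
# 3 = a name has no dot (for example a template placeholder), which a
# public CA cannot validate.
check_vhost() {
    names=$(vhost_names)
    printf '%s\n' "$names" | grep -q '^ServerName ' ||
        { echo "missing ServerName"; return 1; }
    printf '%s\n' "$names" | grep -q '^ServerAlias ' ||
        { echo "missing ServerAlias"; return 2; }
    bad=$(printf '%s\n' "$names" | awk '$2 !~ /\./ { print $2 }')
    if [ -n "$bad" ]; then
        echo "single-label name: $bad"
        return 3
    fi
    echo "ok"
}

printf '%s\n' "$SAMPLE_VHOST" | check_vhost
```

On a real server, feed it the file you edited, for example: check_vhost < /etc/apache2/sites-available/your-domain-conf.conf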
Allow HTTPS Through the Ubuntu Firewall
Depending on whether HTTPS traffic is already allowed in the firewall, you may need to take an extra step.
If HTTPS traffic is not allowed, you need to allow it.
Check status with:
ufw status
If you used my earlier tutorial for installing WordPress on an Ubuntu server, you will see this:
# ufw status
Status: active
To                         Action      From
--                         ------      ----
Apache                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
Apache (v6)                ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
To allow for HTTPS traffic, run:
ufw allow 'Apache Full'
After that, delete the previous profile:
ufw delete allow 'Apache'
You are now ready to run Certbot and obtain your certificates.
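One way to script the firewall decision above, as an added example that is not part of the original tutorial: it reads ufw status output and reports whether tcp 80 and 443 are allowed from anywhere, mapping the Apache application profiles to their ports. SAMPLE_UFW_BEFORE reproduces the output shown above, SAMPLE_UFW_AFTER is constructed, and the function names are hypothetical.

```shell
# Added example (not from the tutorial): is ufw ready for certbot --apache?
# ufw status output shown in the tutorial, before the change.
SAMPLE_UFW_BEFORE='Status: active
To                         Action      From
--                         ------      ----
Apache                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
Apache (v6)                ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)'
# Constructed sample: the ruleset after the two ufw commands above.
SAMPLE_UFW_AFTER='Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
Apache Full (v6)           ALLOW       Anywhere (v6)'

# port_allowed PORT: read ufw status on stdin; succeed if tcp PORT is allowed
# from Anywhere, directly or through one of the Apache application profiles.
port_allowed() {
    awk -v port="$1" '
        BEGIN { prof["Apache"] = "80"; prof["Apache Secure"] = "443"
                prof["Apache Full"] = "80 443" }
        /^Status: inactive/ { found = 1 }      # ufw is not filtering at all
        / ALLOW +(IN +)?Anywhere/ {
            rule = $0
            sub(/[ \t]+ALLOW.*/, "", rule)     # keep only the "To" column
            sub(/ \(v6\)$/, "", rule)
            ports = (rule in prof) ? prof[rule] : rule
            sub(/\/tcp$/, "", ports); gsub(/,/, " ", ports)
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) if (p[i] == port) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# The Apache plugin validates the domain over HTTP on port 80 and the site is
# then served on 443, so both ports have to be open.
ready_for_certbot() {
    status=$(cat)
    for port in 80 443; do
        printf '%s\n' "$status" | port_allowed "$port" ||
            { echo "tcp/$port not allowed"; return 1; }
    done
    echo "80 and 443 allowed"
}

printf '%s\n' "$SAMPLE_UFW_AFTER" | ready_for_certbot
```

On the server itself: ufw status | ready_for_certbot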
Obtaining an SSL certificate with Certbot on Ubuntu
Just run the following command:
certbot --apache
You’ll need to answer a few questions; here’s a little help from me:
Enter your e-mail address:
# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):
Type y then press Enter:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
Type y or n then press Enter:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
To obtain a certificate for both the domain and www, enter 1 2 then press Enter:
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: os.rebootos.com
2: www.os.rebootos.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
And the finale:
Requesting a certificate for os.rebootos.com and www.os.rebootos.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/os.rebootos.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/os.rebootos.com/privkey.pem
This certificate expires on 2023-02-06.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for os.rebootos.com to /etc/apache2/sites-available/os.rebootos.com-le-ssl.conf
Successfully deployed certificate for www.os.rebootos.com to /etc/apache2/sites-available/os.rebootos.com-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://os.rebootos.com and https://www.os.rebootos.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
This means the process is complete and the SSL certificate has been issued on the Ubuntu server.
How do I check if SSL will be automatically renewed in the future?
Checking if SSL will be renewed on an Ubuntu server can be done as follows:
Run the command:
systemctl status certbot.timer
If you get this, it is OK:
# systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Tue 2022-11-08 09:15:15 EET; 25min ago
Trigger: Tue 2022-11-08 21:54:46 EET; 12h left
Triggers: ● certbot.service
Nov 08 09:15:15 os.rebootos.com systemd[1]: Started Run certbot twice daily.
You can even test the renewal in advance:
certbot renew --dry-run
This is the expected output:
certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/os.rebootos.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for os.rebootos.com and www.os.rebootos.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/os.rebootos.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
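The timer status and the dry run show that renewal is scheduled and can work; an independent expiry check catches the case where it later stops working. The following is an added example, not part of the original tutorial: the function names are hypothetical, the 30-day threshold is an assumption explained in the comments, and it requires GNU date (standard on Ubuntu).

```shell
# Added example (not from the tutorial): independent expiry check for the
# certificate, to catch a renewal timer that is failing silently.

# Assumption: 30 days is the renewal window. Certbot has long renewed
# certificates that are within 30 days of expiry, so a certificate with
# less than that remaining means automatic renewal is not working.
RENEW_WINDOW_DAYS=30

# days_left NOT_AFTER [NOW_EPOCH]: whole days until NOT_AFTER, a timestamp
# in the format openssl prints, e.g. "Feb  6 00:00:00 2023 GMT".
days_left() {
    end=$(date -u -d "$1" +%s) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( (end - now) / 86400 ))
}

# cert_days_left FILE: days left for a PEM certificate on disk, such as
# the fullchain.pem path certbot printed. Needs openssl.
cert_days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate) || return 2
    days_left "${not_after#notAfter=}"
}

# renewal_state DAYS: classify the remaining lifetime.
renewal_state() {
    if   [ "$1" -le 0 ]; then echo expired
    elif [ "$1" -lt "$RENEW_WINDOW_DAYS" ]; then echo overdue
    else echo ok
    fi
}

# Constructed demo using the expiry date from the certbot output above
# (2023-02-06; the time of day is made up) as seen on two different days.
for today in 2022-11-08 2023-01-20; do
    d=$(days_left 'Feb  6 00:00:00 2023 GMT' "$(date -u -d "$today" +%s)")
    echo "$today: $d days left, $(renewal_state "$d")"
done
```

Run from cron or a monitoring agent, renewal_state "$(cert_days_left /etc/letsencrypt/live/os.rebootos.com/fullchain.pem)" should always print ok while the timer is doing its job.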
If everything went well, kudos to you, congratulations and I’m sure you feel satisfied 🙂
Please, if you have a few seconds of time, share this article with someone who also needs help with issuing an SSL certificate on an Ubuntu server. Thank you!