Beta 42

Research and Development


Install Certbot by Let's Encrypt

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps.

Prerequisites

Install a LAMP Stack with Virtual Hosts.

Install Certbot

Add the repository:

sudo add-apt-repository ppa:certbot/certbot

Install Certbot’s Apache package with apt:

sudo apt install python-certbot-apache

Set Up the SSL Certificate

Certbot needs to be able to find the correct virtual host in your Apache configuration for it to automatically configure SSL. Specifically, it does this by looking for a ServerName directive that matches the domain you request a certificate for.

If you followed the Virtual Host Setup, you should have a VirtualHost block for your domain at /etc/apache2/sites-available/your_domain.conf with the ServerName directive already set appropriately.

Allow HTTPS Through the Firewall

If you have the ufw firewall enabled you’ll need to adjust the settings to allow for HTTPS traffic.

You can see the current setting by typing:

sudo ufw status

To additionally let in HTTPS traffic, allow the Apache Full profile and delete the redundant Apache profile allowance:

sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'

Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary. To use this plugin, type the following:

sudo certbot --apache -d your_domain -d www.your_domain

This runs certbot with the --apache plugin, using -d to specify the names you’d like the certificate to be valid for.

Alternatively, run:

sudo certbot --apache

to obtain certificates for all the domains configured in your Apache virtual hosts.

Verify Certbot Auto-Renewal

Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

To test the renewal process, you can do a dry run with certbot:

sudo certbot renew --dry-run

If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Apache to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.
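A small monitoring check for the renewal window described above, added here as an example and not part of the original post or of Certbot itself. It parses the notAfter line that `openssl x509 -noout -enddate` prints for a certificate and classifies it against Certbot's thirty-day window; the one-day grace period used to decide that auto-renewal has stalled, and the sample domains and dates, are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Facts from the post: the cron job in /etc/cron.d runs twice a day and renews
# any certificate within 30 days of expiry.
RENEW_WINDOW = timedelta(days=30)
# Assumption (not from the post): a certificate that has sat inside the window
# for more than a day without being replaced means the job is failing.
GRACE = timedelta(days=1)

# Line printed by: openssl x509 -in cert.pem -noout -enddate
ENDDATE_RE = re.compile(r"^notAfter=(.+)$")

def parse_enddate(line: str) -> datetime:
    """Parse an openssl 'notAfter=Jun 10 12:00:00 2024 GMT' line into an aware UTC datetime."""
    m = ENDDATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an openssl notAfter line: {line!r}")
    # openssl pads single-digit days with a space ("Jun  8 ..."); strptime tolerates that.
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def renewal_status(enddate_line: str, now: datetime) -> str:
    """Classify one certificate relative to Certbot's renewal window."""
    left = parse_enddate(enddate_line) - now
    if left <= timedelta(0):
        return "expired"
    if left < RENEW_WINDOW - GRACE:
        return "overdue"      # inside the window for over a day: auto-renewal is not working
    if left <= RENEW_WINDOW:
        return "renew-due"    # inside the window: the cron job should renew it shortly
    return "ok"

def report(certs: dict, now: datetime) -> dict:
    """Map each domain to its status; input is {domain: notAfter line}."""
    return {domain: renewal_status(line, now) for domain, line in certs.items()}

# Constructed sample data, as if collected from several servers on 2024-06-01.
SAMPLE = {
    "fresh.example":   "notAfter=Aug 20 00:00:00 2024 GMT",
    "due.example":     "notAfter=Jun 30 12:00:00 2024 GMT",
    "stuck.example":   "notAfter=Jun  8 00:00:00 2024 GMT",
    "expired.example": "notAfter=May 30 00:00:00 2024 GMT",
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for domain, status in report(SAMPLE, NOW).items():
        print(f"{domain:18} {status}")
```

Anything reported as "overdue" is the case the post warns about: the cron job has had its chance and the certificate is still the old one, so check the renewal logs before the expiry e-mail arrives.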