How to Install a Free Let's Encrypt SSL Certificate on CentOS 8 (Step-by-Step Guide)
Let's Encrypt is a certificate authority that allows anyone to get a free SSL/TLS certificate and provide encryption for their services (web server, email, etc.). In addition, the Certbot client allows you to automate many processes. After the server is configured correctly, you can get a certificate in a few minutes, and then renew it automatically. To do this, you must ensure that the following points are met:
- Your server has a public IP address;
- You have a domain name. In this tutorial, domain-name.com is used as an example; replace it with your FQDN;
- The DNS A record of your domain name contains the IP address of your server.
Installing snapd
Certbot developers recommend using snapd to automatically manage and maintain your package. Let’s install it.
Now, start and enable it.
You also need to create the following symbolic link to enable classic snap support.
After that, reboot your system.
Make sure that the latest version is installed.
Installing Certbot
Make sure that there is no Certbot on your system.
Install Certbot.
Add the following symbolic link to ensure successful launch of Certbot.
Ways to get a Let's Encrypt SSL certificate
When Certbot runs a challenge, you can enter multiple domain names of your site as aliases when prompted. For example, domain-name.com, www.domain-name.com.
If you don't have any web server running, use this command and follow the instructions:
This method uses the HTTP port to check the response when accessing the domain name. If your web server is already running and you don't want to stop it, use the following command instead. You will be asked to enter the domain name and its webroot to confirm your rights to it.
Wildcard SSL certificate and DNS challenge
Another way to verify your rights to a domain name and its server is the DNS challenge. This is also the only way to get a wildcard SSL certificate. You must have access to manage your site's DNS records. Use this command and follow the instructions:
Automatic certificate renewal
During the installation of Certbot, automatic certificate updates are configured. This is a timer that checks the system for certificates that will expire soon and updates them. To see if it is configured, look here:
If you see no output, you can check here:
cat /etc/cron.*/*
To test the automatic renewal process, run:
Conclusion
Setting up a free SSL/TLS certificate from Let's Encrypt on CentOS 8 using Certbot is a fast and reliable way to secure your web services with HTTPS encryption. With just a few commands and the help of snap packages, you can issue certificates, including wildcard ones, and configure automatic renewal — ensuring your website or application remains trusted and protected at all times. By following this guide, you’ve taken a major step toward improving both the security and credibility of your online presence.
FAQ
- What is Let's Encrypt?
Let’s Encrypt is a free, automated, and open certificate authority (CA) that issues SSL/TLS certificates for encrypting internet traffic, especially for web servers and other services.
- Is Let's Encrypt really free?
Yes, Let’s Encrypt certificates are completely free and trusted by all major browsers and platforms.
- What is Certbot and why is it used?
Certbot is an official tool from the Electronic Frontier Foundation (EFF) that automates the process of obtaining, installing, and renewing Let’s Encrypt SSL certificates.
- Can I get a wildcard certificate?
Yes, you can obtain a wildcard certificate using the DNS-01 challenge method with Certbot. This requires access to your DNS provider to update TXT records.
- What if I already have a running web server?
You can use the --webroot method to verify your domain ownership without stopping your server, by specifying the root directory of your website.
- How often do I need to renew my certificate?
Let's Encrypt certificates are valid for 90 days, but Certbot sets up automatic renewal by default using systemd timers or cron jobs.
- How can I test if automatic renewal is working?
Use the command certbot renew --dry-run to simulate the renewal process and ensure everything is configured correctly.
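A dry run shows that renewal can work; the check below shows whether it actually has. It is an added example, not part of the original guide: it reads the text printed by `certbot certificates` and lists any certificate that is close to expiry or already invalid, which on a system with working automatic renewal should be none. The helper name `stale_certs`, the 30-day default, and the sample output (including the `mail.` and `old.` subdomains) are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list certificates that automatic renewal should already have
# replaced, based on the text printed by `certbot certificates`.
# Real use (as root): certbot certificates 2>/dev/null | stale_certs 30

# stale_certs [LIMIT_DAYS]  (hypothetical helper; the 30-day default is an assumption)
# Prints "<name> <days>" for certificates with fewer than LIMIT_DAYS left and
# "<name> INVALID" for certificates Certbot marks as invalid (e.g. expired).
stale_certs() {
    awk -v limit="${1:-30}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /\(INVALID/) { print name, "INVALID"; next }
            if (match($0, /VALID: [0-9]+ hour/)) {
                days = 0                              # less than one day left
            } else if (match($0, /VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 7) + 0     # leading number after "VALID: "
            } else {
                print name, "UNKNOWN"; next           # layout not recognised
            }
            if (days < limit) print name, days
        }
    '
}

# Constructed sample modelled on the layout of `certbot certificates` output.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: domain-name.com
    Domains: domain-name.com www.domain-name.com
    Expiry Date: 2030-03-15 10:00:00+00:00 (VALID: 74 days)
    Certificate Path: /etc/letsencrypt/live/domain-name.com/fullchain.pem
  Certificate Name: mail.domain-name.com
    Domains: mail.domain-name.com
    Expiry Date: 2030-01-12 10:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/mail.domain-name.com/fullchain.pem
  Certificate Name: old.domain-name.com
    Domains: old.domain-name.com
    Expiry Date: 2029-11-01 10:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.domain-name.com/fullchain.pem
EOF
}

sample_output | stale_certs 30
```

Any line of output from a scheduled run of this check means the renewal timer or cron job has not done its work and is worth an alert.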