07.06.2023

How to Get Let's Encrypt SSL on Ubuntu 20.04

SSL/TLS encryption is an integral part of the network infrastructure. Any web and mail server allows you to enable data encryption. In this article, we will look at the process of obtaining a free SSL certificate Let's Encrypt.

How to get "Let's Encrypt" SSL on Ubuntu 20.04:

Install the "Let's Encrypt" package
Standalone server for getting the "Let's Encrypt" SSL certificate
Automatically install SSL certificate on Ngix and Apache web servers
Create "Let's Encrypt Wildcard SSL certificate

Cloud Servers from €4 / moIntel Xeon Gold 6254 3.1 GHz CPU, SLA 99,9%, 100 Mbps channel

As initial conditions, you must have a domain name. It's DNS A-record must contain the public address of your server. If the firewall is enabled, open access for HTTP and HTTPS traffic.

sudo ufw allow 80
sudo ufw allow 443

Step 1 – Installing the "Let's Encrypt" package

The process of installing the "Let's Encrypt" package with all its dependencies is extremely simple. To do this, enter the command:

sudo apt install letsencrypt

Along with the "Let's Encrypt" package, this command also installs the "certbot.timer" utility for automatic certificate renewal. It checks the validity of SSL certificates in the system twice a day and extends those that expire in the next 30 days. To make sure that it is running, enter:

sudo systemctl status certbot.timer

There are different configurations and conditions for obtaining a certificate. Let's look at some of them.

Step 2 – Standalone server for getting the "Let's Encrypt" SSL certificate

The easiest way to get an ssl certificate is to use a standalone option in Certbot. Replace domain-name.com with your domain name, run the command, and follow the instructions:

sudo certbot certonly --standalone --agree-tos --preferred-challenges http -d domain-name.com

The certonly option means that the certificate will only be obtained without installation on any web server, standalone allows you to start your own web server for authentication, agree-tos means acceptance of the ACME server subscription agreement, which is a prerequisite, and preferred-challenges http means performing authorization using HTTP.

Step 3 – Automatic installation of the SSL certificate on nginx and Apache web servers

Certbot can automatically install the certificate on nginx and Apache web servers. To do this, you need to install an additional package and choose the appropriate one for your web server.

apt install python3-certbot-nginx
apt install python3-certbot-apache

Run this command for nginx:

sudo certbot --nginx --agree-tos --preferred-challenges http -d domain-name.com

Or this for Apache:

sudo certbot --apache --agree-tos --preferred-challenges http -d domain-name.com

Follow the instructions and Certbot will install an SSL certificate for you.

Step 4 – "Let's Encrypt" Wildcard SSL certificate

To create a wildcard certificate, the only possible challenge method is DNS. In the d parameter, you must specify both the bare domain and wildcard.

sudo certbot certonly --manual --agree-tos --preferred-challenges dns -d domain-name.com -d *.domain-name.com

After that, place the specified TXT record on your DNS server and click continue.

If everything is well, you will see the path where your new wildcard certificate is stored and some other information.

Cloud Servers from €4 / moIntel Xeon Gold 6254 3.1 GHz CPU, SLA 99,9%, 100 Mbps channel