Managing SSL certificates with Let's Encrypt
Let’s Encrypt issues free, automated SSL certificates. Before it existed, getting HTTPS meant paying a CA and manually managing certificate files. Now it’s a one-command setup with automatic renewal.
How it works
Let’s Encrypt uses the ACME protocol to verify you control a domain. The most common verification method (HTTP-01) places a file on your web server that Let’s Encrypt’s servers check.
Steps:
- Certbot requests a certificate for your domain
- Let’s Encrypt gives certbot a challenge token
- Certbot places the token at a specific URL on your server
- Let’s Encrypt verifies the token
- Certificate is issued
Installation
sudo apt install certbot
For Apache:
sudo apt install python3-certbot-apache
For Nginx:
sudo apt install python3-certbot-nginx
Getting a certificate
For Apache:
sudo certbot --apache -d example.com -d www.example.com
For Nginx:
sudo certbot --nginx -d example.com -d www.example.com
Standalone (certbot runs its own temporary web server):
sudo certbot certonly --standalone -d example.com
Webroot (use existing web server, no plugin needed):
sudo certbot certonly --webroot -w /var/www/html -d example.com
Certbot modifies your web server config to use the certificate and redirects HTTP to HTTPS.
Certificate locations
Certificates are stored in /etc/letsencrypt/live/example.com/:
fullchain.pem— certificate + intermediate chainprivkey.pem— private keycert.pem— just the certificatechain.pem— just the intermediate chain
Web servers typically need fullchain.pem and privkey.pem.
Automatic renewal
Certbot installs a systemd timer or cron job for automatic renewal:
systemctl list-timers | grep certbot
Test renewal:
sudo certbot renew --dry-run
This simulates renewal without actually requesting a new certificate. If it succeeds, automatic renewal will work.
Certificates are renewed when they have 30 days or less remaining.
Wildcard certificates
Wildcard certificates cover all subdomains. They require DNS-01 challenge (you need to add a TXT record to your DNS):
sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com
Certbot will tell you what TXT record to add. After adding it, press Enter to continue.
For automated DNS challenges, certbot has plugins for various DNS providers:
sudo apt install python3-certbot-dns-cloudflare
Multiple domains
Add multiple domains to one certificate:
sudo certbot --nginx -d example.com -d www.example.com -d api.example.com -d blog.example.com
Or get separate certificates:
sudo certbot --nginx -d example.com -d www.example.com
sudo certbot --nginx -d api.example.com
Revoking certificates
If a private key is compromised:
sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem
Troubleshooting
Port 80 must be accessible. Let’s Encrypt needs to reach your server on port 80 for HTTP-01 challenge. Check firewall rules.
DNS must resolve. The domain must point to your server’s IP before you request a certificate.
Rate limits. Let’s Encrypt has rate limits: 50 certificates per registered domain per week, 5 duplicate certificates per week. Don’t repeatedly retry if you’re hitting limits.
Check certificate expiry:
sudo certbot certificates
# or
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
Force renewal:
sudo certbot renew --force-renewal
Common mistakes
Not testing renewal. Getting the certificate is easy. Automatic renewal is what matters. Always run certbot renew --dry-run.
Blocking port 80. Let’s Encrypt needs port 80 for verification. Don’t close it after getting the certificate — renewal needs it too.
Forgetting to reload web server. Certbot usually handles this, but if you’re using certonly, you need to reload Apache/Nginx yourself.
Using standalone mode in production. It stops your web server briefly to bind port 80. Use the Apache or Nginx plugins instead.
Remarks
Let’s Encrypt and certbot made HTTPS free and automatic. There’s no excuse for running a website without HTTPS anymore. Set it up, verify renewal works, and forget about it. The certificates renew themselves. If you’re running a web server on Linux, this should be one of the first things you configure.
Related Posts
Vim survival guide for Linux admins
The minimum vim knowledge you need to survive on a Linux server. Editing config files without wanting to throw your keyboard.
Linux memory management: free, vmstat, and /proc
Understanding how Linux uses memory. Reading free correctly, using vmstat, and what /proc/meminfo actually tells you.
tmux: terminal multiplexing made simple
Using tmux to manage terminal sessions. Panes, windows, and why your SSH sessions should survive disconnects.