Linux6 min read

Managing SSL certificates with Let's Encrypt

linuxssllets-encryptcertbothttpssecurity

Let’s Encrypt issues free, automated SSL certificates. Before it existed, getting HTTPS meant paying a CA and manually managing certificate files. Now it’s a one-command setup with automatic renewal.

How it works

Let’s Encrypt uses the ACME protocol to verify you control a domain. The most common verification method (HTTP-01) places a file on your web server that Let’s Encrypt’s servers check.

Steps:

  1. Certbot requests a certificate for your domain
  2. Let’s Encrypt gives certbot a challenge token
  3. Certbot places the token at a specific URL on your server
  4. Let’s Encrypt verifies the token
  5. Certificate is issued

Installation

sudo apt install certbot

For Apache:

sudo apt install python3-certbot-apache

For Nginx:

sudo apt install python3-certbot-nginx

Getting a certificate

For Apache:

sudo certbot --apache -d example.com -d www.example.com

For Nginx:

sudo certbot --nginx -d example.com -d www.example.com

Standalone (certbot runs its own temporary web server):

sudo certbot certonly --standalone -d example.com

Webroot (use existing web server, no plugin needed):

sudo certbot certonly --webroot -w /var/www/html -d example.com

Certbot modifies your web server config to use the certificate and redirects HTTP to HTTPS.

Certificate locations

Certificates are stored in /etc/letsencrypt/live/example.com/:

  • fullchain.pem — certificate + intermediate chain
  • privkey.pem — private key
  • cert.pem — just the certificate
  • chain.pem — just the intermediate chain

Web servers typically need fullchain.pem and privkey.pem.

Automatic renewal

Certbot installs a systemd timer or cron job for automatic renewal:

systemctl list-timers | grep certbot

Test renewal:

sudo certbot renew --dry-run

This simulates renewal without actually requesting a new certificate. If it succeeds, automatic renewal will work.

Certificates are renewed when they have 30 days or less remaining.

Wildcard certificates

Wildcard certificates cover all subdomains. They require DNS-01 challenge (you need to add a TXT record to your DNS):

sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com

Certbot will tell you what TXT record to add. After adding it, press Enter to continue.

For automated DNS challenges, certbot has plugins for various DNS providers:

sudo apt install python3-certbot-dns-cloudflare

Multiple domains

Add multiple domains to one certificate:

sudo certbot --nginx -d example.com -d www.example.com -d api.example.com -d blog.example.com

Or get separate certificates:

sudo certbot --nginx -d example.com -d www.example.com
sudo certbot --nginx -d api.example.com

Revoking certificates

If a private key is compromised:

sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem

Troubleshooting

Port 80 must be accessible. Let’s Encrypt needs to reach your server on port 80 for HTTP-01 challenge. Check firewall rules.

DNS must resolve. The domain must point to your server’s IP before you request a certificate.

Rate limits. Let’s Encrypt has rate limits: 50 certificates per registered domain per week, 5 duplicate certificates per week. Don’t repeatedly retry if you’re hitting limits.

Check certificate expiry:

sudo certbot certificates
# or
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates

Force renewal:

sudo certbot renew --force-renewal

Common mistakes

Not testing renewal. Getting the certificate is easy. Automatic renewal is what matters. Always run certbot renew --dry-run.

Blocking port 80. Let’s Encrypt needs port 80 for verification. Don’t close it after getting the certificate — renewal needs it too.

Forgetting to reload web server. Certbot usually handles this, but if you’re using certonly, you need to reload Apache/Nginx yourself.

Using standalone mode in production. It stops your web server briefly to bind port 80. Use the Apache or Nginx plugins instead.

Remarks

Let’s Encrypt and certbot made HTTPS free and automatic. There’s no excuse for running a website without HTTPS anymore. Set it up, verify renewal works, and forget about it. The certificates renew themselves. If you’re running a web server on Linux, this should be one of the first things you configure.

Related Posts