1 How To Use Certbot to Retrieve Let's Encrypt SSL Certificates on Ubuntu 18.04

1.1 Introduction

Let’s Encrypt is a service offering free SSL certificates through an automated API. The most popular Let’s Encrypt client is EFF’s Certbot.

Certbot offers a variety of ways to validate your domain, fetch certificates, and automatically configure Apache and Nginx. In this tutorial, we’ll discuss Certbot’s standalone mode and how to use it to secure other types of services, such as a mail server or a message broker like RabbitMQ.

We won’t discuss the details of SSL configuration, but when you are done you will have a valid certificate that is automatically renewed. Additionally, you will be able to automate reloading your service to pick up the renewed certificate.

1.2 Prerequisites

Before starting this tutorial, you will need:

- An Ubuntu 18.04 server with a non-root, sudo-enabled user and a basic firewall set up, as detailed in this Ubuntu 18.04 server setup tutorial.
- A domain name pointed at your server, which you can accomplish by following “How to Set Up a Host Name with DigitalOcean.” This tutorial will use throughout.
- Port 80 or 443 must be unused on your server. If the service you’re trying to secure is on a machine with a web server that occupies both of those ports, you’ll need to use a different mode such as Certbot’s webroot mode.

1.3 Step 1 — Installing Certbot

Ubuntu includes the Certbot client in their default repository, but it’s a bit out of date. Instead, we’ll install it from Certbot’s official Ubuntu PPA, or Personal Package Archive. These are alternative repositories that package more recent or more obscure software. First, add the repository:

sudo add-apt-repository ppa:certbot/certbot

You’ll need to press ENTER to accept. Afterwards, update the package list to pick up the new repository’s package information:

sudo apt update

And finally, install the certbot package:

sudo apt install certbot

Now that we have Certbot installed, let’s run it to get our certificate.

1.4 Step 2 — Running Certbot

Certbot needs to answer a cryptographic challenge issued by the Let’s Encrypt API in order to prove we control our domain. It uses ports 80 (HTTP) or 443 (HTTPS) to accomplish this. Open up the appropriate port in your firewall:

sudo ufw allow 80

Substitute 443 above if that’s the port you’re using. ufw will output confirmation that your rule was added:

Output
Rule added
Rule added (v6)

sudo certbot certonly --webroot --webroot-path /home/vhosts/ -d

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to

Please read the Terms of Service at You must
agree in order to register with the ACME server at

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /home/vhosts/ for all unmatched domains.
Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2020-01-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          
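Two checks worth scripting around the run above: that the challenge port is actually free before Certbot tries to bind it (Step 2), and how far off the expiry date printed at the end is, since "certbot renew" only acts within 30 days of expiry. This is an added example, not code from the tutorial or from Certbot; the sample output is constructed from the session shown above.

```python
import errno
import re
import socket
from datetime import date, timedelta

# Matches the expiry line Certbot prints after a successful certonly run.
EXPIRY_RE = re.compile(r"Your cert will expire on (\d{4}-\d{2}-\d{2})")

# Constructed from the certonly output shown above (paths/URLs omitted there too).
SAMPLE_OUTPUT = """\
 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2020-01-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
"""


def port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """True if nothing is bound to host:port, so standalone Certbot can take it.

    Only EADDRINUSE means "busy"; EACCES on 80/443 means you are not root,
    which is a different problem (Certbot itself needs root for those ports).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return False
            raise
    return True


def parse_expiry(certbot_output: str) -> date:
    """Extract the expiry date from certonly output; raises if the line is absent."""
    match = EXPIRY_RE.search(certbot_output)
    if not match:
        raise ValueError("no 'Your cert will expire on' line in certbot output")
    return date.fromisoformat(match.group(1))


def renewal_due(expiry: date, today: date, threshold_days: int = 30) -> bool:
    """Mirror certbot renew's default: renew once 30 days or fewer remain."""
    return expiry - today <= timedelta(days=threshold_days)


def demo_port_check() -> tuple:
    """Hold an ephemeral port, probe it, release it, probe again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as holder:
        holder.bind(("127.0.0.1", 0))
        holder.listen(1)
        port = holder.getsockname()[1]
        busy = port_is_free(port, "127.0.0.1")   # expected False
    return busy, port_is_free(port, "127.0.0.1")  # expected (False, True)
```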

Author: Sebastian Emilio Narvaez

Created: 2020-06-11 Thu 16:53
