
With Let’s Encrypt on Ubuntu 18.04

On an Apache Server (or an Nginx Server)

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.

I will use a separate Apache virtual host file instead of the default configuration file. I recommend creating new Apache virtual host files for each domain because it helps to avoid common mistakes and maintains the default files as a fallback configuration.

1. Installing Certbot
Certbot is in very active development, so the Certbot packages provided by Ubuntu tend to be outdated. However, the Certbot developers maintain an Ubuntu software repository with up-to-date versions, so we’ll use that repository instead.

$ add-apt-repository ppa:certbot/certbot
$ apt install python-certbot-apache  (For NginX  : $ apt install python-certbot-nginx)

2. Set Up the SSL Certificate
Open the virtual host file for your domain using nano or your favorite text editor:

$ vi /etc/apache2/sites-available/ (For NginX : $ nano /etc/nginx/sites-available/)

Find the existing ServerName line. …ServerName; …

$ apache2ctl configtest (For NginX : $ nginx -t)
$ systemctl reload apache2 (For NginX : systemctl reload nginx)

3. Allowing HTTPS Through the Firewall

$ ufw status
$ ufw allow 'Apache Full' (For NginX : $ ufw allow 'Nginx Full')
$ ufw delete allow 'Apache' (For NginX : $ ufw delete allow 'Nginx HTTP')

4. Obtaining an SSL Certificate
Certbot provides a variety of ways to obtain SSL certificates through plugins. The Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary. To use this plugin, type the following:

$ certbot --apache -d -d  (For NginX : $ certbot --nginx -d -d)
Note: Be careful, --apache takes a double dash (--), not a single dash (-apache).

If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.

After obtaining the cert, you will have the following PEM-encoded files:

  • cert.pem: Your domain’s certificate
  • chain.pem: The Let’s Encrypt chain certificate
  • fullchain.pem: cert.pem and chain.pem combined (your certificate file)
  • privkey.pem: Your certificate’s private key

Location of those files : /etc/letsencrypt/archive
Symbolic links to the most recent certificate files : /etc/letsencrypt/live/your_domain_name

Because the links will always point to the most recent certificate files, this is the path that you should use to refer to your certificate files.

Check that the files exist : $ ls -l /etc/letsencrypt/live/your_domain_name
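A stricter version of the ls -l check above, written as an added example that is not part of the original tutorial: it confirms that the four names in the live directory are symlinks resolving into the archive tree rather than stale copies. The function name check_live_dir is hypothetical, and the rule that the private key must be owner-only is an assumption of this example.

```shell
#!/bin/sh
# check_live_dir LIVE_DIR   (hypothetical helper, added example)
# Verifies the layout described above: the four PEM names in
# live/<domain> must be symlinks that resolve to non-empty files
# under the sibling archive/ tree. Assumption of this example:
# the private key must not be accessible to group or others.
# Prints one line per problem; returns 0 if clean, 1 otherwise.
check_live_dir() {
    live_dir=$1
    problems=0
    # live/<domain> sits two levels below the Let's Encrypt root
    root=$(cd "$live_dir/../.." 2>/dev/null && pwd -P) || {
        echo "cannot resolve $live_dir"; return 1; }
    for name in cert.pem chain.pem fullchain.pem privkey.pem; do
        link="$live_dir/$name"
        if [ ! -L "$link" ]; then
            echo "$name: not a symlink (copied file or missing)"
            problems=1; continue
        fi
        target=$(readlink -f "$link") || target=""
        case "$target" in
            "$root"/archive/*) ;;
            *) echo "$name: points outside archive/: $target"
               problems=1; continue ;;
        esac
        if [ ! -s "$target" ]; then
            echo "$name: target missing or empty: $target"
            problems=1; continue
        fi
        if [ "$name" = privkey.pem ]; then
            mode=$(stat -c '%a' "$target")
            case "$mode" in
                *00|0) ;;   # owner-only, e.g. 600 or 400
                *) echo "privkey.pem: mode $mode lets group/others in"
                   problems=1 ;;
            esac
        fi
    done
    return "$problems"
}
# Usage: check_live_dir /etc/letsencrypt/live/your_domain_name
```

A non-zero return usually means a file was copied into place by hand, in which case the web server keeps serving the old certificate after a renewal.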

5. Verifying Certbot Auto-Renewal
$ certbot renew --dry-run

6. Delete Domain Certificate
$ certbot delete

Certbot error cases: the dependencies differ between Ubuntu 16.04 and 18.04

  • PIP & Python version check
  • Certbot UnicodeDecodeError : 
    $ grep -r -P '[^\x00-\x7f]' /etc/apache2 /etc/letsencrypt
    Check the non-ASCII characters it reports