How To Install Certbot on Ubuntu 24.04 LTS
Securing your website with HTTPS has become essential in today’s digital landscape. Not only does it protect sensitive data exchanged between your server and visitors, but it also improves search engine rankings and builds trust with your audience. Let’s Encrypt offers free SSL/TLS certificates, and Certbot makes the process of obtaining and managing these certificates straightforward on Ubuntu systems. This comprehensive guide walks you through the complete process of installing Certbot on Ubuntu 24.04 LTS and securing your web applications with trusted SSL certificates.
Understanding SSL, Certbot, and Let’s Encrypt
Before diving into the installation process, it’s important to understand the components involved in securing your website with HTTPS.
SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols create encrypted connections between web servers and browsers, ensuring that all data transmitted remains private and secure. When properly implemented, SSL/TLS helps prevent eavesdropping, data tampering, and forgery of website information.
Let’s Encrypt is a free, automated, and open Certificate Authority (CA) that revolutionized the SSL market by offering certificates at no cost. Before Let’s Encrypt, obtaining SSL certificates was often expensive and technically challenging, creating barriers for many website owners.
Certbot serves as an ACME (Automated Certificate Management Environment) client that interacts with the Let’s Encrypt CA to request, obtain, install, and renew SSL certificates. It automates the verification process, which typically involves proving that you control the domain for which you’re requesting a certificate.
The certificate issuance process follows these general steps:
- Domain validation (proving ownership)
- Certificate generation
- Installation on your web server
- Configuration of your web server to use the new certificates
Let’s Encrypt certificates are valid for 90 days, encouraging regular renewal and automation of the security process.
Prerequisites
Before installing Certbot on Ubuntu 24.04 LTS, ensure your system meets the following requirements:
- An Ubuntu 24.04 LTS server with root or sudo privileges
- A fully registered domain name pointing to your server’s IP address
- Proper DNS configuration with A records for your domain
- A web server installed (Apache or Nginx)
- Firewall correctly configured to allow HTTP (port 80) and HTTPS (port 443) traffic
- Basic familiarity with command-line operations
The commands in this tutorial assume you’ve already configured your web server to serve content for your domain. If you haven’t done this yet, you’ll need to set up virtual hosts (for Apache) or server blocks (for Nginx) before proceeding.
Method 1: Installing Certbot Using APT
The simplest and most common method for installing Certbot on Ubuntu 24.04 LTS is using the Advanced Package Tool (APT) package manager. This approach leverages Ubuntu’s official repositories, ensuring compatibility and simplified updates.
Updating Package Repositories
First, update your package lists to ensure you’re installing the latest available versions:
sudo apt update
This command refreshes your system’s package index, ensuring that you’ll download the most recent version of Certbot.
Installing Certbot and Web Server Plugins
Next, install Certbot along with the appropriate plugin for your web server. For Apache:
sudo apt install certbot python3-certbot-apache -y
For Nginx:
sudo apt install certbot python3-certbot-nginx -y
The `-y` flag automatically confirms the installation without prompting for confirmation.
Verifying Installation
After installation completes, verify that Certbot installed correctly by checking its version:
certbot --version
You should see output indicating the installed version of Certbot, confirming a successful installation.
Advantages and Limitations
The APT installation method offers several benefits:
- Simple, straightforward installation process
- Automatic updates through Ubuntu’s regular update system
- Official package maintained by Ubuntu developers
However, this method may not always provide the most recent version of Certbot, as package updates can lag behind the latest releases.
Method 2: Installing Certbot Using Snapd
Snap packages offer another convenient way to install Certbot, often providing more up-to-date versions than APT repositories. Ubuntu 24.04 comes with Snapd pre-installed, making this method readily available.
Setting Up Snapd
If for some reason Snapd isn’t installed on your system, you can install it with:
sudo apt install snapd -y
Installing Certbot via Snap
With Snapd ready, install Certbot using the following command:
sudo snap install certbot --classic
The `--classic` flag allows the Certbot snap to access system resources outside of the typical snap confinement, which is necessary for its proper operation.
Creating Symbolic Links
To ensure that the Certbot command is available system-wide, create a symbolic link:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
This step ensures that when you type `certbot` in your terminal, the system will use the version installed via Snap.
Verifying Installation
Confirm the installation was successful by checking the version:
certbot --version
When to Choose This Method
The Snap installation method is ideal when:
- You want the most recent version of Certbot
- You prefer automatic updates directly from the Certbot developers
- You need features not yet available in the APT package
Snap packages update automatically in the background, ensuring you always have the latest Certbot version with the most recent security patches and features.
Method 3: Installing Certbot Using PIP
For users who need maximum flexibility or specific versions of Certbot, installation via Python’s package manager (PIP) offers another option. This approach is particularly useful in development environments or when you need precise control over the installation.
Setting Up Python Virtual Environment
To avoid conflicts with system packages, it’s best to install Certbot in a virtual environment:
sudo apt install python3-venv -y
python3 -m venv /opt/certbot/
Activate the virtual environment:
source /opt/certbot/bin/activate
Installing Certbot Using PIP
With the virtual environment activated, install Certbot:
pip install certbot
For web server plugins, install the appropriate package:
# For Apache
pip install certbot-apache
# For Nginx
pip install certbot-nginx
Setting Up Symbolic Links
Create a symbolic link to make Certbot accessible system-wide:
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
Verification Steps
Verify the installation:
certbot --version
Use Cases for PIP Installation
This installation method is best suited for:
- Development environments requiring specific Certbot versions
- Systems with custom Python configurations
- Servers where Snap or APT installations aren’t feasible
- Users who need to test beta features or unreleased versions
The PIP method requires more manual maintenance, as updates aren’t automatic unless configured explicitly.
Obtaining SSL Certificates for Apache
If you’re using Apache as your web server, Certbot can automatically configure your virtual hosts to use SSL. This section walks through the process of obtaining and installing certificates with Apache.
Checking Apache Virtual Host Configuration
Before running Certbot, ensure your Apache virtual host configuration properly defines your domain. Check your configuration file (typically located at `/etc/apache2/sites-available/your_domain.conf`):
sudo nano /etc/apache2/sites-available/your_domain.conf
Verify that the `ServerName` and `ServerAlias` directives are correctly set:
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html/example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
After confirming or making changes, validate the configuration:
sudo apache2ctl configtest
If the test returns `Syntax OK`, reload Apache to apply any changes:
sudo systemctl reload apache2
Opening Firewall for HTTPS Traffic
Ensure your firewall allows HTTPS traffic (port 443):
sudo ufw status
If HTTPS isn’t allowed, update your firewall:
sudo ufw allow 'Apache Full'
sudo ufw reload
Running Certbot with Apache Plugin
Now you’re ready to obtain certificates. Run Certbot with the Apache plugin:
sudo certbot --apache
You’ll be prompted to:
- Enter an email address for renewal notifications
- Accept the terms of service
- Choose whether to share your email with the Electronic Frontier Foundation
- Select domains for which you want to obtain certificates
- Choose whether to redirect HTTP traffic to HTTPS
Certificate Files Location and Structure
After successful completion, Certbot stores your certificates in `/etc/letsencrypt/live/your_domain/`, with the following key files:
- `cert.pem`: Your domain’s certificate
- `chain.pem`: The Let’s Encrypt chain certificate
- `fullchain.pem`: The combination of your certificate and the chain
- `privkey.pem`: Your certificate’s private key
Testing Your SSL Configuration
Test your SSL setup using online tools like SSL Labs or WhyNoPadlock, or via the command line:
curl -I https://your_domain.com
A successful configuration will show HTTP status code 200 and confirm HTTPS is working correctly.
Obtaining SSL Certificates for Nginx
If you’re using Nginx as your web server, the process is similar to Apache but uses the Nginx-specific plugin.
Verifying Nginx Server Block Configuration
First, check your Nginx server block:
sudo nano /etc/nginx/sites-available/your_domain
Ensure your domain is properly configured:
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/html/example.com;
    index index.html index.php;

    location / {
        try_files $uri $uri/ =404;
    }
}
Verify the configuration:
sudo nginx -t
If successful, reload Nginx:
sudo systemctl reload nginx
Configuring Firewall for HTTPS
Ensure your firewall allows HTTPS traffic:
sudo ufw allow 'Nginx Full'
sudo ufw reload
Running Certbot with Nginx Plugin
Obtain certificates using the Nginx plugin:
sudo certbot --nginx
Follow the interactive prompts similar to the Apache process. Certbot will modify your Nginx configuration to use the new certificates and can set up automatic redirects from HTTP to HTTPS if you choose.
Certificate Location and Structure
As with Apache, certificates are stored in `/etc/letsencrypt/live/your_domain/` with the same file structure.
Testing SSL Configuration
Verify your SSL configuration:
curl -I https://your_domain.com
You should receive a successful response indicating HTTPS is properly configured.
Alternative Certificate Issuance Methods
While the automated plugins for Apache and Nginx are convenient, there are situations where alternative authentication methods are preferred or required.
Using Webroot Authentication
The webroot method verifies domain ownership by placing a file in your web server’s document root:
sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com
This approach is useful when you want Certbot to obtain certificates without modifying server configurations.
Standalone Mode
Standalone mode temporarily runs a web server for verification:
sudo certbot certonly --standalone -d example.com
This method requires stopping your existing web server during verification, making it ideal for initial setups or servers without Apache/Nginx.
DNS Validation for Wildcard Certificates
For wildcard certificates that work with all subdomains, DNS validation is required:
sudo certbot certonly --manual --preferred-challenges=dns -d example.com -d '*.example.com'
You’ll need to create specific TXT records in your domain’s DNS configuration to prove ownership.
Manual Mode for Complex Setups
Manual mode gives you complete control over the verification process:
sudo certbot certonly --manual -d example.com
This interactive method provides instructions for manually proving domain control, useful for unusual server configurations.
Choosing the Right Method
Select your verification method based on:
- Your web server setup (or lack thereof)
- Whether you need wildcard certificates
- How much automation you prefer
- Server accessibility from the internet
Setting Up Automatic Certificate Renewal
Let’s Encrypt certificates are valid for only 90 days, encouraging frequent renewals and automated security practices.
Understanding Let’s Encrypt’s Expiration Policy
The short 90-day validity period serves several purposes:
- Minimizes impact if a private key is compromised
- Encourages automation of the renewal process
- Allows Let’s Encrypt to update security requirements more frequently
Configuring Automatic Renewals
Certbot automatically installs a renewal timer or cron job during installation. To verify this on a systemd-based system like Ubuntu 24.04:
sudo systemctl list-timers | grep certbot
For cron-based setups:
sudo crontab -l | grep certbot
Testing the Renewal Process
Test the renewal configuration with a dry run:
sudo certbot renew --dry-run
A successful test confirms your renewal system is properly configured.
Creating Renewal Hooks
You can create custom actions during certificate renewal by adding scripts to these directories:
- `/etc/letsencrypt/renewal-hooks/pre/`: Run before renewal
- `/etc/letsencrypt/renewal-hooks/post/`: Run after successful renewal
- `/etc/letsencrypt/renewal-hooks/deploy/`: Run after certificates are deployed
For example, to restart Nginx after renewal:
sudo nano /etc/letsencrypt/renewal-hooks/post/nginx-restart.sh
Add this content:
#!/bin/bash
systemctl restart nginx
Make the script executable:
sudo chmod +x /etc/letsencrypt/renewal-hooks/post/nginx-restart.sh
Monitoring Renewal Status
Check certificate expiration dates:
sudo certbot certificates
This command lists all certificates with their domains and expiration dates.
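A monitoring check built on this command, as an added example that is not part of the original tutorial: it parses `certbot certificates` output and flags certificates that are invalid or have fewer than a given number of days left. The output layout, the constructed sample text and the function name `check_expiry` are assumptions.

```shell
#!/bin/sh
# Added example: flag certificates that are invalid or close to expiry by
# parsing the text printed by `sudo certbot certificates`.
# Assumption: the "Certificate Name:" / "Expiry Date: ... (VALID: N days)"
# layout of recent Certbot releases; adjust the patterns if yours differs.

# check_expiry MIN_DAYS: reads certbot output on stdin, prints one line per
# problem certificate, returns 1 if any certificate needs attention.
check_expiry() {
    awk -v min="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if (match($0, /\(INVALID: [^)]*\)/)) {
                # e.g. EXPIRED, REVOKED or TEST_CERT (staging certificate)
                print name, substr($0, RSTART + 1, RLENGTH - 2); bad = 1
            } else if ($0 ~ /\(VALID: [0-9]+ hour/) {
                print name, "expires in less than 1 day"; bad = 1
            } else if ($0 ~ /\(VALID: [0-9]+ day/) {
                days = $0; sub(/.*\(VALID: /, "", days); days += 0
                if (days < min) { print name, "expires in " days " days"; bad = 1 }
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample output (not captured from a real server).
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Serial Number: 3a1f (constructed)
    Key Type: ECDSA
    Domains: example.com www.example.com
    Expiry Date: 2025-09-01 10:00:00+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: blog.example.com
    Domains: blog.example.com
    Expiry Date: 2025-07-14 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2025-06-01 10:00:00+00:00 (INVALID: EXPIRED)'

# Demo on the sample. On a server: sudo certbot certificates | check_expiry 20
printf '%s\n' "$SAMPLE_OUTPUT" | check_expiry 20 || echo "certificates need attention"
```

Certbot by default renews once a certificate has fewer than 30 days left, so a threshold of about 20 days catches renewals that have been failing silently.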
SSL Certificate Management
Managing your SSL certificates effectively involves several administrative tasks beyond initial setup.
Viewing Existing Certificates
List all certificates managed by Certbot:
sudo certbot certificates
Revoking Certificates
If you need to revoke a certificate (due to compromise or decommissioning):
sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem
Deleting Certificates
Remove certificates you no longer need:
sudo certbot delete --cert-name example.com
Updating Certificate Domains
To add or remove domains from an existing certificate:
sudo certbot --expand -d example.com,www.example.com,blog.example.com
Changing Key Types
Switch between RSA and ECDSA key types for improved security or performance:
sudo certbot certonly --key-type ecdsa --force-renewal -d example.com
ECDSA keys generally offer similar security with smaller key sizes, improving performance.
Troubleshooting Common Issues
Even with Certbot’s automation, issues can arise during installation or renewal. Here are solutions to frequent problems.
Certificate Validation Failures
If domain validation fails:
- Ensure your domain’s DNS points to your server
- Check that your server is accessible from the internet
- Verify firewall settings allow HTTP/HTTPS traffic
- Examine Certbot logs: `sudo cat /var/log/letsencrypt/letsencrypt.log`
Renewal Problems
For renewal failures:
- Run with verbose output: `sudo certbot renew --verbose`
- Verify your web server configuration hasn’t changed
- Check for expired domain names
- Ensure renewal scripts have proper permissions
Permission Issues
Common permission problems:
- Certbot needs root or sudo access to modify system files
- Web server must have read access to certificate files
- Hook scripts must be executable
- Directory permissions should allow Certbot to create validation files
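The permission points above and the renewal-hook directories can be checked mechanically. The following is an added example, not part of the original tutorial or of Certbot: it audits a Certbot configuration tree for world-readable private keys and for hook scripts that are writable by other accounts or missing the execute bit. The function names, finding labels and the constructed demo tree are hypothetical.

```shell
#!/bin/sh
# Added example (not from Certbot): audit a Certbot tree for risky permissions.
# Renewal hooks run as root, so a hook other accounts can modify is a path to
# root; a world-readable privkey*.pem exposes the key to every local account.

# audit_letsencrypt DIR: print one finding per line, return 1 if any exist.
audit_letsencrypt() {
    dir=$1
    findings=$(
        # live/ only holds symlinks; the real key files sit under archive/.
        find "$dir" -type f -name 'privkey*.pem' -perm -0004 \
            -exec printf 'KEY_WORLD_READABLE %s\n' {} \;
        if [ -d "$dir/renewal-hooks" ]; then
            find "$dir/renewal-hooks" -type f \( -perm -0020 -o -perm -0002 \) \
                -exec printf 'HOOK_GROUP_OR_WORLD_WRITABLE %s\n' {} \;
            # The tutorial notes that hook scripts must be executable.
            find "$dir/renewal-hooks" -type f ! -perm -0100 \
                -exec printf 'HOOK_NOT_EXECUTABLE %s\n' {} \;
        fi
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed demo tree (hypothetical file names) with three deliberate faults.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/archive/example.com" "$t/renewal-hooks/post" "$t/renewal-hooks/deploy"
    : > "$t/archive/example.com/privkey1.pem"; chmod 600 "$t/archive/example.com/privkey1.pem"
    : > "$t/archive/example.com/privkey2.pem"; chmod 644 "$t/archive/example.com/privkey2.pem"
    : > "$t/renewal-hooks/post/nginx-restart.sh"; chmod 755 "$t/renewal-hooks/post/nginx-restart.sh"
    : > "$t/renewal-hooks/deploy/notify.sh"; chmod 777 "$t/renewal-hooks/deploy/notify.sh"
    : > "$t/renewal-hooks/deploy/disabled.sh"; chmod 644 "$t/renewal-hooks/deploy/disabled.sh"
    printf '%s\n' "$t"
}

# Demo on the constructed tree. On a server, as root:
#   audit_letsencrypt /etc/letsencrypt
demo=$(make_demo_tree)
audit_letsencrypt "$demo" || echo "permission findings listed above"
rm -rf "$demo"
```

Group-readable keys are not flagged, because some setups grant the web server read access through a dedicated group.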
Common Error Messages and Solutions
- “Connection refused”: Check firewall settings and server accessibility
- “No matching virtual host”: Update your web server configuration with correct domain names
- “Timeout during connect”: Ensure your server is accessible from the internet
- “Failed authorization procedure”: Verify domain ownership and DNS configuration
Finding Logs and Debugging Information
Detailed logs are available at:
- `/var/log/letsencrypt/letsencrypt.log`: Main Certbot log
- Web server logs: `/var/log/apache2/` or `/var/log/nginx/`
- System journal: `sudo journalctl -u certbot.service`
Congratulations! You have successfully installed Certbot. Thanks for using this tutorial for installing Certbot on the Ubuntu 24.04 LTS system. For additional help or useful information, we recommend you check the official Certbot website.