Installing Let's Encrypt Certbot on Debian-based Distributions


Let's Encrypt is one of many Certificate Authorities (CAs) that provide genuine SSL/TLS certificates to people who want to secure the connection to their website. This allows people to access a website via encrypted HTTPS traffic. The process of obtaining a certificate with Let's Encrypt's Certbot is pretty simple overall.

This guide will show you the steps for installing an SSL/TLS Certificate on a Debian-based Distribution – Ubuntu in this case – with an NGINX web server.

Prerequisites

For this guide to be followed correctly, you already need to have a working NGINX web server installed and set up. If you don't have this done, then you can follow our guide on how to install NGINX.


Installation

The first main step is to install the Certbot application to obtain a valid SSL/TLS certificate for your web server. The following command will install Certbot with its NGINX plugin using the apt package manager.

sudo apt install certbot python3-certbot-nginx

Once the installation is complete, the Certbot application is ready to use. Now we need to configure a few things on NGINX's side to get Certbot to work.


Configuration

Certbot will need to find the right path to the correct server block in our NGINX configuration so that it can automatically set up and configure SSL/TLS for us. To accomplish this, Certbot will search for a server_name directive in your config that matches the domain we will request the certificate for.

Please note: If you followed our guide for server block setup, you should already have a server block for your domain at /etc/nginx/sites-available/example.com with the server_name directive already set accordingly.

To check that you have this set up properly, open the configuration file for your domain using nano or your favorite text editor.

sudo nano /etc/nginx/sites-available/example.com

You will need to find the existing server_name line. It should look something like this or very close to it.

...
server_name example.com www.example.com;
...

If this line already exists with your domain name in it, we are done with this step. If it is missing or not configured, add it to your configuration file inside the correct server block. Then save the file, quit the editor, and verify the syntax to make sure the configuration file is correct.

sudo nginx -t

If you get an error, then you will have to reopen the configuration file for your domain. This will allow you to fix any typos or missing characters that could be causing the error.

Finally, we are going to reload NGINX to apply the changes we made to the configuration files.

sudo systemctl reload nginx
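
Because Certbot's NGINX plugin locates the server block by its server_name directive, it helps to confirm every domain you plan to pass with -d is actually listed before requesting the certificate. The script below is an added example, not part of the original guide; the function name and the sample configuration are constructed for illustration, and it only handles exact names on a single server_name line.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# Handles exact names on a single server_name line, as in this guide;
# wildcard and regex names are not interpreted.

# missing_server_names CONFIG DOMAIN...
# Prints every DOMAIN that no server_name directive in CONFIG lists.
missing_server_names() {
    msn_conf=$1
    shift
    # Drop comments, keep server_name lines, strip the keyword and the
    # trailing ';', then emit one name per line.
    msn_names=$(sed -e 's/#.*//' "$msn_conf" \
        | grep -E '^[[:space:]]*server_name[[:space:]]' \
        | sed -E 's/^[[:space:]]*server_name[[:space:]]+//; s/;.*$//' \
        | tr -s '[:space:]' '\n')
    for msn_d in "$@"; do
        printf '%s\n' "$msn_names" | grep -qxF -- "$msn_d" \
            || printf '%s\n' "$msn_d"
    done
}

# Constructed sample server block (not a real site configuration):
# www.example.com is missing and old.example.com is commented out.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat >"$sample_conf" <<'EOF'
server {
    listen 80;
    # server_name old.example.com;
    server_name example.com;
    root /var/www/example.com/html;
}
EOF

# Reports the domains Certbot would not find in this file.
missing_server_names "$sample_conf" example.com www.example.com
```

On a real server, point the function at /etc/nginx/sites-available/example.com and pass the same domains you intend to give to certbot.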


Obtaining an SSL Certificate

Certbot obtains the SSL certificate for our website from Let's Encrypt. There are several ways to obtain one, using different plugins. The NGINX plugin takes care of most of the hard work of configuring NGINX and reloading the configuration whenever it's needed. To use the plugin, we are going to run the following command.

sudo certbot --nginx -d example.com -d www.example.com

This command runs the certbot application with the --nginx plugin. The -d flag specifies each domain name the SSL certificate should be valid for.

If this is the first time you are using Certbot on your machine, you will be prompted to enter an email address to receive notifications and to agree to the terms of service. Then it will ask whether you want it to automatically set up a redirect to the https:// version of your website. Here's what the redirection prompt looks like at the time of writing:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice, then hit ENTER. I highly recommend selecting option 2 because it is the fastest and easiest way to complete this step. If you have more experience, then option 1 may be more suited to your needs.

After that, Certbot will finish up anything else it needs to do to generate your certificates. Once Certbot has completed, a message will appear stating that it was successful and where the certificates were stored. The message looks like the following at the time of writing:

 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2021-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certificates are now officially downloaded, installed, and loaded. Now you can try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.
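
The success message above includes an expiry date, so the installation only stays secure if renewal keeps working. The script below is an added example, not part of the original guide: it reads a certificate's notAfter date with openssl and flags it when fewer than 30 days remain, the point at which Certbot's default renewal should already have replaced it. The function names and the sample date are constructed, and it assumes GNU date as shipped on Debian and Ubuntu.

```sh
#!/bin/sh
# Added example, not part of the original guide. Assumes GNU date.

# days_left "notAfter=<date>" [now_epoch]
# Whole days until expiry; zero or negative once the certificate has expired.
days_left() {
    dl_end=$(date -u -d "${1#notAfter=}" +%s) || return 2
    dl_now=${2:-$(date +%s)}
    echo $(( (dl_end - dl_now) / 86400 ))
}

# expiry_status "notAfter=<date>" [min_days] [now_epoch]
# Prints OK or RENEW; returns 1 when fewer than min_days remain.
expiry_status() {
    es_min=${2:-30}
    es_left=$(days_left "$1" "${3:-}") || return 2
    if [ "$es_left" -lt "$es_min" ]; then
        echo "RENEW: $es_left days left"
        return 1
    fi
    echo "OK: $es_left days left"
}

# check_cert PEM [min_days]
# Reads the expiry line from a certificate file and evaluates it.
check_cert() {
    cc_line=$(openssl x509 -noout -enddate -in "$1") || return 2
    expiry_status "$cc_line" "${2:-30}"
}

# Constructed sample: an expiry line in openssl's output format and a
# fixed "current time" 60 days earlier, so the result is reproducible.
sample_end='notAfter=Aug 18 12:00:00 2021 GMT'
sample_now=$(date -u -d '2021-06-19 12:00:00' +%s)
expiry_status "$sample_end" 30 "$sample_now"
```

As root, `check_cert /etc/letsencrypt/live/example.com/fullchain.pem` reads the certificate this guide installed. `sudo certbot renew --dry-run` exercises the renewal path without replacing the certificate.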