How to get free SSL/TLS certificates with Let’s Encrypt and Certbot

Let’s Encrypt is a Certificate Authority which issues free SSL/TLS certificates we can use to enable encryption and secure our websites. All the biggest hosting providers allow their customers to request Let’s Encrypt certificates in a user-friendly way, via administration panels like cPanel or Plesk. If we have SSH access to a remote host, however, we can obtain a Let’s Encrypt certificate from the command line by using Certbot. In this article we learn how to install Certbot on the most used Linux distributions, and how to use it to obtain and manage valid Let’s Encrypt certificates.

In this tutorial you will learn:

  • What is Let’s Encrypt and how it works
  • How to install Certbot on the most used Linux distributions
  • How to use Certbot to obtain and manage valid SSL/TLS certificates
  • How to use Certbot to manage ACME accounts
Software Requirements and Linux Command Line Conventions

Category      Requirements, Conventions or Software Version Used
System        Distribution-agnostic
Software      Certbot
Other         Root privileges to install software
Conventions   # – requires the given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
              $ – requires the given Linux commands to be executed as a regular non-privileged user

Introduction

To be able to issue a valid SSL/TLS certificate, Let’s Encrypt, as a Certificate Authority (CA), needs to verify that we are in control of the domain we want to receive the certificate for. In order to proceed with the domain validation, we need to install a client which is able to talk with Let’s Encrypt during the validation process; the client we will install and use is Certbot.



Before we proceed and see how to install and use Certbot, it may be worth investing some time trying to understand how the domain validation process works. To validate a domain, Let’s Encrypt performs the so-called “challenges”. The most frequently used challenges are HTTP-01 and DNS-01.

The HTTP-01 challenge is the one we will see in action in this tutorial. When this challenge is performed, Let’s Encrypt creates a token and passes it to the client; the client then creates a file on our website under a specific path: http://<OUR-DOMAIN>/.well-known/acme-challenge/<TOKEN>. Let’s Encrypt verifies that the file exists and is valid; if the validation is successful, it issues the certificate. For this challenge to work, our website must be remotely accessible on port 80.

During a DNS-01 challenge, instead, Let’s Encrypt verifies that we are in control of the domain’s DNS records. Once again, the process starts with the CA issuing a token to the client, which uses it as the content of a TXT record it creates specifically for this purpose at _acme-challenge.<OUR_DOMAIN>. Let’s Encrypt queries the DNS for that record; if it finds a match, it issues the certificate.

As we said before, in this case we will stick to the HTTP-01 challenge. Now, let’s see how to install and use Certbot.

Installing Certbot

Certbot is a free and open source ACME (Automatic Certificate Management Environment) client created by the Electronic Frontier Foundation; we can use it to talk to Let’s Encrypt to obtain a valid SSL/TLS certificate and secure our website. Certbot is written in Python (source code is available on GitHub), and it is included in the official repositories of many Linux distributions. To install it on Debian and Debian-based systems, we can run:

$ sudo apt install certbot

To perform the installation on Fedora, instead, we use dnf:

$ sudo dnf install certbot

Unfortunately, Certbot is not officially available on Red Hat Enterprise Linux and its clones (e.g. Rocky Linux). On those systems, however, we can install it with the same command we used on Fedora, once we add the EPEL repository as a software source.

As an alternative, we can install Certbot directly with pip, the Python package manager. Since we should avoid running pip as root, we install the package as an unprivileged user:

$ pip install certbot

Obtaining a valid Let’s Encrypt certificate

The most basic way we can use Certbot is by invoking it with the certonly subcommand. When this subcommand is used, Certbot just tries to obtain a certificate, without creating any webserver-specific configuration:

$ sudo certbot certonly



Once we run the command, Certbot asks us how we want to authenticate with the Certificate Authority. We can choose to spin up a temporary web server, or place the files created during the authentication process in an existing webroot directory. Which one to use depends on whether we already have a web server up and running: if that is not the case, we go for the former option, otherwise for the latter. In this case, for the sake of simplicity, we use option 1:

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

After we select the authentication method, Certbot will ask us to provide the email address where we want to receive renewal and security notices. Just for the sake of this article, I will use a dummy one:

Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): mymail@provider.com

Before we can proceed further, we need to read and accept Let’s Encrypt’s Terms of Service:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

We can decide if we want to allow the Electronic Frontier Foundation to send us emails about news, future initiatives and campaigns:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n

As a last step, we need to enter the domain we want to obtain a certificate for:

Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): mydomain.com

Certbot will let us know if it was able to obtain a certificate:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mydomain.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mydomain.com/privkey.pem
This certificate expires on 2024-06-26.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

The output includes the paths where the certificate and the private key were saved, and the certificate’s expiry date. Existing certificates are automatically renewed by a task scheduled with a systemd timer (/usr/lib/systemd/system/certbot.timer) which runs twice a day. Note that Let’s Encrypt limits the number of requests that can be made in a given interval of time; therefore, if you want to experiment with Certbot, you should use the --dry-run option whenever possible.

Once we know the location of the certificate and the private key, we can modify our web server configuration accordingly. If we don’t want to perform the configuration manually, however, we can instruct Certbot to do it for us. Let’s see how.

Creating a web server configuration automatically

In order to use the certificate we just obtained from Let’s Encrypt, our web server needs to know its location. We can modify the server configuration with the required directives manually, or, if we need to automate the process, we can let Certbot do it for us. Certbot is able to automatically create configurations for Apache and Nginx, thanks to dedicated plugins. To install them on Debian, and Debian-based systems, we run:

$ sudo apt install python3-certbot-apache python3-certbot-nginx

On Fedora-based systems, instead:

$ sudo dnf install python3-certbot-apache python3-certbot-nginx

Once the packages are installed, to let Certbot configure our web server, we can use the --apache or --nginx options. To retrieve a certificate and automatically create an Apache configuration, for example, we would run:

$ sudo certbot --apache

The Apache configuration, on Debian systems, is stored as /etc/apache2/sites-available/000-default-le-ssl.conf. Among other things, it contains the following directives:

ServerName mydomain.com
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

Running Certbot non-interactively

In the previous examples, we ran Certbot interactively. Sometimes, however, user interaction is not possible, so we must run Certbot unattended, providing the requested information via the appropriate flags. In the example below, we try to retrieve a certificate for the “mydomain.com” domain, spawning an ad-hoc web server for authentication:

$ sudo certbot certonly \
 --non-interactive \
 --standalone \
 --email mymail@provider.com \
 --agree-tos \
 --no-eff-email \
 --domains mydomain.com

The first option we used is --non-interactive: it instructs Certbot to run without ever asking for user input, which is exactly what we want to achieve. With the --standalone option we specified that we want to launch a temporary web server and use it for authentication.



We provided the email address we want to use as argument to the --email option, and we used --agree-tos to agree to Let’s Encrypt’s terms and conditions. Furthermore, we specified that we don’t want to share our address with the EFF via the --no-eff-email option. Finally, we passed the domain we want to retrieve the certificate for as argument to --domains.

What if we want Certbot to additionally create an Apache configuration? All we need to do is add the --installer option and pass the name of the plugin which should be used as its argument:

$ sudo certbot \
--non-interactive \
--standalone \
--email mymail@provider.com \
--agree-tos \
--no-eff-email \
--domains mydomain.com \
--installer apache
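The unattended invocation above is usually wrapped in a script, and a script should not hand arbitrary strings to a command run as root. The following is an added example, not code from the article or from the Certbot project: it validates the domain and contact address before Certbot is started, and it appends --dry-run by default so that experiments rehearse the exchange against the Let's Encrypt staging environment instead of consuming production rate limits. The function names valid_domain, valid_email, build_certbot_cmd and issue_cert are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): wrap the unattended
# "certbot certonly --standalone" invocation so that the domain and e-mail
# are checked before Certbot is started, and so that dry-run mode is the
# default. Function names are this example's own.
set -eu

# Accept only a plausible DNS name: labels of letters, digits and hyphens
# (not starting or ending with a hyphen), separated by dots, with at least
# one dot. Whitespace, wildcards and shell metacharacters are rejected.
valid_domain() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Light sanity check for the contact address: one "@" and a dotted domain.
valid_email() {
  printf '%s' "$1" | grep -Eq '^[^@[:space:]]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'
}

# Print the command line for DOMAIN and EMAIL. DRY_RUN ("yes" unless told
# otherwise) appends --dry-run, which makes Certbot rehearse the whole
# exchange against the Let's Encrypt staging environment and obtain no real
# certificate, so repeated experiments do not consume production rate limits.
build_certbot_cmd() {
  domain=$1
  email=$2
  dry_run=${3:-yes}
  valid_domain "$domain" || { echo "invalid domain: $domain" >&2; return 1; }
  valid_email "$email" || { echo "invalid e-mail: $email" >&2; return 1; }
  cmd="certbot certonly --non-interactive --standalone --agree-tos --no-eff-email"
  cmd="$cmd --email $email --domains $domain"
  if [ "$dry_run" = yes ]; then
    cmd="$cmd --dry-run"
  fi
  printf '%s\n' "$cmd"
}

# Build the command and run it as root, as the article does.
# The unquoted expansion is intended: the arguments were validated above and
# contain no whitespace or metacharacters.
issue_cert() {
  cmd=$(build_certbot_cmd "$@") || return 1
  sudo $cmd
}

# Rehearsal with the article's placeholder values (prints the command only).
build_certbot_cmd mydomain.com mymail@provider.com
```

Calling issue_cert mydomain.com mymail@provider.com performs the dry run; passing a third argument other than "yes" (for example issue_cert mydomain.com mymail@provider.com no) requests a real certificate. Note that the --dry-run option is taken from the article's own recommendation above; the validation regexes deliberately reject wildcard names, since the standalone HTTP-01 method cannot validate them.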

Managing certificates

To display information about the certificates we obtained with Certbot, we can use the certificates command:

$ sudo certbot certificates

If a certificate has almost reached its expiry date and we want to renew it immediately, without relying on the scheduled task, we can use the renew command. All the certificates we previously obtained with Certbot will be renewed:

$ sudo certbot renew
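Renewal is only useful if it actually happens: a disabled timer, a firewall that started blocking port 80, or a changed DNS record will make every renewal attempt fail silently until the site breaks. The script below is an added example, not code from the article or from Certbot: it reads the notAfter date out of a certificate file such as /etc/letsencrypt/live/mydomain.com/fullchain.pem and fails when fewer than a chosen number of days remain. It assumes openssl and GNU date are installed; the function names and the self-signed sample certificate (constructed here only so the script runs offline) are this example's own. The 15-day threshold is chosen because Certbot's timer starts trying to renew when 30 days are left, so a certificate that trips it has already missed many attempts.

```shell
#!/bin/sh
# Added example (not from the article): check how much validity a certificate
# file has left, so that a renewal that silently stopped working is noticed
# before browsers start rejecting the site. Needs openssl and GNU date.
# Function names are this example's own.
set -eu

# Exit 0 if the certificate in PEM stays valid for at least DAYS more days,
# 1 if it expires within that window (or has already expired).
# openssl's -checkend takes the window in seconds.
cert_valid_for_days() {
  pem=$1
  days=$2
  openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null
}

# Print the whole number of days between NOW (epoch seconds, default: the
# current time) and the certificate's notAfter date. Negative when expired.
days_until_expiry() {
  pem=$1
  now=${2:-$(date +%s)}
  not_after=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
  end=$(date -d "$not_after" +%s)
  echo $(( (end - now) / 86400 ))
}

# Report on PEM and fail if fewer than THRESHOLD days are left. Certbot's
# timer tries to renew from 30 days before expiry, so 15 days left means
# roughly two weeks of failed attempts.
check_cert() {
  pem=$1
  threshold=${2:-15}
  left=$(days_until_expiry "$pem")
  if cert_valid_for_days "$pem" "$threshold"; then
    echo "OK: $pem has $left day(s) left"
  else
    echo "WARNING: $pem has $left day(s) left, below the $threshold-day threshold" >&2
    return 1
  fi
}

# Constructed sample input: a throw-away self-signed certificate valid for
# DAYS days, standing in for /etc/letsencrypt/live/<domain>/fullchain.pem.
make_sample_cert() {
  out=$1
  days=$2
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" \
    -subj "/CN=mydomain.com" -days "$days" -out "$out" 2>/dev/null
}

# Demonstration: a 20-day certificate passes a 15-day threshold and fails a
# 30-day one.
tmpdir=$(mktemp -d)
make_sample_cert "$tmpdir/fullchain.pem" 20
check_cert "$tmpdir/fullchain.pem" 15 || true
check_cert "$tmpdir/fullchain.pem" 30 || true
rm -rf "$tmpdir"
```

On a real host, check_cert /etc/letsencrypt/live/mydomain.com/fullchain.pem (run as root, since the live directory is not world-readable) can be scheduled from cron or a monitoring agent; a non-zero exit status is the signal to investigate before the certificate lapses. fullchain.pem lists the site certificate first, which is the one openssl x509 reads.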

To revoke a certificate, instead, we can use the revoke command. A certificate can be referenced by name or by path, with the --cert-name and --cert-path options, respectively. In the example below we revoke the certificate named “mydomain.com”:

$ sudo certbot revoke --cert-name mydomain.com

Finally, to delete a certificate we use the delete command:

$ sudo certbot delete --cert-name mydomain.com

Managing the ACME account

We can use Certbot to manage our ACME account. To display information about an account, we use the show_account command:

$ sudo certbot show_account

The command returns information like the account URL and associated email:

Account details for server https://acme-v02.api.letsencrypt.org/directory:
  Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/0000000000
  Email contact: mymail@provider.com

To unregister an account, we can use the unregister command:

$ sudo certbot unregister

We will be prompted to confirm we want to deactivate our account:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Are you sure you would like to irrevocably deactivate your account?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(D)eactivate/(A)bort:



Finally, to register a new account, we use the register command and provide the required information, either interactively or via dedicated options, for example:

$ sudo certbot register --email mymail@provider.com --agree-tos --no-eff-email

Registering an account explicitly is usually not needed, since it is created on the fly the first time we use Certbot, as we saw in previous examples.

Closing thoughts

Ensuring that communications with our website are safe and encrypted is essential. Let’s Encrypt is an open Certificate Authority which issues SSL/TLS certificates free of charge, once it verifies that we are in control of a domain. To be able to talk to Let’s Encrypt during a challenge, we must use an ACME client like Certbot. In this tutorial, we saw how to install Certbot and how to use it to obtain and manage valid certificates.


