Install Let's Encrypt TLS Certs

This document covers how to install Let's Encrypt TLS certificates using either the Apache or nginx webserver on Debian Linux systems and derivatives like Ubuntu.

Note

Sometimes you need certificates for something else, like running your own mailserver. We still set up a basic webserver for this, in order to easily install and renew certificates.

Important

This quick tutorial is intended for new “vanilla” servers that do not already have a website up and running on them. There is a small addendum below for sites already running a framework / website which can be tried in case the basic commands don’t work.

To start, you will need a server and a domain name with DNS A records pointing to that server.

Installation with Apache

Install the Apache webserver:

apt install apache2

Install certbot:

apt install certbot python3-certbot-apache

Install your certificate, substituting your domain for <EXAMPLE.COM>:

certbot --apache -d <EXAMPLE.COM>

Answer the questions and you should be all set. You should see that a new Apache configuration file has been created and enabled at /etc/apache2/sites-enabled/000-default-le-ssl.conf.

Installation with nginx

Install the nginx webserver:

apt install nginx

Install certbot:

apt install certbot python3-certbot-nginx

Install your certificate, substituting your domain for <EXAMPLE.COM>:

certbot --nginx -d <EXAMPLE.COM>

Answer the questions and you should be all set. You should see that a new nginx configuration file has been created and enabled at /etc/nginx/sites-enabled/default-le-ssl.conf.

Troubleshooting

Sometimes the “vanilla” instructions will not work when you already have a site / framework running, due to things like .htaccess files getting in the way by rewriting URLs (WordPress is a notable example of this).

A possible simple workaround is to temporarily move your web root directory out of the way. For example if your webroot is at /var/www/html:

mv /var/www/html /var/www/html_tmp

Then create a new temporary empty one:

mkdir /var/www/html

Try running certbot again, this time with an empty webroot. Hopefully this works and you are good to go. Either way, you’ll want to clean up by removing your temporary webroot, which should be empty:

rmdir /var/www/html

And move html_tmp, with your website code, back in place:

mv /var/www/html_tmp /var/www/html
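
The workaround above as a single shell function, so the real site is put back even when certbot fails or leaves files in the temporary webroot. This is an added example, not part of the original tutorial; the function name with_empty_webroot and the _leftover suffix are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example: run a command (normally certbot) against a temporarily empty
# webroot and always move the real site back, even if the command fails.
# The function name and the "_leftover" suffix are assumptions of this example.

with_empty_webroot() {
    local webroot="${1%/}"; shift
    local saved="${webroot}_tmp" rc=0

    [ -d "$webroot" ] || { echo "no such webroot: $webroot" >&2; return 2; }
    # An html_tmp left over from an earlier attempt holds the real site;
    # refuse to continue rather than overwrite or nest it.
    [ ! -e "$saved" ] || { echo "$saved already exists, restore it first" >&2; return 2; }

    mv "$webroot" "$saved" || return 2
    if ! mkdir "$webroot"; then
        # Could not create the empty webroot: put the site back immediately.
        mv "$saved" "$webroot"
        return 2
    fi

    # Run the wrapped command and remember its exit status instead of aborting,
    # so the restore steps below always run.
    "$@" || rc=$?

    # The temporary webroot should be empty. If it is not, keep its contents
    # for inspection rather than deleting files this script did not create.
    if ! rmdir "$webroot" 2>/dev/null; then
        mv "$webroot" "${webroot}_leftover.$$"
        echo "temporary webroot was not empty, kept as ${webroot}_leftover.$$" >&2
    fi

    mv "$saved" "$webroot" || return 2
    return "$rc"
}

# Usage on the server (as root), with the paths used in this document:
#   with_empty_webroot /var/www/html certbot --apache -d <EXAMPLE.COM>
```

The function returns the wrapped command's exit status, or 2 if the webroot could not be swapped or restored.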