How to Install Certbot SSL
Securing your website with HTTPS is no longer optional: it is a necessity. Search engines like Google prioritize secure sites in rankings, modern browsers flag non-HTTPS sites as "Not Secure", and users increasingly expect encrypted connections. One of the most reliable, free, and automated ways to obtain and manage SSL/TLS certificates is through Certbot. Developed by the Electronic Frontier Foundation (EFF) in partnership with the Internet Security Research Group (ISRG), Certbot automates the process of obtaining and renewing SSL certificates from Let's Encrypt, a trusted certificate authority (CA).
This guide provides a comprehensive, step-by-step tutorial on how to install Certbot SSL on a variety of web server environments, including Apache, Nginx, and standalone setups. Whether you're managing a personal blog, a small business site, or a production application, understanding how to properly install and maintain SSL certificates with Certbot ensures your site remains secure, compliant, and trusted by visitors and search engines alike.
By the end of this guide, you'll have the knowledge to deploy SSL certificates confidently, avoid common pitfalls, automate renewals, and verify your setup for optimal performance and security.
Step-by-Step Guide
Prerequisites
Before installing Certbot, ensure your system meets the following requirements:
- A registered domain name pointing to your servers public IP address
- A server running a supported operating system (Ubuntu 20.04+, Debian 10+, CentOS 8+, or similar)
- Root or sudo access to the server
- A running web server (Apache, Nginx, or similar) configured to serve content over HTTP on port 80
- Firewall rules allowing inbound traffic on ports 80 (HTTP) and 443 (HTTPS)
It's critical that your domain's DNS A record resolves correctly to your server's IP. If you're using a content delivery network (CDN) or proxy service (e.g., Cloudflare), temporarily disable it during the initial certificate issuance to avoid validation failures. Re-enable it after successful installation.
Step 1: Update Your System
Always begin by ensuring your system packages are up to date. This minimizes compatibility issues and ensures you're working with the latest security patches.
On Ubuntu or Debian:
sudo apt update && sudo apt upgrade -y
On CentOS or RHEL:
sudo yum update -y
Or for newer versions using dnf:
sudo dnf update -y
Step 2: Install Certbot
Certbot is available through multiple package managers and installation methods. The recommended approach is using the official Certbot snap package, which ensures automatic updates and compatibility across distributions.
First, install snapd if it's not already present:
On Ubuntu:
sudo apt install snapd -y
On Debian:
sudo apt install snapd -y
sudo snap install core
sudo snap refresh core
On CentOS/RHEL:
sudo yum install snapd -y
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
Once snapd is installed, install Certbot:
sudo snap install --classic certbot
Alternatively, if you prefer using the system package manager (e.g., for environments where snap is restricted), use:
On Ubuntu/Debian:
sudo apt install certbot -y
On CentOS/RHEL:
sudo dnf install certbot -y
Note: The snap version is preferred because it auto-updates and includes the latest plugins and ACME protocol support.
Step 3: Obtain Your SSL Certificate
Certbot supports multiple plugins that automate certificate issuance based on your web server setup. The most common methods are:
- Apache plugin: automatically configures Apache
- Nginx plugin: automatically configures Nginx
- Webroot plugin: works with any server by placing validation files in your web root
- Standalone plugin: temporarily runs its own web server to validate domain ownership
Option A: Install Certbot for Apache
If you're running Apache, install the Certbot Apache plugin:
sudo snap install --classic certbot
sudo snap install --classic certbot-apache
Then run Certbot with the Apache plugin:
sudo certbot --apache
Certbot will scan your Apache configuration, list available domains, and prompt you to select which domains you want to secure. It will then automatically:
- Request a certificate from Let's Encrypt
- Modify your Apache virtual host files to enable SSL
- Configure redirect from HTTP to HTTPS
- Restart Apache to apply changes
After successful issuance, you'll see a message confirming your certificate location and expiration date.
Option B: Install Certbot for Nginx
For Nginx users, install the Nginx plugin:
sudo snap install --classic certbot
sudo snap install --classic certbot-nginx
Run the command:
sudo certbot --nginx
Certbot will detect your Nginx server blocks, list domains, and guide you through the same process as with Apache. It will:
- Modify your Nginx configuration to include SSL directives
- Set up HTTP to HTTPS redirects
- Reload Nginx to apply the new configuration
Ensure your Nginx configuration includes a valid server_name directive for each domain you wish to secure. Certbot cannot issue certificates for domains not listed in your server blocks.
Option C: Use the Webroot Plugin (For Any Server)
If you're using a server not supported by Certbot plugins (e.g., Caddy, LiteSpeed, or custom setups), or if you want more control over the process, use the webroot plugin. This method places challenge files in your web root directory for Let's Encrypt to validate domain ownership.
First, ensure your web server is configured to serve files from .well-known/acme-challenge/ under your document root. Most servers do this by default, but if not, add this location block:
For Nginx:
location ^~ /.well-known/acme-challenge/ {
    root /var/www/html;
    default_type "text/plain";
    try_files $uri =404;
}
For Apache:
<Directory "/var/www/html/.well-known/acme-challenge">
    AllowOverride None
    Require all granted
</Directory>
Then run:
sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com
Replace /var/www/html with your actual web root path and example.com with your domain(s). You can include multiple domains using additional -d flags.
Option D: Use the Standalone Plugin (No Web Server Running)
If you don't have a web server running or want to issue a certificate without modifying server configs, use the standalone plugin. This temporarily binds to port 80 to complete the HTTP-01 challenge.
Stop your web server first (apache2 or nginx, whichever you run):
sudo systemctl stop apache2    # or: sudo systemctl stop nginx
Then run:
sudo certbot certonly --standalone -d example.com -d www.example.com
After successful issuance, start your web server again:
sudo systemctl start apache2   # or: sudo systemctl start nginx
Step 4: Verify Certificate Installation
Once the certificate is issued, verify it's working correctly.
Check the certificate files location:
sudo ls -l /etc/letsencrypt/live/example.com/
You should see:
- cert.pem: your domain's certificate
- privkey.pem: your private key
- chain.pem: intermediate certificate chain
- fullchain.pem: certificate plus chain (used by most servers)
Test your SSL configuration using online tools such as SSL Labs (see Tools and Resources below).
These tools will confirm whether your certificate is valid and properly chained, and whether your server supports modern protocols (TLS 1.2+, strong ciphers) and secure headers.
Step 5: Configure Automatic Renewal
Let's Encrypt certificates expire after 90 days. Certbot automates renewal, but you must ensure the renewal service is active.
To test the renewal process manually:
sudo certbot renew --dry-run
If this command runs without errors, your setup is correctly configured.
Certbot installs a systemd timer (on modern Linux systems) or a cron job to check for renewal twice daily. To verify the timer is active:
sudo systemctl list-timers | grep certbot
You should see an entry like:
Wed 2024-06-12 02:15:00 UTC 10h left Tue 2024-06-11 02:15:00 UTC 1 day 10h ago certbot.timer certbot.service
If the timer isn't installed, create a cron job:
sudo crontab -e
Add this line to run renewal twice daily:
0 12,0 * * * /usr/bin/certbot renew --quiet
Save and exit. The --quiet flag suppresses output unless an error occurs.
Step 6: Force HTTPS Redirects
Issuing a certificate doesn't automatically redirect HTTP traffic to HTTPS. You must configure your server to enforce SSL.
For Apache: Certbot usually adds a redirect automatically. If not, add this to your virtual host:
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>
For Nginx: Certbot typically adds a server block redirect. If missing, add:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
Always test your configuration before reloading:
Apache:
sudo apache2ctl configtest
Nginx:
sudo nginx -t
Then reload:
sudo systemctl reload apache2
or
sudo systemctl reload nginx
Best Practices
Use Strong SSL/TLS Configuration
After installing your certificate, harden your SSL/TLS configuration to meet current security standards. Avoid outdated protocols like SSLv3 and TLS 1.0/1.1. Use modern ciphers and enable features like HSTS (HTTP Strict Transport Security).
For Nginx, use this recommended configuration:
ssl_protocols TLSv1.2 TLSv1.3;
# Forward-secret AEAD suites only (the Mozilla "intermediate" list; TLS 1.3 suites are built in and not listed here).
# Note: names such as ECDHE-RSA-AES256-GCM-SHA512 do not exist in OpenSSL and would be silently ignored.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=63072000" always;
For Apache:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Same forward-secret suite list as the Nginx example above
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
# Session cache settings are server-level directives (not valid inside a VirtualHost).
# SSLSessionCache takes a storage type and path, and SSLSessionTimeout is in seconds;
# the Nginx-style "shared:SSL:10m" / "10m" values are not accepted by Apache.
# The path below is the Debian/Ubuntu default; adjust it for other distributions.
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionTimeout 600
# Requires mod_headers (sudo a2enmod headers)
Header always set Strict-Transport-Security "max-age=63072000"
Use the Mozilla SSL Configuration Generator to generate tailored configs for your server version.
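The redirect configured in Step 6 and the HSTS header set above are easy to get subtly wrong (a 200 on port 80, a redirect to http://, a max-age of a few seconds). The following script is an added example, not part of this guide or of Certbot: it checks both against a live domain with curl, and its two predicate functions take raw header text so they can also be run against captured responses. The domain is a placeholder; the minimum HSTS age of one year is an assumption, chosen because shorter values offer little protection.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): verify that a site enforces HTTPS and sends HSTS.
# Assumes curl, grep -E and sed -E (GNU or BSD).
set -eu

# http_redirects_to_https HEADERS
# Returns 0 when the plain-HTTP response is a 301/302/307/308 whose Location is an https:// URL.
http_redirects_to_https() {
  local headers=$1
  printf '%s\n' "$headers" | grep -qiE '^HTTP/[0-9.]+ +30[1278]' &&
    printf '%s\n' "$headers" | grep -qiE '^location: +https://'
}

# hsts_present HEADERS [MIN_AGE]
# Returns 0 when a Strict-Transport-Security header with max-age >= MIN_AGE seconds is present.
hsts_present() {
  local headers=$1 min_age=${2:-31536000}
  local age
  age=$(printf '%s\n' "$headers" | tr -d '\r' | grep -iE '^strict-transport-security:' \
        | sed -nE 's/.*max-age=([0-9]+).*/\1/p' | head -n 1)
  [ -n "$age" ] && [ "$age" -ge "$min_age" ]
}

# check_site DOMAIN
# Live check: one line per test, non-zero exit if either fails (usable from cron or CI).
check_site() {
  local domain=$1 rc=0
  local http_headers https_headers
  http_headers=$(curl -sI --max-time 10 "http://$domain/")
  https_headers=$(curl -sI --max-time 10 "https://$domain/")
  if http_redirects_to_https "$http_headers"; then
    echo "$domain: HTTP redirects to HTTPS"
  else
    echo "$domain: NO redirect from HTTP to HTTPS"; rc=1
  fi
  if hsts_present "$https_headers"; then
    echo "$domain: HSTS header present"
  else
    echo "$domain: HSTS header missing or max-age too short"; rc=1
  fi
  return $rc
}

# Usage: check_site example.com
```

Run it after every configuration change and again after the first automatic renewal; a reload that silently drops the redirect block is exactly the kind of regression this catches.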
Monitor Certificate Expiration
Even with automated renewal, set up external monitoring to receive alerts before expiration. Tools like UptimeRobot, Pingdom, or custom scripts can check your certificate's validity and notify you via email or webhook if it's within 15 days of expiry.
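As an added example of such a custom script (not part of this guide or of Certbot), the following turns the `openssl s_client` check from the Command-Line Utilities section and the 15-day threshold above into something you can run from cron, either against the files Certbot wrote under /etc/letsencrypt/live or against the certificate the server actually presents. It assumes GNU date and the openssl CLI; the domain and paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): alert when a certificate is close to expiry.
# Assumes GNU date (Linux) and the openssl command-line tool.
set -eu

# days_left NOTAFTER [NOW_EPOCH]
# NOTAFTER is the line printed by `openssl x509 -enddate -noout`, e.g.
#   notAfter=Jun 11 00:00:00 2024 GMT
# Prints whole days remaining (negative once the certificate has expired).
days_left() {
  local not_after="${1#notAfter=}"
  local now="${2:-$(date -u +%s)}"
  local expiry
  expiry=$(date -u -d "$not_after" +%s)
  echo $(( (expiry - now) / 86400 ))
}

# expiry_status DAYS [THRESHOLD]  ->  OK | WARN | EXPIRED
expiry_status() {
  local days=$1 threshold=${2:-15}
  if [ "$days" -lt 0 ]; then
    echo EXPIRED
  elif [ "$days" -lt "$threshold" ]; then
    echo WARN
  else
    echo OK
  fi
}

# check_pem FILE [THRESHOLD]
# Checks a certificate on disk, e.g. /etc/letsencrypt/live/example.com/cert.pem.
check_pem() {
  local pem=$1 threshold=${2:-15}
  local line days
  line=$(openssl x509 -enddate -noout -in "$pem")
  days=$(days_left "$line")
  printf '%s: %s (%d days left)\n' "$pem" "$(expiry_status "$days" "$threshold")" "$days"
}

# check_host DOMAIN [THRESHOLD]
# Same check against the certificate the live server presents (catches a renewed
# certificate that was never loaded because the server was not reloaded).
check_host() {
  local domain=$1 threshold=${2:-15}
  local line days
  line=$(openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null \
         | openssl x509 -enddate -noout)
  days=$(days_left "$line")
  printf '%s: %s (%d days left)\n' "$domain" "$(expiry_status "$days" "$threshold")" "$days"
}

# Usage: check_host example.com
#        check_pem /etc/letsencrypt/live/example.com/cert.pem
```

Checking the live host rather than only the file on disk is the more valuable of the two: renewal can succeed while the web server keeps serving the old certificate, and only the network-facing check notices.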
Use Multi-Domain (SAN) Certificates
Certbot supports issuing certificates for multiple domains and subdomains in a single certificate using the Subject Alternative Name (SAN) feature. This reduces complexity and management overhead.
sudo certbot --nginx -d example.com -d www.example.com -d blog.example.com -d shop.example.com
Limit your certificate to domains you control. Avoid adding unrelated domains to prevent security risks and certificate revocation issues.
Backup Your Certificates
Back up your entire /etc/letsencrypt directory regularly. This includes private keys, certificates, and renewal configurations. Store backups securely, preferably encrypted and offsite.
sudo tar -czf letsencrypt-backup.tar.gz /etc/letsencrypt
Store this backup in a secure location such as a private cloud storage bucket or encrypted external drive.
Avoid Certificate Overuse
Let's Encrypt imposes rate limits: 5 certificates per domain per week, and 300 new registrations per account per 3 hours. Avoid repeatedly testing with the same domains. Use the staging environment for testing:
sudo certbot certonly --standalone -d example.com --dry-run
Or for staging:
sudo certbot certonly --standalone -d example.com --staging
The staging environment uses a test CA and issues non-trusted certificates, but it's perfect for validating your setup without hitting rate limits.
Disable Weak Protocols and Ciphers
Use tools like SSL Labs to audit your server's SSL configuration. Disable weak ciphers (e.g., RC4, DES, 3DES) and ensure forward secrecy is enabled using ECDHE or DHE key exchange. Always keep your server software updated to patch known vulnerabilities.
Use DNS Validation for Complex Setups
If your server is behind a firewall, proxy, or CDN that blocks port 80, use DNS-01 challenge validation instead of HTTP-01. This requires adding a DNS TXT record to prove domain ownership.
Certbot supports DNS plugins for providers like Cloudflare, Route 53, and GoDaddy. Install the appropriate plugin:
# The Certbot snap must first be allowed to trust DNS plugins, otherwise the plugin install fails
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare
Then authenticate using API credentials and issue the certificate:
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d example.com
This method is ideal for servers without public HTTP access or for wildcard certificates (*.example.com).
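The credentials file passed with --dns-cloudflare-credentials holds an API token that can change your DNS records, so it deserves the same care as a private key. The following is an added example, not part of this guide or of the plugin: it writes the file with mode 0600 under a private directory, refuses to run Certbot if the file is readable by anyone else, and then issues the certificate. It assumes GNU stat; dns_cloudflare_api_token is the key name the Cloudflare plugin reads, and the token and domain values are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): create the credentials file for certbot-dns-cloudflare
# and verify it is private before running Certbot. Assumes GNU stat.
set -eu

# write_cloudflare_credentials PATH TOKEN
# Creates PATH (and its directory) so that only the owner can read the API token.
write_cloudflare_credentials() {
  local path=$1 token=$2
  mkdir -p "$(dirname "$path")"
  chmod 700 "$(dirname "$path")"
  # umask in a subshell so the caller's umask is left untouched
  ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$token" > "$path" )
  chmod 600 "$path"   # enforce even if the file already existed with looser bits
}

# credentials_are_private PATH  ->  0 if the mode is exactly 0600, 1 otherwise
credentials_are_private() {
  [ "$(stat -c %a "$1")" = "600" ]
}

# issue_with_dns PATH DOMAIN_ARGS...
# Runs the DNS-01 issuance only once the credentials file is private.
issue_with_dns() {
  local creds=$1; shift
  if ! credentials_are_private "$creds"; then
    echo "refusing to run: $creds must be mode 0600" >&2
    return 1
  fi
  sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials "$creds" "$@"
}

# Usage (placeholder token and domain):
#   write_cloudflare_credentials /root/.secrets/certbot/cloudflare.ini 'REPLACE_WITH_API_TOKEN'
#   issue_with_dns /root/.secrets/certbot/cloudflare.ini -d example.com -d '*.example.com'
```

Scope the API token to the one zone and to DNS edit permissions only when you create it in the Cloudflare dashboard; the file permissions protect the token on the server, but a minimally scoped token limits the damage if it does leak.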
Tools and Resources
Essential Tools
- Certbot: official client for Let's Encrypt. Available at certbot.eff.org
- SSL Labs SSL Test: free, in-depth analysis of your SSL/TLS configuration. ssllabs.com
- Why No Padlock?: identifies mixed content and insecure resources on HTTPS pages. whynopadlock.com
- Mozilla SSL Config Generator: generates secure server configs for Apache, Nginx, and more. mozilla.github.io
- Let's Encrypt Documentation: official guides, rate limits, and API details. letsencrypt.org/docs
- ACME Protocol Specification: technical documentation for certificate automation. RFC 8555
Command-Line Utilities
Use these tools to verify and troubleshoot your SSL setup:
- openssl s_client -connect example.com:443 -servername example.com: inspect certificate details
- curl -I https://example.com: check HTTP headers, including HSTS
- ssllabs-scan example.com: command-line version of SSL Labs (requires installation)
- certbot certificates: list all installed certificates and their expiration dates
Automation and Monitoring
For enterprise environments, consider integrating Certbot with configuration management tools:
- Ansible: automate Certbot deployment across multiple servers
- Puppet: enforce SSL certificate state across infrastructure
- Terraform: provision certificates as part of cloud infrastructure
- Prometheus + Alertmanager: monitor certificate expiration with custom exporters
Example Ansible task to install Certbot on Ubuntu:
- name: Install snapd
  apt:
    name: snapd
    state: present
- name: Install Certbot
  snap:
    name: certbot
    classic: yes
- name: Obtain SSL certificate
  command: certbot --nginx -d {{ domain }} --noninteractive --agree-tos -m {{ email }}
  args:
    chdir: /root
  register: cert_result
- name: Restart nginx
  systemd:
    name: nginx
    state: restarted
  when: cert_result.changed
Real Examples
Example 1: WordPress Site on Ubuntu with Nginx
A small business runs a WordPress site on Ubuntu 22.04 with Nginx. They want to enable HTTPS to improve SEO and secure login forms.
Steps taken:
- Confirmed DNS A record points to server IP
- Installed Nginx and configured server block for example.com and www.example.com
- Installed Certbot and the Nginx plugin
- Executed sudo certbot --nginx and selected both domains
- Verified redirect to HTTPS was added
- Tested site with SSL Labs and received an A+ rating
- Configured WordPress to use HTTPS in Settings > General
- Used a plugin to fix mixed content issues
Result: Site now loads securely, Google Search Console reports no security issues, and bounce rate decreased by 18% due to improved user trust.
Example 2: API Server Behind Cloudflare
A developer hosts a REST API on a private server with no public HTTP access. Cloudflare is used for DNS and caching, blocking direct HTTP access.
Steps taken:
- Temporarily set Cloudflare DNS proxy to DNS only (grey cloud)
- Used Certbot's DNS-01 plugin with Cloudflare API token
- Generated a wildcard certificate for *.api.example.com
- Updated Nginx to use fullchain.pem and privkey.pem
- Re-enabled Cloudflare proxy
- Configured API clients to trust Let's Encrypt root CA (most modern clients do by default)
Result: API endpoints now serve valid TLS certificates, enabling secure communication with mobile apps and third-party services.
Example 3: Multi-Domain E-Commerce Platform
An e-commerce platform hosts multiple subdomains: example.com, shop.example.com, blog.example.com, and api.example.com.
Steps taken:
- Issued a single certificate covering all domains: certbot --nginx -d example.com -d shop.example.com -d blog.example.com -d api.example.com
- Configured Nginx to use the same certificate across all virtual hosts
- Set up automated renewal via systemd timer
- Added HSTS header with includeSubDomains directive
- Monitored expiration using a custom script that emails the ops team 30 days in advance
Result: Simplified certificate management, reduced risk of misconfiguration, and improved performance by avoiding multiple certificate handshakes.
FAQs
Is Certbot free to use?
Yes. Certbot is open-source and free. It obtains certificates from Let's Encrypt, which also offers free SSL/TLS certificates. There are no fees for issuance or renewal.
Can I use Certbot on Windows?
Certbot is primarily designed for Linux and Unix-like systems. While unofficial ports exist, they are not recommended for production. For Windows, consider using Win-ACME (WACS), a popular .NET-based ACME client.
What happens if my certificate expires?
If your certificate expires, browsers will display a security warning to visitors, and your site may be flagged as insecure. Search engines may lower your ranking. Automatic renewal prevents this, but if it fails, you must manually renew using sudo certbot renew.
Can I use Certbot with shared hosting?
Most shared hosting providers do not allow shell access or root privileges, making Certbot installation impossible. However, many providers (e.g., SiteGround, Bluehost, A2 Hosting) now offer free Let's Encrypt certificates via their control panels. Use their built-in tools instead.
Do I need to restart my server after renewal?
Usually not. Certbot's Apache and Nginx plugins automatically reload the server. If you're using the webroot or standalone method, you must manually reload your server after renewal: sudo systemctl reload nginx or sudo systemctl reload apache2.
How often does Certbot renew certificates?
Certbot checks for renewal twice daily. It will only renew certificates if they are within 30 days of expiration. This prevents unnecessary renewals and avoids hitting Let's Encrypt rate limits.
Can I get a wildcard certificate with Certbot?
Yes. Use the DNS-01 challenge with a supported DNS plugin. For example: sudo certbot certonly --dns-cloudflare -d '*.example.com' (quote the wildcard so the shell does not expand it). Wildcard certificates secure all subdomains under a single certificate.
Why is my site still showing as Not Secure after installing Certbot?
This usually occurs due to:
- Mixed content (HTTP resources loaded on HTTPS pages)
- Missing or misconfigured HTTP to HTTPS redirect
- Incorrect domain in the certificate (e.g., cert issued for www.example.com but user visits example.com)
- Browser cache holding old insecure state
Use browser developer tools (Network tab) to identify insecure resources and fix them. Clear your browser cache or test in an incognito window.
Is Lets Encrypt trusted by browsers?
Yes. Let's Encrypt is a trusted root certificate authority. Its certificates are recognized by all major browsers (Chrome, Firefox, Safari, Edge) and operating systems.
Can I use Certbot for internal or private domains?
No. Let's Encrypt only issues certificates for publicly resolvable domain names. Private domains (e.g., internal.local, 192.168.1.10) cannot be validated. For internal use, consider setting up your own private CA or using a commercial CA that supports internal names.
Conclusion
Installing Certbot SSL is one of the most impactful security and performance improvements you can make to your website. By automating certificate issuance and renewal, Certbot eliminates the complexity and cost traditionally associated with SSL/TLS deployment. Whether you're running a simple blog or a complex enterprise application, the steps outlined in this guide provide a reliable, secure, and scalable foundation for HTTPS.
Remember: SSL isn't a one-time setup. It requires ongoing maintenance. Regularly test your configuration, monitor expiration dates, and keep your server software updated. By following best practices (using strong ciphers, enforcing HTTPS redirects, and backing up your certificates), you ensure your site remains secure, trusted, and compliant with modern web standards.
With Certbot and Let's Encrypt, high-quality encryption is no longer a luxury; it's accessible to everyone. Take the next step today: install Certbot, secure your domain, and give your users the safe, seamless experience they expect.