Install & Configure Certbot on Ubuntu 16.04 LTS & Debian 9

Written by
Kyler
on September 6, 2017

If you want to enable https on your site, you’ll need an SSL certificate from a certificate authority (CA). Remember the old days, when you had to pay an arm and a leg to get an SSL certificate for your site? Those days are over!

Let’s Encrypt (https://letsencrypt.org) is an open source CA that you can use to install SSL certificates for your websites (it’s a beautiful thing). This guide shows you how to install and configure Certbot with nginx on both Debian 9 and Ubuntu 16.04 LTS. By the way, you’ll need shell (SSH) access. If you use cPanel to control your websites, your host will have to provide this setup for you.

Debian 9

At this time, the Debian 9 client must be installed from the Stretch backports. Edit your /etc/apt/sources.list file and add the following:

deb http://ftp.debian.org/debian stretch-backports main

Install the Certbot Client

From a server command line, type in the following command:

$ sudo apt-get update

Once you’ve downloaded the latest updates, type the following to install the Certbot client:

$ sudo apt-get install python-certbot-nginx -t stretch-backports

Ubuntu 16.04 LTS

When installing and configuring Certbot on Ubuntu, there is an nginx client that automates some of the process, which is really nice!

Add the Certbot Nginx Client

Enter the following at your command line. You’ll notice the add-apt-repository command adds a specific certbot PPA to your repository list:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

Obtain the Certificates (Debian & Ubuntu)

Enter the following command:

$ sudo certbot --nginx

You’ll see all of the websites listed with numbers. BE CAREFUL here. Do not hit enter and pull certs for all the sites. Enter in the site numbers separated by commas:

127: www.test.com
128: outergain.com
129: www.outergain.com

-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 128,129

Certbot will then ask whether to force HTTPS. Choose option 2:

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Your site should be ready! The nginx client plugin will automatically add the required information to your nginx server block. If for any reason this doesn’t happen, see the Debian 9 steps above for the required information.

*Note: As of January 2018 the Certbot nginx client has an issue on certain platforms. A fix is in progress, but for now you’ll need to use the following command:

certbot --authenticator webroot --installer nginx

Renewing Certificates

Let’s Encrypt certificates are good for 90 days. To renew any certificates about to expire, the command is:

certbot renew

To renew automatically, run the command from a cron job. The command to run from cron is:

/usr/bin/certbot renew --quiet

Make sure /usr/bin/certbot is the correct path. You can test this by trying the line straight from the server command line. Now, to add this to your cron jobs, type in:

sudo crontab -e

Add the following line to root’s crontab. A crontab edited this way has no user field, so the line goes straight from the schedule to the command:

0 1 * * * /usr/bin/certbot renew --quiet

The above will check for renewals every day (once a day is recommended). If you’d like assistance on understanding the cron format, visit this site: https://crontab.guru
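
A cron-driven renewal that keeps failing is only noticed if cron's mail is delivered and read, so an independent check is useful. The following is an added example, not part of the original post: it reads the text printed by `certbot certificates` and flags certificates that are invalid or close to expiry. The function name `stale_certs`, the `.example` domains and the sample output are constructed for illustration, and the script assumes certbot's output follows the layout shown in the sample.

```shell
#!/bin/sh
# Added example. Real use (as root): certbot certificates 2>/dev/null | stale_certs 30
# certbot renews a certificate once it has fewer than 30 days left, so anything
# reported below that mark means the cron-driven renewal is not succeeding.

# stale_certs LIMIT_DAYS: read `certbot certificates` text on stdin, print
# "name: status" for every certificate that is INVALID or has fewer than
# LIMIT_DAYS days left. Exit status is 1 if anything was printed, else 0.
stale_certs() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ && match($0, /\((VALID|INVALID): .*\)/) {
            # Status is the parenthesised tail, e.g. "VALID: 89 days"
            status = substr($0, RSTART + 1, RLENGTH - 2)
            if (status ~ /^VALID: [0-9]+ days?$/) {
                split(status, f, " ")
                left = f[2] + 0
            } else if (status ~ /^VALID: [0-9]+ hour/) {
                left = 0        # less than a day remaining
            } else {
                left = -1       # INVALID: EXPIRED, REVOKED or TEST_CERT
            }
            if (left < limit) { print name ": " status; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample of `certbot certificates` output (hypothetical domains).
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: a.example
    Domains: a.example www.a.example
    Expiry Date: 2018-03-01 10:00:00+00:00 (VALID: 61 days)
  Certificate Name: b.example
    Domains: b.example
    Expiry Date: 2018-01-12 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: c.example
    Domains: c.example
    Expiry Date: 2017-12-20 10:00:00+00:00 (INVALID: EXPIRED)
EOF
}

sample_output | stale_certs 30 || echo "renewal needs attention"
```

Run from a second cron entry or a monitoring agent, the non-zero exit status is what signals that a certificate needs attention.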

And that’s it! Now you can add SSL capabilities to your sites, and let cron handle the certificate renewals. Congrats on installing and configuring Certbot on your Ubuntu 16.04 LTS or Debian 9 server!

3 thoughts on “Install & Configure Certbot on Ubuntu 16.04 LTS & Debian 9”

  1. Under apache + debian stretch

    python-certbot-apache : Depends: certbot (>= 0.19.0~) but it is not going to be installed
    Depends: python-acme but it is not going to be installed
    Depends: python-certbot but it is not going to be installed
    E: Unable to correct problems, you have held broken packages.
