This tutorial will show you how to set up a TLS/SSL certificate from Let’s Encrypt on an Ubuntu 14.04 server running Apache as a web server. We will also cover how to automate the certificate renewal process using a cron job.
SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.
In order to complete this guide, you will need:
- An Ubuntu 14.04 server
- The Apache web server installed
When you are ready to move on, log into your server using your sudo-enabled account.
Step 1 — Download the Let’s Encrypt Client
The first step to using Let’s Encrypt to obtain an SSL certificate is to install the
certbot software on your server. The Certbot developers maintain their own Ubuntu software repository with up-to-date versions of the software. Because Certbot is in such active development it’s worth using this repository to install a newer Certbot than provided by Ubuntu.
First, add the repository:
sudo add-apt-repository ppa:certbot/certbot
You’ll need to press
ENTER to accept. Afterwards, update the package list to pick up the new repository’s package information:
sudo apt-get update
And finally, install Certbot from the new repository with
sudo apt-get install python-certbot-apache
certbot Let’s Encrypt client is now ready to use.
Step 2 — Set Up the SSL Certificate
Generating the SSL Certificate for Apache using the
certbot Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.
To execute the interactive installation and obtain a certificate that covers only a single domain, run the
certbot command with:
sudo certbot --apache -d example.com
Please DON’T USE example.com, you MUST use the real name of the domain you are setting the certificate for 🙂
If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases:
sudo certbot --apache -d example.com -d www.example.com
For this example, the base domain will be
You will be prompted to provide an email address for lost key recovery and notices, and you will be need to agree to the Let’s Encrypt terms of service. You’ll then be asked to choose between enabling both
https access or force all requests to redirect to
When the installation is finished, you should be able to find the generated certificate files at
/etc/letsencrypt/live. You can verify the status of your SSL certificate with the following link (don’t forget to replace example.com with your base domain):
You should now be able to access your website using a
Step 3 — Set Up Auto Renewal
Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. We’ll need to set up a regularly run command to check for expiring certificates and renew them automatically.
To run the renewal check daily, we will use
cron, a standard system service for running periodic jobs. We tell
cron what to do by opening and editing a file called a
sudo crontab -e
Your text editor will open the default crontab which is a text file with some help text in it. Paste in the following line at the end of the file, then save and close it:
. . .
15 3 * * * /usr/bin/certbot renew --quiet
15 3 * * * part of this line means “run the following command at 3:15 am, every day”. You may choose any time.
renew command for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days.
--quiet tells Certbot not to output information nor wait for user input.
cron will now run this command daily. Because we installed our certificates using the
--apache plugin, Apache will also be reloaded to ensure the new certificates are used.