How to Use Certbot with Apache and Nginx on Ubuntu and Debian

Certbot is a free, automated tool for obtaining Let’s Encrypt SSL/TLS certificates. This guide covers installation and usage with both Apache and Nginx on Ubuntu.


Prerequisites

  • Ubuntu 20.04+
  • Root or sudo access
  • A registered domain name pointing to your server
  • Port 80 (HTTP) and 443 (HTTPS) open
  • Apache or Nginx installed and running
Note: Your domain must point to this server’s IP for Let’s Encrypt to validate ownership.

Install Certbot

Step 1: Install Snapd

sudo apt update && sudo apt install snapd -y

Step 2: Install Certbot via Snap (Recommended)

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Alternative: Install via APT

sudo apt install -y certbot python3-certbot-apache python3-certbot-nginx
Tip: The Snap version is always up to date; the APT version may be older.

Certbot with Apache

Step 1: Obtain and Install Certificate

sudo certbot --apache

Follow the interactive prompts:

  • Enter your email for renewal notices
  • Agree to Terms of Service
  • Select the domain(s) to enable HTTPS for
  • Choose HTTP-to-HTTPS redirect (recommended)

Step 2: Get Certificate for Specific Domain

sudo certbot --apache -d example.com -d www.example.com

Step 3: Non-Interactive (Automated)

sudo certbot --apache --non-interactive --agree-tos -m admin@example.com -d example.com

Apache SSL Config Location

/etc/apache2/sites-available/example.com-le-ssl.conf

Certbot with Nginx

Step 1: Obtain and Install Certificate

sudo certbot --nginx

Interactive prompts:

  • Enter email for renewal notices
  • Agree to ToS
  • Select domain(s)
  • Choose HTTP-to-HTTPS redirect

Step 2: Get Certificate for Specific Domain

sudo certbot --nginx -d example.com -d www.example.com

Step 3: Non-Interactive

sudo certbot --nginx --non-interactive --agree-tos -m admin@example.com -d example.com

Nginx SSL Config Location

/etc/nginx/sites-available/example.com
# Certbot adds SSL block automatically

Auto-Renewal

Let’s Encrypt certificates expire after 90 days. Certbot configures automatic renewal for you.

Test Renewal

sudo certbot renew --dry-run

Check Timer

sudo systemctl list-timers | grep certbot
sudo systemctl status certbot.timer

Manual Renewal

sudo certbot renew

This renews every certificate that is close to expiry (typically within 30 days of expiry).


Useful Certbot Commands

List Certificates

sudo certbot certificates

Show Certificate Details

sudo certbot certificates --cert-name example.com

Revoke Certificate

sudo certbot revoke --cert-name example.com

Delete Certificate

sudo certbot delete --cert-name example.com

Force Renewal

sudo certbot renew --force-renewal

Check Expiry

openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/fullchain.pem

Certificate Files Location

/etc/letsencrypt/live/example.com/
  ├── cert.pem     # Server certificate
  ├── chain.pem    # Intermediate CA
  ├── fullchain.pem # cert.pem + chain.pem (most common)
  ├── privkey.pem  # Private key (keep secret!)
  └── README
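
An added example (not part of the original guide) that combines the expiry check and the file layout above: it walks every lineage under live/, flags certificates inside the 30-day renewal window, and flags a privkey.pem that other users can access. The function names and the script name audit-certs.sh are illustrative assumptions; stat -c assumes GNU coreutils as shipped on Ubuntu and Debian.

```bash
#!/usr/bin/env bash
# Added example: audit Certbot lineages for upcoming expiry and loose key permissions.
# Function names are illustrative; paths and the 30-day window follow the guide.

# Return 0 if the certificate in $1 stays valid for more than $2 days.
cert_valid_for() {
    openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# Return 0 if the key file $1 (symlinks followed) grants no access to "other".
key_is_private() {
    local mode
    mode=$(stat -L -c '%a' "$1") || return 1
    case "$mode" in
        *0) return 0 ;;   # last octal digit 0: nothing for other users
        *)  return 1 ;;
    esac
}

# Print one line per finding; the return status is the number of findings.
audit_live_dir() {
    local live_dir days findings dir name
    live_dir=${1:-/etc/letsencrypt/live}
    days=${2:-30}
    findings=0
    for dir in "$live_dir"/*/; do
        # Skips the README file, empty directories and an unmatched glob.
        [ -f "$dir/fullchain.pem" ] || continue
        name=$(basename "$dir")
        if ! cert_valid_for "$dir/fullchain.pem" "$days"; then
            echo "EXPIRING: $name expires within $days days (or cannot be parsed)"
            findings=$((findings + 1))
        fi
        if ! key_is_private "$dir/privkey.pem"; then
            echo "KEY-PERMS: $name privkey.pem is accessible to other users"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Runs only when a directory is given, for example:
#   sudo bash audit-certs.sh /etc/letsencrypt/live 30
if [ "$#" -gt 0 ]; then
    audit_live_dir "$@"
fi
```

A non-zero exit status means at least one finding, so the script can be run from cron or a monitoring check.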

HTTP-01 Challenge (Standalone)

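Use this when no web server is listening on port 80 (for example, it is temporarily stopped). Certbot starts its own temporary server on that port to answer the challenge: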

sudo certbot certonly --standalone -d example.com
Note: Stop your web server first: sudo systemctl stop nginx

DNS-01 Challenge (Wildcard)

For wildcard certificates (e.g., *.example.com):

sudo certbot certonly --manual --preferred-challenges dns -d '*.example.com' -d example.com

Certbot will ask you to add a TXT record to your DNS zone.


Webroot Challenge

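Use this when you can’t stop the web server. Certbot writes the challenge file under the webroot given with -w, and the running server serves it: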

sudo certbot certonly --webroot -w /var/www/html -d example.com

Troubleshooting

Certbot Command Not Found

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Domain Validation Fails

Error: “Unable to find a virtual host” or “Domain not found”
  • Ensure DNS records point to this server
  • Port 80 must be reachable from the internet
  • Check firewall: sudo ufw status

Rate Limit Exceeded

# Max 50 certificates/week per domain
sudo certbot certificates  # Check existing certs
sudo certbot delete --cert-name unused-domain

Apache Module Not Enabled

sudo a2enmod ssl
sudo a2enmod rewrite
sudo systemctl restart apache2

Nginx Server Block Missing

sudo nano /etc/nginx/sites-available/example.com
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Certificate Not Renewing

sudo systemctl status certbot.timer
sudo journalctl -u certbot.timer -f
sudo certbot renew --dry-run  # Test renewal

Remove Certbot

sudo snap remove certbot
# or
sudo apt remove --purge certbot python3-certbot-apache python3-certbot-nginx -y

Conclusion

Certbot automates SSL/TLS certificate management:

  • Apache: sudo certbot --apache
  • Nginx: sudo certbot --nginx
  • Renewal: Automatic via systemd timer
  • Certificates: Valid for 90 days
Pro Tip: Always test renewal with sudo certbot renew --dry-run after initial setup.