Install Free SSL Certificate on Apache / Nginx

Switch to the root user and use the commands below to add the Let's Encrypt certbot repository and install the certificate tool and its dependencies:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update

If you run the Apache web server, install certbot for Apache using the command below:

$ sudo apt-get install python-certbot-apache

If you run the Nginx web server, install certbot for Nginx using the command below:

$ sudo apt-get install python-certbot-nginx


You can generate a certificate for one or multiple domains with a single command. After you run the command, the certbot client automatically obtains the certificate or certificates for the list provided in the command. The first domain in the list is the base domain; subdomains or aliases follow it.

For Apache:

$ sudo certbot --apache -d -d

For Nginx:

$ sudo certbot --nginx -d -d

The generated certificate files and private key are stored under /etc/letsencrypt/live, with a directory created there for each domain. The Apache or Nginx configuration changes for the domains are added automatically to the respective domain configurations under /etc/nginx/sites-available or /etc/apache2/sites-available. Running the above commands also adds the respective SSL rules to those configuration files.

Check on :


Let’s Encrypt certificates are valid for only 90 days. However, the installed certbot package takes care of renewal by running twice a day through a systemd timer. On non-systemd distributions you can set up renewal through a cron script placed in /etc/cron.d. This task runs twice per day and renews certificates that will expire within 30 days.

To test the certificate renewal process, you can do a dry run with certbot using the command below:

$ sudo certbot renew --dry-run

If you receive no errors, you’re all done. In the renewal process, Certbot renews your certificates and reloads Apache to pick up the changes. If this process fails, Let’s Encrypt will send an email to the address you specified, with a message when your certificate is about to expire.

In case you get an error in certificate validation or the http-01 challenge, check your DNS entries for IPv4 and IPv6 records and confirm whether they point to the same server. Also check whether both IPv6 and IPv4 respond on ports 80 and 443.
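
A pre-flight for the DNS and port checks described above, as an added example that is not part of the original post or of certbot: it resolves the domain's IPv4 and IPv6 records and tests TCP ports 80 and 443 on every address returned. The function names lookup, probe and preflight are this example's own, and it assumes bash, glibc's getent and the coreutils timeout command.

```bash
#!/usr/bin/env bash
# Added example (not certbot's own code): HTTP-01 pre-flight for one domain.

# Print the unique addresses of one family ($1 = ahostsv4 | ahostsv6) for $2.
# glibc answers ahostsv6 with IPv4-mapped ::ffff: addresses when the name
# has no AAAA record; those are dropped so only real IPv6 records remain.
lookup() {
  getent "$1" "$2" | awk '$1 !~ /^::ffff:/ {print $1}' | sort -u
}

# Succeed if a TCP connection to address $1, port $2 opens within 5 seconds.
probe() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Check ports 80 and 443 on every IPv4 and IPv6 address of the domain.
# Prints one line per check and returns non-zero if any address/port fails.
preflight() {
  local domain=$1 rc=0 fam addrs addr port
  for fam in ahostsv4 ahostsv6; do
    addrs=$(lookup "$fam" "$domain")
    if [ -z "$addrs" ]; then
      echo "info $fam: no record for $domain"
      continue
    fi
    for addr in $addrs; do
      for port in 80 443; do
        if probe "$addr" "$port"; then
          echo "ok   $addr port $port"
        else
          echo "FAIL $addr port $port"
          rc=1
        fi
      done
    done
  done
  return "$rc"
}

# Run only when a domain is given on the command line.
if [ "$#" -gt 0 ]; then
  preflight "$1"
fi
```

Compare the printed addresses with the server's own public IPv4 and IPv6 addresses: a stale AAAA record shows up as an address that belongs to a different machine or as a FAIL line for the IPv6 address only.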
