Configure Let’s Encrypt on Linux to secure your websites with free SSL/TLS certificates from a trusted Certificate Authority. Let’s Encrypt makes it easy to enable HTTPS, enhancing your site’s security, privacy, and credibility—all at no cost and with automated renewal options.

This guide will walk you through the process of installing and configuring Let’s Encrypt SSL certificates on your Linux-based server.
Prerequisites
Before configuring Let’s Encrypt on Linux, ensure that you have the following:
- Linux Distribution: Let’s Encrypt can be configured on most Linux distributions like Ubuntu, CentOS, Debian, and others.
- Root Access: You need root or sudo access to install and configure Let’s Encrypt.
- Web Server: A web server, like Apache, Nginx, or any other server that can handle SSL certificates, is required.
- Domain Name: You must have a registered domain name pointing to your server’s public IP address.
- Firewall: Ensure that ports 80 (HTTP) and 443 (HTTPS) are open on your firewall for Let’s Encrypt to perform domain validation.
These prerequisites ensure that Let’s Encrypt will be configured correctly and securely.
Configure Let’s Encrypt on Linux
Configuring Let’s Encrypt on Linux allows you to secure your website with a free SSL/TLS certificate. This not only encrypts data between your server and visitors but also boosts trust and SEO. Follow these steps to set up and auto-renew certificates using Certbot or other tools.
Install Certbot (Let’s Encrypt Client)
Certbot is the recommended client for Let’s Encrypt that automates the process of obtaining and installing SSL certificates. The first step in the process is installing Certbot.
- For Ubuntu/Debian
Update your package list and install Certbot:
sudo apt update
sudo apt install certbot
- For CentOS/RHEL
For CentOS 7 and later, enable the EPEL repository and install Certbot:
sudo yum install epel-release
sudo yum install certbot
- For CentOS 8, use the DNF package manager:
sudo dnf install certbot
For Nginx or Apache
To use Certbot with Nginx or Apache, you may need to install the specific plugin for your web server:
- For Apache:
sudo apt install python3-certbot-apache # Ubuntu/Debian
sudo yum install certbot-apache # CentOS/RHEL
- For Nginx:
sudo apt install python3-certbot-nginx # Ubuntu/Debian
sudo yum install certbot-nginx # CentOS/RHEL
Obtain and Install the SSL Certificate
Once Certbot is installed, you can use it to obtain and install your SSL certificate from Let’s Encrypt.
- For Apache
If you’re using Apache, Certbot can automatically configure SSL for you by running the following command:
sudo certbot --apache
Certbot will ask for your email address (for renewal notifications) and prompt you to agree to the terms of service. After that, Certbot will automatically obtain the certificate, install it, and configure Apache to use the SSL certificate.
- For Nginx
If you’re using Nginx, run the following command to obtain and install the certificate:
sudo certbot --nginx
Just like with Apache, Certbot will ask for your email address and prompt you to agree to the terms of service. It will then obtain the certificate and configure Nginx automatically.
- Manual Mode (for other servers)
If you are using a web server other than Apache or Nginx or need to configure the certificate manually, you can run Certbot in manual mode. This will guide you through the steps to generate the certificate:
sudo certbot certonly --manual
This mode will require you to place a challenge file in your web root or configure DNS records to prove domain ownership.
Test the SSL Configuration
Once you’ve obtained and installed the certificate, it’s important to test the SSL setup to ensure it’s working correctly.
- Check SSL Certificate Status
You can check the status of your certificate using this command:
sudo certbot certificates
This will display details of your current certificates, including expiration dates.
- Verify SSL Installation
To verify that your SSL certificate is properly installed, you can visit your website using HTTPS in a browser. You should see the padlock icon in the address bar, indicating that the connection is secure. Alternatively, use online SSL checkers like SSL Labs SSL Test to verify your server’s SSL configuration.
Automate Certificate Renewal
Let’s Encrypt certificates are valid for 90 days, so it’s crucial to set up automatic renewal to avoid expiration. Fortunately, Certbot can automatically renew certificates.
- Check the Renewal Command
To check if Certbot is set up to renew certificates automatically, use the following command to simulate the renewal process:
sudo certbot renew --dry-run
This will run a simulated renewal to ensure that the process will work when the certificate is actually due for renewal.
- Automate with Cron (for Ubuntu/Debian)
Certbot installs a cron job automatically on Ubuntu/Debian systems to handle renewals. You can confirm that it’s set up by checking the cron jobs:
sudo crontab -l
You should see an entry like this for automatic renewal:
0 */12 * * * certbot renew --quiet
This ensures that Certbot will check for certificate renewal twice a day.
- Automate with Systemd (for CentOS/RHEL)
For CentOS and RHEL, Certbot uses systemd timers. You can check the timer with:
sudo systemctl list-timers | grep certbot
You should see an entry like this:
certbot.timer <next scheduled time> <last run time>
This confirms that Certbot will handle automatic renewals.
Reconfigure SSL Settings
After setting up SSL, you may want to enhance security by tweaking your server’s SSL settings. For both Apache and Nginx, you can adjust your SSL configuration to disable weak ciphers and enforce stronger encryption.
- For Apache
In the Apache configuration file (/etc/apache2/sites-available/your-site.conf), ensure that the following settings are included to enforce strong SSL/TLS settings:
SSLEngine on
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
# Also disable TLS 1.0 and 1.1 so that only TLS 1.2 and newer remain
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
- For Nginx
In the Nginx server block configuration (/etc/nginx/sites-available/your-site), add these settings for improved SSL security:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:...';
ssl_prefer_server_ciphers on;
After making changes to the configuration, don’t forget to restart Apache or Nginx to apply the changes.
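To confirm the protocol settings after editing, the following added example (not part of the original guide) reads configuration text and reports any Nginx `ssl_protocols` or Apache `SSLProtocol` line that still enables SSLv2, SSLv3, TLS 1.0 or TLS 1.1. The function names and sample lines are constructed, and the handling of Apache's `all` keyword is a simplifying assumption noted in the code.

```shell
#!/bin/sh
# Added example: list legacy protocol versions that an Nginx ssl_protocols
# or Apache SSLProtocol directive leaves enabled. Config text is read on stdin.

weak_protocols() {
    awk '
        BEGIN { n = split("SSLv2 SSLv3 TLSv1 TLSv1.1", weak, " ") }
        { sub(/#.*/, ""); gsub(/;/, "") }   # strip comments and the Nginx ";"
        $1 == "ssl_protocols" || $1 == "SSLProtocol" {
            split("", on)                   # effective set for this directive
            for (i = 2; i <= NF; i++) {
                tok = $i; sign = "+"
                if (tok ~ /^[+-]/) { sign = substr(tok, 1, 1); tok = substr(tok, 2) }
                if (tok == "all") {
                    # Assumption: treat Apache "all" as covering SSLv3 and the
                    # old TLS versions (SSLv3 depends on the OpenSSL build).
                    for (j = 2; j <= n; j++) on[weak[j]] = (sign == "+")
                } else {
                    on[tok] = (sign == "+")
                }
            }
            for (j = 1; j <= n; j++)
                if (on[weak[j]]) print NR ": " $1 " enables " weak[j]
        }
    '
}

# Constructed sample lines: a weak and a hardened setting for each server.
sample_config() {
    cat <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;      # weak Nginx
ssl_protocols TLSv1.2 TLSv1.3;            # hardened Nginx
SSLProtocol all -SSLv2 -SSLv3             # weak Apache
SSLProtocol -all +TLSv1.2 +TLSv1.3        # hardened Apache
EOF
}

sample_config | weak_protocols
```

Against a real file, pipe it in with `weak_protocols < /etc/nginx/sites-available/your-site`; no output means no legacy protocol is enabled by the directives it found.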
Conclusion
In this article, we’ve covered how to configure Let’s Encrypt on Linux, from installation to certificate renewal. By following the steps in this guide, you can easily set up free SSL certificates on your Linux-based server, enabling HTTPS for your websites and enhancing security.
Let’s Encrypt is a valuable tool for securing your web applications without the need for costly certificates. With automated certificate renewal and easy configuration, Let’s Encrypt is the ideal solution for keeping your websites secure and trustworthy.