How to Generate SSL Certificates with Let's Encrypt on Ubuntu
Learn how to generate SSL certificates with Let's Encrypt on Ubuntu using Certbot. We will also go over how to install Certbot and issues with using snapd on a VPS.
Table of Contents 📖
- What is Let's Encrypt?
- What is Certbot?
- Installing Certbot with Snap vs. APT
- Generating Certificate Files with Certbot
What is Let's Encrypt?
Let's Encrypt is a free and open certificate authority. Certificate authorities store, sign, and issue digital certificates. Digital certificates can be used to authenticate a website's identity and encrypt its connections.
What is Certbot?
Certbot is an automated certificate management tool. We can use it to obtain digital certificates from certificate authorities like Let's Encrypt.
Installing Certbot with Snap vs. APT
Certbot's documentation recommends installing it through snapd. Snapd stands for snap daemon; it is the background service that installs and maintains snaps, self-contained packages that are sandboxed and easy to install. However, if you are using a VPS, snapd won't always work, because snaps rely on Linux kernel features that aren't available in container-based virtualization such as OpenVZ. You can check whether your server is running under OpenVZ with the following command.
sudo systemd-detect-virt
If OpenVZ is being used, the string openvz will be printed to the console. Because of this, we will use Ubuntu's Advanced Packaging Tool (APT) to install Certbot instead.
sudo apt update
sudo apt install certbot
The only drawback of the APT package is that it may lag behind the latest Certbot release, but it should work just fine.
Generating Certificate Files with Certbot
Now let's use Certbot to obtain a certificate from Let's Encrypt. Of course, the domain you supply here must already resolve (via its DNS records) to the public IP address of the server you are running this command on.
certbot certonly --standalone -d <your_domain> --email <your_email>
- certbot - Package used to automatically configure HTTPS using Let's Encrypt.
- certonly - Short for certificate only. Obtains a certificate without installing it anywhere.
- --standalone - Tells Certbot to answer the http-01 challenge with its own built-in web server listening on port 80, so anything already bound to port 80 must be stopped for the duration of the challenge. Other plugins, such as --nginx or --apache, use an existing web server instead.
- -d - The domain we want to obtain a certificate for. You can add multiple -d options for multiple domains.
- --email - Email used for registration and notifications.
Passing this challenge proves to Let's Encrypt that we control the domain; Certbot then places the certificate files in the directory /etc/letsencrypt/live/<domain_name>. If we list the contents of this folder, we can see a few files.
ls /etc/letsencrypt/live/<your_domain>/
README cert.pem chain.pem fullchain.pem privkey.pem
- cert.pem - The server certificate file.
- chain.pem - The intermediate certificate file.
- fullchain.pem - cert.pem followed by chain.pem in a single file. This is useful because certain software, such as Nginx, prefers having the two combined.
- privkey.pem - The private key for the certificate. It must be kept private and readable only by the account that needs it.
These files are all you need to enable HTTPS on a server. Consult the documentation of the service you are using, such as Nginx or Apache, for where to point it at these files.
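As an added example that is not part of the original post, the POSIX shell script below checks a Certbot live directory after `certbot certonly --standalone` has finished: it verifies that the four files listed above are present, that fullchain.pem really is cert.pem followed by chain.pem, and that privkey.pem is not world-readable. The `make_demo_live_dir` helper only builds a throwaway directory with constructed placeholder PEM text so the check can be exercised without a real certificate.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a Certbot
# "live" directory (e.g. /etc/letsencrypt/live/<your_domain>) after
# `certbot certonly --standalone` has finished.

# check_live_dir DIR: returns 0 when DIR holds the four files the post
# lists, fullchain.pem is exactly cert.pem followed by chain.pem, and
# privkey.pem is not readable by "other" users. Problems go to stderr.
check_live_dir() {
    dir=$1
    rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1
    # fullchain.pem should be the server certificate followed by the chain.
    if [ "$(cat "$dir/cert.pem" "$dir/chain.pem")" != "$(cat "$dir/fullchain.pem")" ]; then
        echo "fullchain.pem is not cert.pem + chain.pem" >&2
        rc=1
    fi
    # Columns 8-10 of `ls -l` are the "other" permission bits; -L follows
    # the symlinks Certbot keeps in live/ pointing into archive/.
    others=$(ls -lL "$dir/privkey.pem" | cut -c8-10)
    case $others in
        *r*) echo "privkey.pem is world-readable ($others)" >&2; rc=1 ;;
    esac
    return "$rc"
}

# make_demo_live_dir: throwaway directory holding CONSTRUCTED placeholder
# PEM text (not real certificates or keys); prints its path.
make_demo_live_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-server-cert' '-----END CERTIFICATE-----' > "$d/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-intermediate' '-----END CERTIFICATE-----' > "$d/chain.pem"
    cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-key' '-----END PRIVATE KEY-----' > "$d/privkey.pem"
    chmod 600 "$d/privkey.pem"
    echo "$d"
}

# Stand-alone run against the constructed directory; on a real host call
# check_live_dir /etc/letsencrypt/live/<your_domain> instead.
demo=$(make_demo_live_dir)
check_live_dir "$demo" && echo "demo live dir OK"
rm -rf "$demo"
```

The same check is worth rerunning after `certbot renew`, since Let's Encrypt certificates are short-lived and each renewal rewrites these files.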