(This article is also available via the short link tomrei.ch/letsencrypt)
Years ago, when moving my server to the cloud, I took notes on how to configure Let's Encrypt certificates on an Ubuntu box. Last week I purchased the domain tomrei.ch and, in the process of setting it up, went looking for these notes. Fortunately, thanks to FindStr Frontend, I was able to dig them out of deep storage, and I figured why not share them here in case they help someone else down the line.
Before beginning, a disclaimer that these commands all worked as of a few years ago. I was able to verify that at least part of it is still working now, but I have not verified all of these steps recently, so take this as a rough guide.
Begin by installing Ubuntu Server with the Apache 2 web server, then configure DNS (typically an A record) to point at your server's IP. For the purposes of this article, let's say the domain name you're configuring is example.tld. Before proceeding, navigating to http://example.tld should show the Apache start page (or whatever landing page you have replaced it with). I consider this part of the setup to be out of scope.
Run the following commands as root:
a2enmod ssl
service apache2 restart
Paste the following into /etc/apache2/sites-enabled/000-default.conf:
<VirtualHost *:80>
DocumentRoot "/var/www"
ServerName example.tld
</VirtualHost>
Run the following commands as root:
service apache2 restart
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-apache
certbot certonly --webroot -w /var/www -d example.tld
(The certbot/certbot PPA has since been deprecated. On current Ubuntu releases, either install the distribution packages with apt-get install certbot python3-certbot-apache, or follow the certbot project's snap instructions; the certbot certonly command is the same either way.) The --webroot challenge works because the port-80 vhost above serves /var/www: certbot writes a token file under /var/www/.well-known/acme-challenge/ and Let's Encrypt fetches it over plain HTTP, so that path must stay reachable without a login or redirect loop.
Paste the following into /etc/apache2/sites-enabled/000-default.conf:
<VirtualHost *:443>
ServerName example.tld
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.tld/privkey.pem
DocumentRoot "/var/www"
ServerAdmin webmaster@example.tld
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Note that SSLCertificateFile points at fullchain.pem rather than cert.pem: since Apache 2.4.8 the intermediate certificate is read from the same file as the server certificate, so no separate chain directive is needed. SSLCACertificateFile, which older guides often point at fullchain.pem, is the CA bundle Apache uses to verify client certificates; it is not the place for your own chain. Run service apache2 restart again so the new vhost is loaded, then confirm that https://example.tld loads without a certificate warning.
This step is technically optional, but I highly recommend it. Test out your automatic cert renewal by running the following as root:
certbot renew --dry-run
You should see success. If you do not, chase down the errors before continuing.
Once you're sure renewal works as expected, as root run crontab -e and add the following line:
0 */6 * * * certbot renew --quiet --deploy-hook "systemctl reload apache2"
certbot renew only replaces the files under /etc/letsencrypt/live when a certificate is within 30 days of expiry (the default), so running it every six hours is harmless. Because the certificate was issued with certonly, renewal does not touch Apache at all: without the deploy hook, Apache keeps serving the old certificate it loaded at startup until it is next restarted, and the site eventually breaks even though renewal "worked". --quiet stops cron from mailing you on every run.
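A one-line reload is enough for most setups, but an unattended reload that fails (for example because someone left a syntax error in an Apache config) takes the site down at 3 a.m. The script below is an added example, not part of the original notes: a certbot deploy hook that checks the renewed lineage and runs apache2ctl configtest before reloading. It relies on documented certbot behaviour (certbot renew runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ once per renewed certificate, exporting RENEWED_LINEAGE and RENEWED_DOMAINS) and assumes Ubuntu tooling (GNU stat, apache2ctl, systemd). The script name reload-apache.sh is my choice.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook that
# reloads Apache after a successful renewal, but only if the renewed
# lineage looks sane and the Apache configuration still parses.
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh (mode 755).
# certbot renew runs it once per renewed certificate with RENEWED_LINEAGE
# (e.g. /etc/letsencrypt/live/example.tld) and RENEWED_DOMAINS exported.
# Assumes Ubuntu: GNU stat, apache2ctl and systemd.
set -eu

# Succeed (0) only if the lineage directory holds the two files the vhost
# reads and the private key is not readable by other users.
check_lineage() {
    lineage="$1"
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$lineage/$f" ]; then
            echo "check_lineage: missing or empty $lineage/$f" >&2
            return 1
        fi
    done
    # live/<domain>/privkey.pem is a symlink into archive/; inspect the target.
    key=$(readlink -f "$lineage/privkey.pem")
    mode=$(stat -c '%a' "$key")
    # Any non-zero "other" digit means the key is readable by every local user.
    case "$mode" in
        *[1-7])
            echo "check_lineage: $key is mode $mode (world-accessible)" >&2
            return 1
            ;;
    esac
    return 0
}

# Reload only when the configuration parses; a failed reload in an
# unattended cron run would otherwise leave the site down.
reload_apache() {
    if ! apache2ctl configtest >/dev/null 2>&1; then
        echo "reload_apache: apache2ctl configtest failed, not reloading" >&2
        return 1
    fi
    systemctl reload apache2
}

main() {
    check_lineage "$RENEWED_LINEAGE"
    reload_apache
    echo "reloaded apache2 with renewed certificate for ${RENEWED_DOMAINS:-$RENEWED_LINEAGE}"
}

# certbot sets RENEWED_LINEAGE only when it invokes a deploy hook, so the
# script does nothing when sourced or run by hand without it.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

You can exercise the hook by hand with RENEWED_LINEAGE=/etc/letsencrypt/live/example.tld sh reload-apache.sh; certbot renew --dry-run does not run deploy hooks unless you pass --run-deploy-hooks, so test it explicitly before relying on the cron job.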
That's pretty much it. There may be other ways to handle setup and configuration of Let's Encrypt certificates, but this method has worked flawlessly for me for the past few years.