Tom's Homepage > Articles

2023-08-31: Installing & Configuring Lets Encrypt on Ubuntu

(This article is also available via the short link


Years ago when moving my server to the cloud, I took notes on how to configure Lets Encrypt certificates on an Ubuntu box. Last week I purchased the domain and, in the process of setting it up, went looking for these notes. Fortunately thanks to FindStr Frontend I was able to dig them out of deep storage, but I figured why not share them here in case it might help someone else down the line.

A Disclaimer...

Before beginning, a disclaimer that these commands all worked as of a few years ago. I was able to verify that at least part of it is still working now, but I have not verified all of these steps recently, so take this as a rough guide.

Getting Started

Begin by installing Ubuntu Server with Apache 2 webserver, then configuring DNS (typically an A record) to point to your server IP. For the purposes of this article, lets say the domain name you're attempting to configure is example.tld. Before proceeding, when you navigate to http://example.tld, you should see the Apache start page (or whatever landing page you have replaced it with). I consider this part of the setup to be out of scope.

Install SSL Packages

Run the following commands as root:

Configure Plaintext Virtualhost

Paste the following into /etc/apache2/sites-enabled/000-default.conf:

<VirtualHost *:80>
  DocumentRoot "/var/www"
  ServerName example.tld

Install Certbot

Run the following commands as root:

Configure SSL Virtualhost

Paste the following into /etc/apache2/sites-enabled/000-default.conf:

<VirtualHost *:443>
  ServerName example.tld
  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.tld/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.tld/privkey.pem
  SSLCACertificateFile /etc/letsencrypt/live/example.tld/fullchain.pem
  DocumentRoot "/var/www"
  ServerAdmin webmaster@example.tld
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

Test Renewal

This step is technically optional, but I highly recommend it. Test out your automatic cert renewal by running the following as root:

certbot renew --dry-run

You should see success. If you do not, chase down the errors before continuing.

Add Cron Job For Automatic Renewal

Once you're sure renewal works as expected, as root run crontab -e and add the following line:
0 */6 * * * certbot renew

Wrapping Up

That's pretty much it. There may be other ways to handle setup and configuration of Lets Encrypt certificates, but this method has worked flawlessly for me for the past few years.