Let's Encrypt Free SSL Certificate Tutorial



Let's Encrypt is "a free, automated, and open Certificate Authority." They provide free signed certificates as a trusted certificate authority. This tutorial walks through installing certbot, requesting new certificates, and renewing existing ones with Let's Encrypt.

If you are just looking to generate your own quick self-signed certificates, check out my tutorial on creating self-signed SSL certificates with OpenSSL.

Certificates signed by trusted authorities used to be expensive and out of reach for many people. Let's Encrypt has changed the landscape by providing free signed certificates that are trusted by all major root programs like Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With a certificate from Let's Encrypt, users will not get a warning message when they visit your site telling them you have an untrusted certificate.

Client options

There are several Let's Encrypt clients available. There is a Bash shell tool, getssl, but the most recommended client is Certbot. It is written in Python and makes the process simple. The full list of client options and libraries is available on the Let's Encrypt website. There are also libraries for Java, Python, Go, C, C++, and many other languages.

Always check the official Let's Encrypt documentation for the latest instructions and tools. This is just my preferred method of installing and updating certificates with Let's Encrypt. This tutorial focuses on the Certbot client on Ubuntu, but there are official Certbot installation instructions for just about every platform you can think of if you are using a different system.

Installing Certbot on Ubuntu

The best way to install certbot on Ubuntu is to use the system package manager apt-get. You'll need to first add the apt repository and then refresh your package database using the update command as demonstrated below. After these commands you should be able to run certbot from the command line.

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Getting a new certificate

You can run certbot with no arguments and it will prompt you with a menu. You do not need a web server running in order to get your certificate. If you run it with the certonly command, it will prompt you and ask how you want to proceed. One of the options available is to spin up a standalone web server. You can then store the certificate and key until you are ready to use them.

I prefer using the certonly method because I want full control over the configurations that use the certificate. I just want the certificate and key files and I don't want certbot to mess with any of my web server configurations.

# Key and certs will be in /etc/letsencrypt/live
sudo certbot certonly

Output snippet:

How would you like to authenticate with the ACME CA?
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Renewing certificates

# Dry run if you are unsure of what changes will take place
sudo certbot renew --dry-run

# Renew certificates
sudo certbot renew

# Or you can simply run it the same way you did the first time
# It should detect you already have a cert and ask if you want
# to renew it with the same information
sudo certbot certonly

Using Linode DNS

The Linode DNS plugin proves control of the domain through a DNS record, which lets you bypass the webroot and web server methods. This is particularly useful if you need to make a cert for a domain pointing at a different server. For example, a cert that is good for www.devdungeon.com and xmpp.devdungeon.com even though they're pointing to different servers.

yum install certbot-dns-linode

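Create an INI file with your credentials, following the plugin documentation at https://certbot-dns-linode.readthedocs.io/en/stable/. The file holds a Linode API key, so keep it readable only by your own user.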

# Linode API credentials used by Certbot
# ~/.linode-certbot-config
dns_linode_key = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ64
dns_linode_version = 4

Then get the cert with:

certbot certonly --dns-linode --dns-linode-credentials ~/.linode-certbot-config
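
A pre-flight check for the credentials file, as an added example that is not part of the original tutorial or of certbot. The function name check_linode_creds and the choice to reject symlinks are assumptions; the file path and the two key names are the ones shown above.

```shell
#!/bin/sh
# Added example: verify the Linode credentials file before certbot reads it.
# Usage: sh check_creds.sh ~/.linode-certbot-config

# check_linode_creds FILE
# Returns 0 when FILE is a regular file (not a symlink), carries no
# group/other permission bits, and defines both keys the plugin expects.
# Reasons go to stderr; the API key itself is never printed.
check_linode_creds() {
    f=$1
    rc=0
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "creds: $f is missing, a symlink, or not a regular file" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "creds: $f is accessible to group/other; run: chmod 600 $f" >&2
        rc=1
    fi
    for key in dns_linode_key dns_linode_version; do
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*[^[:space:]]" "$f"; then
            echo "creds: $f has no value for $key" >&2
            rc=1
        fi
    done
    return $rc
}

# Only act when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_linode_creds "$1"
fi
```

Run it before the certbot command above and request the certificate only if it exits 0.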


Let's Encrypt and the certbot tool have many more options than what is covered here. This was only a simple quick start and a reference for those who just need to get a simple certificate. If you only need a self-signed certificate, check out my tutorial on creating self-signed SSL certificates with OpenSSL.