How to Install Certbot SSL
Securing your website with HTTPS is no longer optional—it’s a necessity. Search engines like Google prioritize secure sites in rankings, modern browsers flag non-HTTPS sites as “Not Secure,” and users increasingly expect encrypted connections. One of the most reliable, free, and automated ways to obtain and manage SSL/TLS certificates is through Certbot. Developed by the Electronic Frontier Foundation (EFF) in partnership with the Internet Security Research Group (ISRG), Certbot simplifies the process of acquiring and renewing SSL certificates from Let’s Encrypt, a trusted certificate authority offering free domain-validated certificates.
This guide provides a comprehensive, step-by-step tutorial on how to install Certbot SSL on a variety of server environments, including Apache and Nginx, with best practices, real-world examples, and troubleshooting tips. Whether you’re managing a small blog or a high-traffic e-commerce platform, installing Certbot correctly ensures your site remains secure, compliant, and optimized for performance and search engine visibility.
Step-by-Step Guide
Prerequisites
Before installing Certbot, ensure your server meets the following requirements:
- A registered domain name pointing to your server’s public IP address via DNS A record
- A web server (Apache or Nginx) running and accessible over port 80 (HTTP)
- Root or sudo access to your server
- Firewall rules allowing inbound traffic on ports 80 and 443
It’s critical that your domain resolves correctly. Use tools like dig yourdomain.com or online DNS checkers to verify that your A record points to the correct IP. If your domain doesn’t resolve, Certbot will fail to validate ownership.
Step 1: Update Your System
Always begin by ensuring your system packages are up to date. This reduces the risk of compatibility issues and security vulnerabilities.
On Ubuntu or Debian:
sudo apt update && sudo apt upgrade -y
On CentOS, RHEL, or Fedora:
sudo yum update -y
or for newer versions using dnf:
sudo dnf update -y
Step 2: Install Certbot
Certbot is available via package managers on most Linux distributions. The recommended method is to use the official Certbot client from the EFF repository to ensure you receive the latest version with full feature support.
On Ubuntu 20.04 or later and Debian 10+:
sudo apt install certbot python3-certbot-nginx python3-certbot-apache -y
This installs Certbot along with plugins for Nginx and Apache, which automate configuration changes.
On CentOS 8 or RHEL 8+:
sudo dnf install certbot python3-certbot-nginx python3-certbot-apache -y
On older systems or if the above fails:
You can use the snap package manager (if available):
sudo snap install --classic certbot
Then create a symbolic link:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Always prefer the system package manager over snap when possible, as it integrates better with system updates and service management.
Step 3: Verify Web Server Configuration
Certbot requires your web server to be reachable on port 80 during domain validation, because Let’s Encrypt uses the HTTP-01 challenge to confirm you control the domain: it fetches a token from http://yourdomain.com/.well-known/acme-challenge/ and the request must reach your server.
For Apache:
Ensure the default virtual host is configured to serve content on port 80. Check your configuration:
sudo apache2ctl configtest
If you see “Syntax OK,” proceed. If not, fix the configuration errors before continuing.
For Nginx:
sudo nginx -t
Again, ensure the output says “syntax is OK” and “test is successful.”
Restart your web server if you made changes:
sudo systemctl restart apache2
or
sudo systemctl restart nginx
Step 4: Obtain and Install the SSL Certificate
Now that your server is ready, you can request your SSL certificate.
For Nginx users:
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Replace yourdomain.com with your actual domain. You can include multiple domains using additional -d flags. Certbot will automatically detect your Nginx configuration and prompt you to choose which virtual hosts to secure.
For Apache users:
sudo certbot --apache -d yourdomain.com -d www.yourdomain.com
Certbot will then:
- Connect to Let’s Encrypt’s servers
- Request a certificate for your domain(s)
- Place a temporary file on your server to prove domain ownership
- Automatically configure your web server to use the new certificate
- Update your server configuration to redirect HTTP to HTTPS
During the process, you’ll be prompted to enter an email address for important account notifications (e.g., certificate expiration). You may also be asked to agree to the Let’s Encrypt Subscriber Agreement—read and accept to proceed.
Upon successful completion, you’ll see output similar to:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem
- Your key file has been saved at:
/etc/letsencrypt/live/yourdomain.com/privkey.pem
- Your certificate will expire on 2025-04-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again.
- To non-interactively renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Step 5: Test Your SSL Configuration
After installation, verify that your SSL certificate is working correctly.
Visit your site in a browser using https://yourdomain.com. You should see a padlock icon in the address bar. Clicking on it should confirm the certificate is valid and issued by “Let’s Encrypt.”
For deeper analysis, use an online SSL testing tool such as the SSL Labs SSL Test (ssllabs.com).
These tools check for certificate chain completeness, protocol support (TLS 1.2+), cipher strength, and vulnerabilities like Heartbleed or POODLE. Aim for an A+ rating on SSL Labs.
Step 6: Configure Automatic Renewal
Let’s Encrypt certificates expire every 90 days. Certbot includes a built-in renewal system that runs automatically via a cron job or systemd timer.
To test the renewal process without waiting:
sudo certbot renew --dry-run
If this command succeeds, your automatic renewal is configured correctly.
On systems using systemd (Ubuntu 16.04+, CentOS 7+), a timer is installed automatically. Check its status:
sudo systemctl status certbot.timer
You should see “active (running)” and “next trigger: in X days.”
On older systems using cron, check for the renewal job:
sudo crontab -l
You should see a line like:
0 */12 * * * /usr/bin/certbot renew --quiet
This runs twice daily, but only renews certificates within 30 days of expiration, minimizing unnecessary load.
Best Practices
Use Strong Cipher Suites
While Certbot configures decent defaults, you can further harden your SSL configuration. For Nginx, edit your site’s config file (typically located in /etc/nginx/sites-available/yourdomain) and add or update the SSL section:
ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.2 suites: ECDHE/DHE key exchange (forward secrecy) with AEAD ciphers only; TLS 1.3 suites are built in
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
For Apache, edit your SSL virtual host or ssl.conf:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Same suite list as the Nginx example: forward-secret key exchange with AEAD ciphers
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000)
# mod_ssl expresses the cache timeout in seconds (600 = 10 minutes)
SSLSessionCacheTimeout 600
Always test your configuration after changes using SSL Labs.
Enable HSTS
HTTP Strict Transport Security (HSTS) tells browsers to only connect to your site via HTTPS, even if the user types “http://.” This prevents downgrade attacks.
In Nginx:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
In Apache:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Be cautious with the preload directive—it requires you to submit your domain to the HSTS preload list, which is permanent. Only enable it after confirming your site works flawlessly over HTTPS for all subdomains.
Redirect All HTTP Traffic to HTTPS
Certbot usually enables this automatically, but always verify. For Nginx, ensure you have a server block that redirects port 80:
server {
listen 80;
server_name yourdomain.com www.yourdomain.com;
return 301 https://$host$request_uri;
}
For Apache:
<VirtualHost *:80>
ServerName yourdomain.com
ServerAlias www.yourdomain.com
Redirect permanent / https://yourdomain.com/
</VirtualHost>
Test redirects using curl:
curl -I http://yourdomain.com
You should see HTTP/1.1 301 Moved Permanently and a Location: https://... header.
Monitor Certificate Expiration
Even with automatic renewal, it’s wise to monitor your certificates. Set up a simple script that checks expiration dates and emails you if renewal fails.
Example script:
#!/bin/bash
# Emails an alert when the Let's Encrypt certificate for DOMAIN is within 15 days of expiry.
set -eu
DOMAIN="yourdomain.com"
ALERT_EMAIL="admin@yourdomain.com"
CERT="/etc/letsencrypt/live/$DOMAIN/cert.pem"
# openssl prints "notAfter=<date>"; keep only the date part after "="
EXPIRY_DATE=$(openssl x509 -in "$CERT" -noout -enddate | cut -d= -f2)
EXPIRY_TIMESTAMP=$(date -d "$EXPIRY_DATE" +%s)
TODAY_TIMESTAMP=$(date +%s)
DAYS_LEFT=$(( (EXPIRY_TIMESTAMP - TODAY_TIMESTAMP) / 86400 ))
if [ "$DAYS_LEFT" -lt 15 ]; then
  echo "Warning: Certificate for $DOMAIN expires in $DAYS_LEFT days." | mail -s "SSL Certificate Expiry Alert" "$ALERT_EMAIL"
fi
Run this daily via cron:
0 8 * * * /path/to/check-cert.sh
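The checks from Step 5, the redirect test, the HSTS section and the expiry script above can be combined into one post-deployment verifier. This is an added example, not Certbot's own tooling; it assumes a Linux host with only the Python 3 standard library, and the pure check functions work on captured values without network access.

```python
"""Post-deployment checks mirroring this guide's advice: a permanent HTTP-to-HTTPS
redirect, a preload-ready HSTS header, and days left on the certificate.
Added example, not part of Certbot; standard library only."""
import datetime as dt
import re
import socket
import ssl
from http.client import HTTPConnection
from typing import Optional

ONE_YEAR = 31536000  # smallest max-age the HSTS preload list accepts

def check_redirect(status: int, location: Optional[str], host: str) -> bool:
    """True when plain HTTP answers with a permanent redirect to https:// on the same host."""
    if status not in (301, 308) or not location:
        return False
    # anchor on the host so a Location such as https://host.elsewhere.example/ is rejected
    return re.match(rf"^https://{re.escape(host)}(/|$)", location, re.I) is not None

def check_hsts(header: Optional[str]) -> dict:
    """Parse a Strict-Transport-Security value and flag whether it is preload-ready."""
    info = {"present": False, "max_age": 0, "include_subdomains": False, "preload": False}
    if header:
        info["present"] = True
        for directive in (d.strip().lower() for d in header.split(";")):
            if directive.startswith("max-age="):
                info["max_age"] = int(directive.split("=", 1)[1])
            elif directive == "includesubdomains":
                info["include_subdomains"] = True
            elif directive == "preload":
                info["preload"] = True
    info["preload_ready"] = info["max_age"] >= ONE_YEAR and info["include_subdomains"] and info["preload"]
    return info

def days_until_expiry(not_after: str, now: Optional[dt.datetime] = None) -> int:
    """Days left from the notAfter string ssl.getpeercert() returns, e.g. 'Apr 10 12:00:00 2025 GMT'."""
    expiry = dt.datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=dt.timezone.utc)
    return (expiry - (now or dt.datetime.now(dt.timezone.utc))).days

def live_check(host: str) -> dict:
    """Run all three checks against a live host (needs network and a trusted CA bundle)."""
    conn = HTTPConnection(host, 80, timeout=10)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    redirect_ok = check_redirect(resp.status, resp.getheader("Location"), host)
    ctx = ssl.create_default_context()  # verifies the chain, so a missing intermediate surfaces here
    with socket.create_connection((host, 443), timeout=10) as sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
        cert = tls.getpeercert()
        tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        raw = tls.recv(65536).decode("latin-1")
    match = re.search(r"^strict-transport-security:\s*(.+?)\r?$", raw, re.I | re.M)
    return {"redirect_ok": redirect_ok, "hsts": check_hsts(match.group(1) if match else None),
            "days_left": days_until_expiry(cert["notAfter"])}
```

Call live_check("yourdomain.com") from a daily cron job and alert when redirect_ok is false, preload_ready is false, or days_left drops below 15.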
Use DNS Validation for Complex Setups
If your site is behind a CDN (like Cloudflare), load balancer, or reverse proxy that blocks direct HTTP access, HTTP-01 validation may fail. In such cases, use DNS-01 validation with a plugin like certbot-dns-cloudflare.
Install the plugin:
pip3 install certbot-dns-cloudflare
Create a credentials file:
mkdir -p ~/.secrets/certbot
nano ~/.secrets/certbot/cloudflare.ini
Add:
dns_cloudflare_email = your-email@example.com
dns_cloudflare_api_key = your-global-api-key
Set permissions:
chmod 600 ~/.secrets/certbot/cloudflare.ini
Request certificate:
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d yourdomain.com -d '*.yourdomain.com'
This method is ideal for wildcard certificates and complex infrastructure.
Tools and Resources
Essential Tools for SSL Management
- Certbot – The official client for Let’s Encrypt. Available at certbot.eff.org.
- SSL Labs SSL Test – Comprehensive analysis of SSL/TLS configuration. ssllabs.com
- Why No Padlock? – Identifies mixed content (HTTP resources on HTTPS pages). whynopadlock.com
- Let’s Encrypt Documentation – Official guides and API specs. letsencrypt.org/docs
- SSL Config Generator – Generates secure server configs for Apache, Nginx, and more. ssl-config.mozilla.org
- dig / nslookup – Command-line tools to verify DNS resolution.
- cURL – Test HTTP headers and redirects from the terminal.
Monitoring and Alerting
For production environments, integrate SSL monitoring into your observability stack:
- UptimeRobot – Free SSL certificate expiration monitoring.
- Prometheus + Blackbox Exporter – Monitor SSL validity as part of infrastructure metrics.
- Checkmk / Zabbix – Enterprise monitoring tools with SSL check plugins.
Automation and CI/CD Integration
If you manage multiple servers or use infrastructure-as-code tools like Terraform or Ansible, automate Certbot deployment:
Ansible Example:
- name: Install Certbot on Ubuntu
  apt:
    name:
      - certbot
      - python3-certbot-nginx
    state: present

- name: Request SSL certificate
  command: certbot --nginx -d {{ domain }} -d www.{{ domain }} --noninteractive --agree-tos -m {{ admin_email }}
  args:
    chdir: /root
  register: certbot_result

- name: Restart Nginx
  systemd:
    name: nginx
    state: restarted
  when: certbot_result.changed
Use this approach to deploy certificates consistently across staging and production environments.
Real Examples
Example 1: Securing a WordPress Site on Ubuntu with Nginx
A small business runs a WordPress site on Ubuntu 22.04 with Nginx. The site was previously accessible via HTTP only. The owner wants to improve SEO and security.
Steps Taken:
- Updated DNS A record to point to the server IP.
- Installed Certbot with the Nginx plugin: sudo apt install certbot python3-certbot-nginx
- Verified the Nginx config with nginx -t.
- Executed: sudo certbot --nginx -d mybusiness.com -d www.mybusiness.com
- Accepted terms and entered admin email.
- Certbot automatically modified Nginx config to enable HTTPS and redirect HTTP.
- Tested site: All pages loaded with padlock icon.
- Verified no mixed content using Why No Padlock? (fixed broken image links).
- Added HSTS header in Nginx config.
- Confirmed automatic renewal via certbot renew --dry-run.
Result: Site ranking improved by 18% in Google search results within 3 weeks. Bounce rate dropped by 22% due to increased user trust.
Example 2: Wildcard Certificate for Multi-Subdomain SaaS Platform
A SaaS startup hosts multiple client subdomains (e.g., client1.app.com, client2.app.com) behind Cloudflare. They need a wildcard certificate to cover all subdomains.
Steps Taken:
- Obtained Cloudflare API key.
- Installed the certbot-dns-cloudflare plugin.
- Created credentials file with API key.
- Executed: sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d '*.app.com'
- Configured Nginx to use the wildcard certificate for all subdomains.
- Set up automated renewal via systemd timer.
- Integrated certificate path into Terraform deployment scripts.
Result: Zero downtime during certificate renewals. New client onboarding automated with no manual SSL steps.
Example 3: Legacy Apache Server on CentOS 7
A legacy application runs on CentOS 7 with Apache 2.4. The server has no snap or modern package manager support.
Steps Taken:
- Installed EPEL repository: sudo yum install epel-release
- Installed Certbot: sudo yum install certbot
- Manually configured Apache virtual host to serve challenge files.
- Used standalone mode: sudo certbot certonly --standalone -d legacyapp.com
- Manually edited Apache config to point to new certificate paths.
- Added cron job for renewal: 0 12 * * * /usr/bin/certbot renew --quiet
- Set up email alert script for expiration.
Result: Legacy system secured without upgrading OS. Certificate renewed automatically for over 18 months without incident.
FAQs
Is Certbot free to use?
Yes. Certbot is open-source software developed by the EFF. The SSL certificates it obtains from Let’s Encrypt are completely free. There are no fees for issuance, renewal, or support.
How often do Certbot certificates expire?
Let’s Encrypt certificates expire every 90 days. Certbot automatically renews them before expiration, typically 30 days in advance. You don’t need to manually renew unless the automated process fails.
Can I use Certbot with Cloudflare or other CDNs?
Yes, but with caveats. If Cloudflare is proxying your traffic (orange cloud), Certbot cannot validate via HTTP-01 because the challenge file won’t be served from your origin. Use DNS-01 validation instead, as shown in the wildcard example.
What if Certbot fails to obtain a certificate?
Common causes:
- Domain not resolving to the server
- Port 80 blocked by firewall or ISP
- Web server misconfiguration
- An existing certificate lineage already covering the same domain, which conflicts with the new request
Run sudo certbot certificates to list existing certificates. Use sudo certbot delete to remove conflicting ones. Check logs at /var/log/letsencrypt/letsencrypt.log for detailed error messages.
Can I get a wildcard certificate with Certbot?
Yes. Wildcard certificates (e.g., *.example.com) are supported using DNS-01 validation. You must use a plugin that integrates with your DNS provider (e.g., Cloudflare, Route 53, Namecheap).
Does Certbot work on Windows?
Certbot is designed for Linux/Unix systems. For Windows, use alternatives like Win-ACME (formerly WACS), which provides similar functionality for IIS servers.
Can I use Certbot for internal or private domains?
No. Let’s Encrypt only issues certificates for publicly resolvable domain names. Private domains (e.g., internal.local) require a private CA or commercial certificate authority.
How do I back up my Certbot certificates?
Certificates are stored in /etc/letsencrypt/live/yourdomain.com/. Copy the entire /etc/letsencrypt directory to secure offsite storage. Include the private keys—they’re required for restoration.
What’s the difference between fullchain.pem and cert.pem?
cert.pem is your domain’s certificate only. fullchain.pem includes your certificate plus the intermediate certificates needed to build a trusted chain back to Let’s Encrypt’s root. Always use fullchain.pem in your web server configuration.
Can I use Certbot with shared hosting?
Most shared hosts don’t provide shell access or root privileges, making Certbot installation impossible. Check if your host offers free Let’s Encrypt SSL through their control panel (e.g., cPanel, Plesk). If not, consider upgrading to a VPS or managed hosting with Certbot support.
Conclusion
Installing Certbot SSL is one of the most impactful security and SEO improvements you can make to any website. By automating the acquisition and renewal of free, trusted SSL certificates, Certbot removes the complexity and cost traditionally associated with HTTPS deployment. Whether you’re running a personal blog, an enterprise application, or a multi-subdomain SaaS platform, the steps outlined in this guide ensure your site remains secure, compliant, and optimized for modern web standards.
The combination of automatic renewal, strong cipher defaults, HSTS enforcement, and DNS validation for complex setups makes Certbot the gold standard for SSL management. Combined with proper monitoring and configuration hardening, you not only protect your users’ data but also signal to search engines and visitors that your site is trustworthy and professional.
Don’t wait until your certificate expires. If you haven’t installed Certbot yet, start today. Use this guide as your reference, test your configuration thoroughly, and enable automatic renewal immediately. In the modern web, HTTPS isn’t just a feature—it’s the baseline.