Skip to Content

How to install free SSL with Let’s Encrypt?

You can automatically enable HTTPS on your website with EFF’s Certbot, deploying Let’s Encrypt certificates

 

1. Install snapd

    Installing snap on Red Hat Enterprise Linux (RHEL) / Centos

     Adding EPEL Repo RHEL

      The EPEL repository can be added to a RHEL 8 system with the following command:

$ sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

$ sudo dnf upgrade

       The EPEL repository can be added to a RHEL 7 system with the following command:

$ sudo rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

 

    Adding the optional and extras repositories is also recommended:

$ sudo subscription-manager repos --enable "rhel-*-optional-rpms" --enable "rhel-*-extras-rpms"

$ sudo yum update

 

 Adding EPEL to CentOS

    The EPEL repository can be added to a CentOS 8   system with the following command:

$ sudo dnf install epel-release

$ sudo dnf upgrade

    The EPEL repository can be added to a CentOS 7 system with the following command:

$ sudo yum install epel-release

  Installing snapd

$ sudo yum install snapd

Once installed, the systemd unit that manages the main snap communication socket needs to be enabled: 

$ sudo systemctl enable --now snapd.socket

To enable classic snap support, enter the following to create a symbolic link between /var/lib/snapd/snap and /snap:

$ sudo ln -s /var/lib/snapd/snap /snap

 

  Installing snap on Debian 

    On Debian 10 (Buster) and Debian 9 (Stretch), snap can be installed directly from the command line:

$ sudo apt update

$ sudo apt install snapd 

  Installing snap on Ubuntu

     If you’re running Ubuntu 16.04 LTS (Xenial Xerus) or later, you don’t need to do anything. Snap is already installed and ready to go.

 

2. Ensure that your version of snapd is up to date

     Execute the following instructions on the command line on the machine to ensure that you have the latest version of snapd.

sudo snap install core; sudo snap refresh core

For Centos7 Use the following command to ensure that you have the latest version of snapd.

sudo snap install core ; sudo snap refresh core

3. Remove certbot-auto and any Certbot OS packages 

       If you have any Certbot packages installed using an OS package manager like apt, dnf, or yum, you should remove them before installing the Certbot snap to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager. The exact command to do this depends on your OS, but common examples are sudo apt-get remove certbot, sudo dnf remove certbot, or sudo yum remove certbot.

 

4. Install Certbot

    Run this command on the command line on the machine to install Certbot.

sudo snap install --classic certbot

"error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount: /tmp/sanity-mountpoint-024761912: mount failed: Operation not permitted."  If you get this error while installing cerbot with snap, Please run the following commands to install certbot and continue from step 6. Usually  you will get the above error while trying to install certbot with snap package manager in containerized environment such as LXC,OpenVZ, etc.

sudo apt install certbot

sudo apt-get install python3-certbot-apache or sudo apt-get install python-certbot-apache

 5. Execute the following instruction on the command line on the machine to ensure that the certbot command can be run.

sudo ln -s /snap/bin/certbot /usr/bin/certbot

 

 6. Run this command to get a certificate and have Certbot edit your Apache configuration automatically to serve it, turning on HTTPS access in a single step.

Make sure to add virtualhost configuration  for the domain.

Let's encrypt will not work with the default configuration.
You should create a virtual host configuration and the configuration name should be the domain name.
For example: If your server name/domain name is example.com it should be example.com.conf
 

sudo certbot --apache

   

 7. Renew Let's Encrypt Certificates & Test automatic renewal

       The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:

 

sudo certbot renew

 

The command to renew certbot is installed in one of the following locations :

/etc/crontab/

/etc/cron.*/*

systemctl list-timers

 
More detailed information  can be found in  Certbot documentation