Introduction: Let’s Encrypt SSL
Let’s Encrypt is an automated, open certificate authority that offers free TLS/SSL certificates for the public’s benefit. The service is provided by the Internet Security Research Group (ISRG). This tutorial shows how to install a Let’s Encrypt SSL certificate on an Ubuntu 20.04 server with OpenLiteSpeed (or Apache) using the Certbot installation wizard. After completing this tutorial, the server will have a valid certificate and redirect all HTTP requests to HTTPS.
Prerequisites: Let’s Encrypt SSL
This tutorial assumes that you have deployed a Vultr Ubuntu server with OpenLiteSpeed or Apache, have a domain name pointing to your server IP address, and are logged in as root.
Install Certbot: Let’s Encrypt SSL
The recommended installation method for Certbot is with Snap.
- Verify snapd is up to date.
$ sudo snap install core; sudo snap refresh core
- Remove certbot-auto and any Certbot OS packages.
$ sudo apt-get remove certbot
- Install Certbot with Snap.
$ sudo snap install --classic certbot
- Link Certbot to /usr/bin.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Choose how you’d like to run Certbot
Are you ok with temporarily stopping your website?
Yes, my web server is not currently running on this machine.
Stop your webserver, then run this command to get a certificate. Certbot will temporarily spin up a webserver on your machine.
$ sudo certbot certonly --standalone
No, I need to keep my web server running.
If you have a webserver that’s already using port 80 and don’t want to stop it while Certbot runs, run this command and follow the instructions in the terminal.
$ sudo certbot certonly --webroot
Important Note: To use the webroot plugin, your server must be configured to serve files from hidden directories. If /.well-known is treated specially by your webserver configuration, you might need to modify the configuration to ensure that files inside /.well-known/acme-challenge are served by the webserver.
Install your certificate
You’ll need to install your new certificate in the configuration file for your webserver.
Test automatic renewal
The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:
$ sudo certbot renew --dry-run
The command to renew certbot is installed in one of the following locations:
- /etc/crontab/
- /etc/cron.*/*
- systemctl list-timers
If the automatic renewal attempt fails, check the renewal configuration at /etc/letsencrypt/renewal/domain.com.conf to see whether it has been configured correctly (an example is shown below).
renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/saibabc.com
cert = /etc/letsencrypt/live/saibabc.com/cert.pem
privkey = /etc/letsencrypt/live/saibabc.com/privkey.pem
chain = /etc/letsencrypt/live/saibabc.com/chain.pem
fullchain = /etc/letsencrypt/live/saibabc.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 56bb8680ab21b3db38f6d756e69139be
authenticator = webroot
webroot_path = /var/www/html/saibabc.com
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
saibabc.com = /var/www/html/saibabc.com
www.saibabc.com = /var/www/html/saibabc.com
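One way to check a renewal file like the one above before the next renewal run. This is an added example, not part of Certbot or of the original tutorial; the function names, the example.com sample and the specific checks are assumptions chosen for illustration.

```python
import os

# Constructed sample in the layout shown above; example.com is a placeholder.
SAMPLE = """\
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem
[renewalparams]
authenticator = webroot
[[webroot_map]]
example.com = /var/www/html/example.com
www.example.com = /var/www/html/old-site
"""


def parse_renewal_conf(text):
    """Split the file into {section: {key: value}}; top-level keys go under ''."""
    conf, section = {"": {}}, ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")  # handles [renewalparams] and [[webroot_map]]
            conf.setdefault(section, {})
        elif line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[section][key.strip()] = value.strip()
    return conf


def check_renewal_conf(text, exists=os.path.exists, is_dir=os.path.isdir):
    """Return a list of problems; an empty list means nothing obvious is wrong."""
    conf, problems = parse_renewal_conf(text), []
    for key in ("cert", "privkey", "chain", "fullchain"):
        path = conf[""].get(key)
        # os.path.exists follows symlinks, so a dangling live/ link is reported too.
        if not path or not exists(path):
            problems.append(f"{key}: missing entry or file ({path})")
    params = conf.get("renewalparams", {})
    if "authenticator" not in params:
        problems.append("no authenticator in [renewalparams]")
    # Every directory in [[webroot_map]] must still exist to host the challenge file.
    for domain, root in conf.get("webroot_map", {}).items():
        if not is_dir(root):
            problems.append(f"{domain}: webroot is not a directory ({root})")
    return problems


if __name__ == "__main__":
    print("\n".join(check_renewal_conf(SAMPLE)) or "renewal file looks sane")
```

On a real server, pass the contents of the file under /etc/letsencrypt/renewal/ to check_renewal_conf and run it as root so the paths under live/ are readable.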
Confirm that Certbot worked
To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar.
3 Comments
Good job. Very good. Good, good, good.
So good, very nice, an accurate comment
Very useful. I kept fumbling around and couldn't get it working, then after reading this post it all worked out perfectly. Thanks