Install Let’s Encrypt SSL on Ubuntu with OpenLiteSpeed auto renewal

Introduction: Let’s Encrypt SSL

Let’s Encrypt is an automated, open certificate authority that offers free TLS/SSL certificates for the public’s benefit. The service is provided by the Internet Security Research Group (ISRG). This tutorial shows how to install a Let’s Encrypt SSL certificate on an Ubuntu 20.04 server with OpenLiteSpeed (~Apache) using the Certbot installation wizard. After completing this tutorial, the server will have a valid certificate and redirect all HTTP requests to HTTPS.

Prerequisites: Let’s Encrypt SSL

Let’s Encrypt SSL: This tutorial assumes that you have deployed a Vultr Ubuntu server with OpenLiteSpeed or Apache, have a domain name pointing to your server IP address, and you are logged in as root.

Install Certbot: Let’s Encrypt SSL

Install Let’s Encrypt SSL: The recommended installation method for Certbot is with Snap.

1. Verify snapd is up to date. $ sudo snap install core; sudo snap refresh core
2. Remove certbot-auto and any Certbot OS packages. $ sudo apt-get remove certbot
3. Install Certbot with Snap. $ sudo snap install --classic certbot
4. Link Certbot to /usr/bin. $ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Choose how you’d like to run Certbot

Are you ok with temporarily stopping your website?

Yes, my web server is not currently running on this machine.

Stop your webserver, then run this command to get a certificate. Certbot will temporarily spin up a webserver on your machine.

$ sudo certbot certonly --standalone

No, I need to keep my web server running.

If you have a webserver that’s already using port 80 and don’t want to stop it while Certbot runs, run this command and follow the instructions in the terminal.

$ sudo certbot certonly --webroot

To use the webroot plugin, your server must be configured to serve files from hidden directories. If /.well-known is treated specially by your webserver configuration, you might need to modify the configuration to ensure that files inside /.well-known/acme-challenge are served by the webserver.

Important Note

Install your certificate

You’ll need to install your new certificate in the configuration file for your webserver.

Test automatic renewal

The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:

$ sudo certbot renew --dry-run

The command to renew certbot is installed in one of the following locations:

/etc/crontab/ ;/etc/cron.*/* ;systemctl list-timers

In case the automatic renewal attempt fails, please check the automatic renewal request at /etc/letsencrypt/renewal/domain.com.conf to see if it has been configured correctly (as example shown below).

renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/saibabc.com
cert = /etc/letsencrypt/live/saibabc.com/cert.pem
privkey = /etc/letsencrypt/live/saibabc.com/privkey.pem
chain = /etc/letsencrypt/live/saibabc.com/chain.pem
fullchain = /etc/letsencrypt/live/saibabc.com/fullchain.pem 
Options used in the renewal process 
[renewalparams]
account = 56bb8680ab21b3db38f6d756e69139be
authenticator = webroot
webroot_path = /var/www/html/saibabc.com
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
saibabc.com = /var/www/html/saibabc.com
www.saibabc.com = /var/www/html/saibabc.com

Confirm that Certbot worked

To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar.