How to Install Certbot on Ubuntu and AMI

Posted by

Hariharan Lakshmanan on 05 Dec 2022


Certbot is an open-source command-line tool for obtaining HTTPS certificates for self-hosted servers whose providers do not already supply HTTPS. Developed by the Electronic Frontier Foundation (EFF), Certbot can switch an existing HTTP website to HTTPS and renew the HTTPS certificate as required.

Certbot can be used with a server, whether on-premises or cloud-based, if it meets the following conditions:

  • The server has a command line
  • It has an HTTP website online and an open port 80
  • It is a dedicated, virtual, or cloud-hosted server with SSH access and sudo privileges

This blog outlines the steps required to install and run Certbot on servers that run Ubuntu or Amazon Linux images.

Certbot on Ubuntu

Check the following before you start:

  • The server runs Ubuntu > 18.04 and you have sudo privileges
  • Apache server or a domain name pointed at your server
  • Ports 80 and 443 are unused; if the web server service already uses them, use the Certbot webroot method instead

INSTALLING CERTBOT

Step 1 Ubuntu recommends using snap packages for installation
sudo snap install core; sudo snap refresh core

Step 2 Remove any previous version of Certbot from the system
sudo apt remove certbot

Step 3 Install Certbot
sudo snap install --classic certbot

Step 4 Link the Certbot command from the snap install directory to your path
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 5 Allow port 443 through the firewall
sudo ufw allow 443

Step 6 Run Certbot to get certificates; use the command that matches your server setup
sudo certbot certonly --standalone -d your_domain
sudo certbot --apache
sudo certbot --nginx
sudo certbot certonly --webroot

Step 7 Configure the application to use the certificate files in this directory
sudo ls /etc/letsencrypt/live/your_domain

AUTO-RENEWAL

sudo nano /etc/letsencrypt/renewal/your_domain.conf
renew_hook= systemctl reload
sudo certbot renew --dry-run
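
As an added example (not part of the original post), the script below audits a renewal file like the one edited above: it reads authenticator and renew_hook from the [renewalparams] section and flags a hook that is missing or that names no service to reload. The function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Certbot renewal file.

# Print the value of key $2 from the [renewalparams] section of file $1.
renewal_param() {
    awk -v key="$2" '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        !in_params || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Print one finding per line; return 0 if the file is fine, 1 if it needs a fix.
audit_renewal_conf() {
    conf=$1; rc=0
    auth=$(renewal_param "$conf" authenticator)
    hook=$(renewal_param "$conf" renew_hook)
    if [ -z "$auth" ]; then
        echo "FAIL no authenticator in [renewalparams]"; rc=1
    elif [ "$auth" = "standalone" ]; then
        echo "WARN standalone needs port 80 free at renewal; consider webroot"
    fi
    case "$hook" in
        "") echo "FAIL no renew_hook, so the server keeps the old certificate"; rc=1 ;;
        "systemctl reload"|"systemctl restart")
            echo "FAIL renew_hook '$hook' names no service unit"; rc=1 ;;
        *)  echo "OK renew_hook = $hook" ;;
    esac
    return "$rc"
}

# Constructed sample input, written to a temp file so the script runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
cert = /etc/letsencrypt/live/your_domain/cert.pem
[renewalparams]
authenticator = standalone
renew_hook= systemctl reload
EOF
audit_renewal_conf "$sample" || echo "=> fix the renewal file before relying on cron"
rm -f "$sample"
```

To check a real host, call audit_renewal_conf on /etc/letsencrypt/renewal/your_domain.conf with sudo after editing the hook.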

Certbot on Amazon Linux 2

CREATE AMAZON LINUX AMI EC2 INSTANCE

Note: Creating an EC2 instance is not in the scope of this document. Please refer to this link.

SSH INTO EC2 INSTANCE

Step 1
ssh -i <your-key.pem> ec2-user@<instance-public-dns>
Or click Connect to log in to your instance

sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/

Step 2
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm

Step 3
sudo yum-config-manager --enable epel*
sudo yum repolist all

Step 4 Edit the Apache config file /etc/httpd/conf/httpd.conf. Locate the “Listen 80” directive and add the specific domain and subdomain details.

Step 5 Save and restart Apache
sudo systemctl restart httpd

INSTALL AND RUN CERTBOT

Step 1 Install Amazon extras repo for epel
sudo amazon-linux-extras install epel -y

Step 2 Install Certbot packages and dependencies
sudo yum install -y certbot python2-certbot-apache

Step 3 Run Certbot
sudo certbot

Step 4 Enter the admin email address for Certbot communication

AUTO-RENEWAL

Step 1 Open root's crontab and add the renewal entry
sudo crontab -e
0 7 * * * /usr/bin/certbot renew

TEST SSL

https://www.ssllabs.com/ssltest/
