This article explains how to generate a free Let’s Encrypt SSL certificate on Ubuntu 24.04.
Let’s Encrypt is a free, automated, open certificate authority (CA) that provides digital certificates for securing websites through HTTPS. It streamlines acquiring and installing SSL/TLS certificates, ensuring secure and encrypted connections.
Let’s Encrypt certificates, which have a default expiration of 90 days. You can automate the renewal process using the included Systemd Timer.
Let’s Encrypt encourages HTTPS usage by offering free certificates, enhancing internet security.
Install Certbot Client
The Certbot client is a tool that automates the certificate process for Let’s Encrypt on Linux systems.
Run the command below to install it.
sudo apt update
sudo apt install certbot
With the tool now installed, you can generate certificates for your server.
Generate a certificate with a web server
If you already have a web server like Nginx or Apache installed and running a website, you can use this method to generate a free certificate.
You must ensure that the server is accessible via port 80 for Let’s Encrypt verification from the Internet.
The command to generate a certificate is below, assuming a web server is installed.
sudo certbot certonly --webroot -w /var/www/html -d srv1.example.com
The command options:
- –webroot ==> [use a directory under webroot].
- -w /var/www/html ==> [working directory].
- -d ==> srv1.example.com [fully qualify server hostname].
When you press the enter key, you will see similar prompts like the ones below.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
# for only initial using, register your email address and agree to terms of use
# specify valid email address
(Enter 'c' to cancel): admin@example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# agree to the terms of use
(Y)es/(N)o: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: A
Account registered.
Requesting a certificate for srv1.example.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/srv1.example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/srv1.example.com/privkey.pem
This certificate expires on 2025-03-10.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
...........
...........
After generating your free SSL certificates, they will be stored at the location provided with the fully qualified server hostname. [/etc/letsencrypt/live/[severname]/]
Generate a certificate without a web server
You can create a standalone certificate with web server capabilities even if you do not have a web server installed.
The server must still be accessible from the internet on port 80 even without a web server.
The command to do that is below.
sudo certbot certonly --standalone -d srv1.example.com
The command options:
- –standalone ==> [use web server features].
- -d ==> srv1.example.com [fully qualify server hostname].
If the command is successful, you will see a message similar to the one below.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for srv1.example.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/srv1.example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/srv1.example.com/privkey.pem
This certificate expires on 2025-03-10.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your free SSL certificates should be ready to use.
Renewal
The Certbot tool has a system timer feature that automatically renews the certificates on the machine.
There’s nothing to do, it should automatically renew your certificates.
Run the command below to check its status.
systemctl status certbot.timer
You should see something similar to the one below.
* certbot.timer - Run certbot twice daily
Loaded: loaded (/usr/lib/systemd/system/certbot.timer; enabled; preset: en>
Active: active (waiting) since Mon 2025-03-10 10:13:26 UTC; 1min 17s ago
Trigger: Tue 2025-03-20 10:21:37 UTC; 14h left
Triggers: * certbot.service
To manually renew the certificates, run the command below.
sudo certbot renew
To convert certificates to PKCS12 (PFX) format for Windows and other systems, run the command below.
sudo openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out srv1.example.com.pfx
That should do it!
Conclusion:
In summary, generating a free Let’s Encrypt SSL certificate on Ubuntu 24.04 is a straightforward process that enhances your website’s security. Here are the key points to remember:
- Free Service: Let’s Encrypt provides cost-free SSL/TLS certificates to improve internet security.
- Automated Renewal: Certbot automates the certificate renewal process, ensuring your site remains secure without manual intervention.
- Flexible Options: Certificates can be generated with or without an existing web server, offering flexibility based on your server setup.
- Scheduled Tasks: Certbot creates system timers to manage the automatic renewal of certificates with minimal user input.
- PKCS12 Conversion: Certificates can be converted to different formats, such as PKCS12 (PFX), for wider compatibility across various systems.
By following the outlined steps, you can successfully secure your website with HTTPS, creating a safer online experience for your visitors.
Leave a Reply