Let’s Encrypt is a Certificate Authority that provides SSL certificates at no charge. Their certificates are trusted by all major browsers and are as safe as the certificates that you get from other providers.

Apart maybe from the minor inconvenience that you have to renew them every 3 months (which, frankly, can be automated), there are no good reasons why someone would choose to pay for a SSL certificate these days, instead of getting a free one from Let’s Encrypt.

In order to get or renew a certificate for your domain, you’ll have to demonstrate to Let’s Encrypt that you control that domain. This procedure can be automated by using special client software, which you run on your server. There are many clients to choose from, but the one I prefer is EFF’s Certbot.

Install Certbot

sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install certbot

Obtaining Certificates

To obtain a certificate you just need to provide an email address, where Let’s Encrypt will be sending you expiration notifications, and the domain(s) for which you want to get certificates.

sudo certbot certonly --standalone --email YOU@EMAIL_PROVIDER -d DOMAIN.TLD

You can also obtain certificates for multiple domains/subdomains using the -d option, e.g. -d DOMAIN.TLD -d www.DOMAIN.TLD.

Note that Certbot requires port 80 of your server to be free, so if you are using Apache or Nginx, you’ll have to stop them before running the above command, or you could tell Certbot to do that for you:

sudo certbot certonly --standalone --email YOU@EMAIL_PROVIDER -d DOMAIN.TLD --pre-hook "service nginx stop" --post-hook "service nginx start"

If Certbot passed the challenges and there were no other errors, you can find your new certificates and corresponding private keys under /etc/letsencrypt/live.

Renewing Certificates

Let’s Encrypt certificates expire after 3 months. Before that happens, though, you’ll receive an email from Let’s Encrypt telling you that it’s time to renew. Renewing a certificate is very easy, just run:

sudo certbot renew

Certbot will automatically determine which certificates are due for renewal and request new ones. If you want to renew all certificates, whether they are about to expire or not, you can run:

sudo certbot renew --force-renew

As before, if port 80 is being used on your system, make sure to stop all services that use that port, or tell Certbot to do that for you:

sudo certbot renew --force-renew --pre-hook "service nginx stop" --post-hook "service nginx start"

Dry Run

Certbot has a nice dry run feature as well, which you can use to test the above procedure and check for any errors before committing to actual changes. You can use the dry run option both when obtaining and renewing certificates.

sudo certbot renew --dry-run