Overview
Certbot is the recommended tool for obtaining and managing free SSL/TLS certificates from Let's Encrypt. It automates certificate issuance, installation, and renewal, making HTTPS easy to implement on your RamNode Cloud VPS.
Free Certificates
Let's Encrypt provides domain-validated certificates at no cost
Auto-Renewal
Certbot automatically renews certificates before expiration
Multi-Domain
Support for multiple domains and wildcard certificates
Easy Integration
Plugins for Nginx, Apache, and standalone mode
Prerequisites
- A RamNode Cloud VPS with a public IP address
- A registered domain name whose A (and, if you serve IPv6, AAAA) record points to that IP; Let's Encrypt validates against whatever public DNS returns, not what your local resolver says
- Ports 80 (HTTP) and 443 (HTTPS) open in your firewall; port 80 must be reachable for HTTP validation even if the site will only ever serve HTTPS
- Root or sudo access to your server
Installing Certbot
Ubuntu/Debian
# Update package list
sudo apt update
# Install Certbot
sudo apt install certbot -y
# Install plugin for your web server
sudo apt install python3-certbot-nginx -y # For Nginx
sudo apt install python3-certbot-apache -y # For Apache
RHEL/AlmaLinux/Rocky Linux
# Enable EPEL repository
sudo dnf install epel-release -y
# Install Certbot
sudo dnf install certbot -y
# Install plugin for your web server
sudo dnf install python3-certbot-nginx -y # For Nginx
sudo dnf install python3-certbot-apache -y # For Apache
Using Snap (Universal)
Snap provides the most up-to-date version of Certbot and is the installation method Certbot's own instructions recommend. If a distro-packaged Certbot is already installed, remove that package first so the two copies do not conflict:
# Install snapd if not present
sudo apt install snapd -y
# Install Certbot via snap
sudo snap install --classic certbot
# Create symlink
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Nginx Setup
Step 1: Ensure Nginx is configured
Make sure your domain is configured in Nginx:
# /etc/nginx/sites-available/example.com
server {
listen 80;
server_name example.com www.example.com;
root /var/www/example.com;
location / {
try_files $uri $uri/ =404;
}
}
# Enable the site
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
Step 2: Obtain certificate
# Obtain and install certificate automatically
sudo certbot --nginx -d example.com -d www.example.com
# Or non-interactively with email
sudo certbot --nginx -d example.com -d www.example.com \
--non-interactive --agree-tos --email admin@example.com
Certbot rewrites the server block to listen on 443 with the new certificate and key and, when you choose the redirect option at the prompt (or pass --redirect in non-interactive runs), adds a permanent HTTP to HTTPS redirect.
Step 3: Verify configuration
# Test Nginx configuration
sudo nginx -t
# View the updated configuration
cat /etc/nginx/sites-available/example.com
# Test HTTPS
curl -I https://example.com
Apache Setup
Step 1: Ensure Apache is configured
Make sure your domain is configured in Apache:
# /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com
<Directory /var/www/example.com>
AllowOverride All
</Directory>
</VirtualHost>
# Enable the site and required modules
sudo a2ensite example.com.conf
sudo a2enmod ssl rewrite
sudo systemctl reload apache2
Step 2: Obtain certificate
# Obtain and install certificate automatically
sudo certbot --apache -d example.com -d www.example.com
# Or non-interactively
sudo certbot --apache -d example.com -d www.example.com \
--non-interactive --agree-tos --email admin@example.com
Standalone Mode
Use standalone mode when no web server is running on the host, or when you want Certbot to obtain certificates without touching a web server's configuration. Certbot binds port 80 itself to answer the validation, so anything already listening there must be stopped first. The same applies at every renewal: either pass --pre-hook and --post-hook so Certbot stops and starts the web server around each renewal, or use the webroot authenticator instead, which serves the challenge file from a directory the running web server already exposes and needs no downtime.
# Stop any service using port 80
sudo systemctl stop nginx # or apache2
# Obtain certificate in standalone mode
sudo certbot certonly --standalone -d example.com -d www.example.com
# Certificates are saved to:
# /etc/letsencrypt/live/example.com/fullchain.pem
# /etc/letsencrypt/live/example.com/privkey.pem
# Start your web server
sudo systemctl start nginx
Manual Nginx SSL Configuration
After obtaining certificates in standalone mode:
server {
listen 443 ssl http2;
server_name example.com www.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# SSL settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
# HSTS
add_header Strict-Transport-Security "max-age=31536000" always;
root /var/www/example.com;
location / {
try_files $uri $uri/ =404;
}
}
# HTTP to HTTPS redirect
server {
listen 80;
server_name example.com www.example.com;
# $host is the name the client asked for; $server_name would always be the first
# name in the directive and would send www.example.com visitors to example.com
return 301 https://$host$request_uri;
}
Wildcard Certificates
Wildcard certificates (*.example.com) can only be issued through the DNS-01 challenge, so you must be able to create TXT records in the domain's zone. They are useful for covering all subdomains with a single certificate. Note that a wildcard does not cover the bare domain, which is why the commands below request both names, and that each requested name gets its own TXT record under the same _acme-challenge.example.com label, so two records must exist at the same time.
Manual DNS Challenge
# Request wildcard certificate with DNS challenge
sudo certbot certonly --manual --preferred-challenges dns \
-d example.com -d "*.example.com"
# Certbot will ask you to create one TXT record per requested name (both at
# _acme-challenge.example.com here, each with its own value)
# After adding the DNS records, wait for propagation and continue
# Certificates obtained this way cannot renew unattended unless you also pass
# --manual-auth-hook/--manual-cleanup-hook scripts that create and remove the records
Automated DNS Plugins
For unattended renewal, use the DNS plugin for your provider, which creates and removes the TXT records through the provider's API:
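Whether you create the TXT record by hand (the manual challenge above) or let a plugin do it, the validation only succeeds once the record is actually visible, and pressing Enter too early costs you a failed attempt against the rate limits. The script below is an added example, not code from this page or from Certbot: it polls several public resolvers for the expected value and only returns when all of them agree. It can be run by hand with a domain and the value Certbot printed, or used as a --manual-auth-hook after your record-creation step, in which case it reads the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables Certbot exports to that hook. The resolver list and the 10-second poll interval are assumptions; dig comes from bind9-dnsutils (Debian/Ubuntu) or bind-utils (RHEL family).

```shell
#!/bin/bash
# Wait until the _acme-challenge TXT record is visible from several public
# resolvers before telling certbot to continue. Added example, not from the
# page or from Certbot.
set -eu

# Resolvers to consult (assumed list). Let's Encrypt queries the authoritative
# servers directly, so add one of your own authoritative servers here too.
RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"

# TXT lookup through one resolver; prints quoted strings one per record, the
# way dig +short does. Replaced with a stub when the logic is tested offline.
txt_lookup() {
  dig +short TXT "$1" "@$2" 2>/dev/null
}

# Returns 0 when every resolver returns a TXT record equal to $2 at name $1.
# Several challenge values can coexist at the same name (example.com and
# *.example.com both use _acme-challenge.example.com), so the expected value
# only has to be among the records, not the only one.
txt_visible_everywhere() {
  name=$1; value=$2
  for r in $RESOLVERS; do
    txt_lookup "$name" "$r" | tr -d '"' | grep -qx "$value" || return 1
  done
  return 0
}

# Poll until visible or until $3 seconds have passed (default 300).
wait_for_txt() {
  name=$1; value=$2; timeout=${3:-300}; waited=0
  until txt_visible_everywhere "$name" "$value"; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s waiting for $name" >&2
      return 1
    fi
    sleep 10; waited=$((waited + 10))
  done
  echo "$name = $value visible on all resolvers after ${waited}s"
}

# Run as a --manual-auth-hook: certbot supplies domain and value. The "*."
# prefix is stripped defensively since the record always lives at the base name.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
  wait_for_txt "_acme-challenge.${CERTBOT_DOMAIN#\*.}" "$CERTBOT_VALIDATION"
# Run by hand: ./wait-txt.sh example.com <value certbot printed>
elif [ $# -eq 2 ]; then
  wait_for_txt "_acme-challenge.${1#\*.}" "$2"
fi
```

When used as an auth hook, place the call after whatever command creates the record in your provider's API, and give Certbot a matching --manual-cleanup-hook that deletes it; otherwise stale challenge values accumulate in the zone.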
# Cloudflare example
sudo apt install python3-certbot-dns-cloudflare -y
# Create credentials file
sudo mkdir -p /etc/letsencrypt
sudo nano /etc/letsencrypt/cloudflare.ini
# Add an API token scoped to DNS edit on this zone only (not your global API key):
# dns_cloudflare_api_token = your-api-token
# Set permissions
sudo chmod 600 /etc/letsencrypt/cloudflare.ini
# Obtain wildcard certificate
sudo certbot certonly --dns-cloudflare \
--dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
-d example.com -d "*.example.com"
Automatic Renewal
Let's Encrypt certificates are valid for 90 days. Certbot's packages set up automatic renewal for you: a systemd timer (certbot.timer for apt/dnf installs, snap.certbot.renew.timer for the snap) or a cron entry in /etc/cron.d/certbot that runs certbot renew twice a day and only renews certificates that are within 30 days of expiry.
Verify Auto-Renewal
# Check systemd timer status
sudo systemctl status certbot.timer
# List scheduled timers
sudo systemctl list-timers | grep certbot
# Test renewal process (dry run)
sudo certbot renew --dry-run
Manual Renewal
# Renew all certificates
sudo certbot renew
# Renew specific certificate
sudo certbot renew --cert-name example.com
# Force renewal even if not due; this issues a brand-new certificate and counts
# against the duplicate-certificate rate limit, so never put it in a script
sudo certbot renew --force-renewal
Post-Renewal Hooks
When you used the --nginx or --apache installer, Certbot reloads the server itself after renewal. Certificates obtained with certonly (standalone, webroot, DNS plugins) need a deploy hook so the running server picks up the new files:
# Create hook script (every executable in this directory runs after a successful renewal)
sudo nano /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
# Contents of reload-nginx.sh:
#!/bin/bash
systemctl reload nginx
# Make executable
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
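A blind reload trusts that whatever Certbot wrote is sane. The hook below is an added example, not code from this page or from Certbot: it refuses to reload nginx when the renewed chain and key do not match, when the leaf certificate is about to expire anyway, or when it does not cover the names that were renewed, and it only reloads after nginx -t passes. It relies on the RENEWED_LINEAGE and RENEWED_DOMAINS variables that Certbot exports to deploy hooks, and on openssl; nginx, systemctl and logger are only called when it actually runs as a hook. The 30-day threshold is an assumption.

```shell
#!/bin/bash
# Deploy hook with sanity checks. Certbot runs it once per renewed lineage with
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and RENEWED_DOMAINS
# (space-separated names) in the environment. Added example, not from the page
# or from Certbot.
set -eu

# 0 if the leaf certificate's public key matches the private key (RSA or ECDSA).
# Both commands print the SubjectPublicKeyInfo in PEM, so a string compare works.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the leaf certificate will still be valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Prints the DNS names in the certificate's subjectAltName, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^[[:space:]]*DNS://' | sed '/^[[:space:]]*$/d'
}

# 0 if every name given after the cert path is present in the SAN list.
cert_covers() {
  cert=$1; shift
  sans=$(cert_sans "$cert")
  for n in "$@"; do
    printf '%s\n' "$sans" | grep -qx "$n" \
      || { echo "$n missing from certificate $cert" >&2; return 1; }
  done
}

lineage=${RENEWED_LINEAGE:-}
if [ -n "$lineage" ]; then
  chain=$lineage/fullchain.pem; key=$lineage/privkey.pem
  cert_key_match "$chain" "$key" \
    || { echo "refusing reload: $chain does not match $key" >&2; exit 1; }
  cert_valid_for_days "$chain" 30 \
    || { echo "refusing reload: $chain expires within 30 days" >&2; exit 1; }
  # RENEWED_DOMAINS is space-separated; word splitting is intended here.
  cert_covers "$chain" ${RENEWED_DOMAINS:-} || exit 1
  nginx -t && systemctl reload nginx
  logger -t certbot-deploy "reloaded nginx for $lineage (${RENEWED_DOMAINS:-})"
fi
```

A non-zero exit from a deploy hook does not undo the renewal; Certbot logs the failure in /var/log/letsencrypt/letsencrypt.log and the old certificate keeps serving until you intervene, which is the behaviour you want when the new material looks wrong.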
# Or add it to that certificate's renewal config, under the [renewalparams] section
sudo nano /etc/letsencrypt/renewal/example.com.conf
# Add: renew_hook = systemctl reload nginx
Troubleshooting
Common Issues
DNS not pointing to server
# Verify DNS resolution
dig +short example.com
nslookup example.com
# Should return your server's IP address
Port 80 blocked or in use
# Check what's using port 80
sudo ss -tlnp | grep :80
sudo lsof -i :80
# Check firewall
sudo ufw status
sudo iptables -L -n | grep 80
Rate limits exceeded
Let's Encrypt enforces rate limits (among others on certificates per registered domain per week, on duplicate certificates, and on failed validations), so repeatedly retrying a broken setup against production locks you out. Test against the staging environment instead: it has far higher limits but issues certificates that browsers do not trust. --dry-run (for certonly and renew) uses staging without saving anything; --staging writes a test certificate that you must delete before the real run:
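The two checks above are the ones worth running before the very first certbot call, because every failed validation counts against the rate limits described next. The script below is an added example, not code from this page or from Certbot: it verifies that each name resolves to this server's address, walks up the zone to find the governing CAA record set and checks that it permits letsencrypt.org (a restrictive CAA fails issuance with an error that looks nothing like a DNS problem), and reports whether port 80 is already taken. The address 203.0.113.10 and the example names are placeholders; dig comes from bind9-dnsutils or bind-utils, ss from iproute2.

```shell
#!/bin/bash
# Pre-flight checks before requesting a certificate. Added example, not from
# the page or from Certbot. Usage: ./preflight.sh <server-ip> <domain>...
set -eu

# Wrapper around dig so the lookup can be replaced by a stub when testing.
# Prints one record per line (dig +short), nothing if the name has no records.
dns_query() {
  # $1 = record type, $2 = name
  dig +short "$1" "$2" 2>/dev/null
}

# Returns 0 if every domain has an A record equal to $1 (this server's IP).
# dig +short follows CNAMEs and prints the target name before the address, so
# only lines that look like IPv4 addresses are considered. Wildcard names are
# skipped: they are validated with DNS-01 and need no A record.
domains_point_here() {
  expected=$1; shift
  rc=0
  for d in "$@"; do
    case $d in \*.*) continue ;; esac
    if dns_query A "$d" | grep -Ex '[0-9]{1,3}(\.[0-9]{1,3}){3}' | grep -qx "$expected"; then
      echo "ok      $d -> $expected"
    else
      echo "FAIL    $d does not resolve to $expected" >&2
      rc=1
    fi
  done
  return $rc
}

# CAA (RFC 8659): the closest name, starting with the name itself and walking
# up to its parents, that has any CAA records decides; no CAA anywhere means any
# CA may issue. Pass "wild" as $2 for a wildcard request, which is governed by
# issuewild when present and by issue otherwise.
caa_allows_letsencrypt() {
  name=$1; kind=${2:-plain}
  while [ -n "$name" ]; do
    records=$(dns_query CAA "$name")
    if [ -n "$records" ]; then
      tag=issue
      if [ "$kind" = wild ] && printf '%s\n' "$records" | grep -q ' issuewild '; then
        tag=issuewild
      fi
      # the issuer may carry parameters, e.g. "letsencrypt.org; validationmethods=dns-01"
      printf '%s\n' "$records" | grep -Eq " $tag \"letsencrypt\.org[;\"]" && return 0
      echo "FAIL    CAA at $name does not permit letsencrypt.org ($tag)" >&2
      return 1
    fi
    case $name in *.*) name=${name#*.} ;; *) name= ;; esac
  done
  return 0
}

if [ $# -ge 2 ]; then
  server_ip=$1; shift
  status=0
  domains_point_here "$server_ip" "$@" || status=1
  for d in "$@"; do
    case $d in
      \*.*) caa_allows_letsencrypt "${d#\*.}" wild || status=1 ;;
      *)    caa_allows_letsencrypt "$d" || status=1 ;;
    esac
  done
  listener=$(ss -Hltnp 'sport = :80' 2>/dev/null || true)
  if [ -n "$listener" ]; then
    echo "note    port 80 is in use; fine for --nginx/--apache/webroot, but --standalone needs it free:"
    echo "$listener"
  fi
  exit $status
fi
```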
# Use staging environment for testing
sudo certbot --nginx -d example.com --staging
# After testing, remove the untrusted staging cert and get the production cert
sudo certbot delete --cert-name example.com
sudo certbot --nginx -d example.com
Useful Commands
# List all certificates
sudo certbot certificates
# Delete a certificate
sudo certbot delete --cert-name example.com
# Revoke a certificate (add --reason keycompromise if the private key leaked)
sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem
# View certificate details
sudo openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -text -noout
# Check certificate expiration
sudo openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -dates
# View Certbot logs
sudo cat /var/log/letsencrypt/letsencrypt.log
Security Best Practices
- Always redirect HTTP to HTTPS so all traffic is encrypted
- Enable HSTS (HTTP Strict Transport Security), but only once every host you include serves HTTPS correctly; browsers cache the policy for the full max-age, so a mistake cannot be undone quickly
- Test your SSL configuration at SSL Labs
- Keep Certbot updated for security patches
- Monitor certificate expiration dates rather than trusting the renewal timer blindly
- Keep /etc/letsencrypt readable by root only and give DNS plugin credentials the narrowest scope the provider allows; anyone holding either can obtain certificates for your names
