How to enable HTTPS on your web server using Certbot and a Let's Encrypt certificate

In this post, I'll briefly explain what an SSL/TLS certificate is and show how to enable HTTPS on your Apache/NGINX web server using Certbot and a Let's Encrypt certificate.

What an SSL/TLS certificate is

An SSL/TLS certificate is a type of digital certificate that a web service uses to demonstrate ownership of its domain.

To enable HTTPS on your website, you have to get the certificate file from a Certificate Authority (CA) like Let's Encrypt.

In order to get the certificate for your website's domain from Let's Encrypt, you need to demonstrate control over the domain. With Let's Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host.

Let's Encrypt recommends using the Certbot ACME client. It can automate certificate issuance and installation with no downtime. It's easy to use, works on many operating systems, and has great documentation.

How to install Certbot

Ubuntu

You can install Certbot using snapd, a package manager for Linux. snapd ships with Ubuntu by default, so you don't need to install it.

$ sudo snap install core; sudo snap refresh core
$ sudo snap install --classic certbot

CentOS/RHEL(Red Hat Enterprise Linux)

You need to install snapd from each distribution's Extra Packages for Enterprise Linux (EPEL) repository. The instructions for adding the repository differ slightly between distributions.

CentOS 8

$ sudo dnf install epel-release
$ sudo dnf upgrade
$ sudo yum install snapd
$ sudo systemctl enable --now snapd.socket
$ sudo ln -s /var/lib/snapd/snap /snap
$ sudo snap install core; sudo snap refresh core
$ sudo snap install --classic certbot

CentOS 7

$ sudo yum install epel-release
$ sudo yum install snapd
$ sudo systemctl enable --now snapd.socket
$ sudo ln -s /var/lib/snapd/snap /snap
$ sudo snap install core; sudo snap refresh core
$ sudo snap install --classic certbot

RHEL 8

$ sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
$ sudo dnf upgrade
$ sudo subscription-manager repos --enable "rhel-*-optional-rpms" --enable "rhel-*-extras-rpms"
$ sudo yum update
$ sudo yum install snapd
$ sudo systemctl enable --now snapd.socket
$ sudo ln -s /var/lib/snapd/snap /snap
$ sudo snap install core; sudo snap refresh core
$ sudo snap install --classic certbot

RHEL 7

$ sudo rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo subscription-manager repos --enable "rhel-*-optional-rpms" --enable "rhel-*-extras-rpms"
$ sudo yum update
$ sudo yum install snapd
$ sudo systemctl enable --now snapd.socket
$ sudo ln -s /var/lib/snapd/snap /snap
$ sudo snap install core; sudo snap refresh core
$ sudo snap install --classic certbot

How to get the certificate and apply it

Certbot requires the Cron utility. Check that it's installed before proceeding.

$ command -v cron

If you have Cron installed, you will see output like below:

$ command -v cron
/usr/sbin/cron

If not, install Cron using your distribution's default package manager.

After that, you need to check whether ports 80 and 443 are available. Certbot recommends opening them. You can check with the command below.

$ sudo ss -tulwn | grep LISTEN
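
The grep above only shows that something is listening. As an added example (not from the original post), the helper below reads the same ss -tulwn output and reports, for ports 80 and 443, whether a TCP listener is bound to a non-loopback address. The names port_state and sample_ss_output and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# port_state PORT: reads `ss -tulwn` output on stdin and prints
#   any       a TCP listener is bound to a non-loopback address
#   loopback  the only listeners are on 127.0.0.0/8 or [::1]
#   none      nothing is listening on PORT
port_state() {
    awk -v port="$1" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i != "LISTEN") continue
                addr = $(i + 3)          # State Recv-Q Send-Q Local-Address:Port
                n = split(addr, parts, ":")
                if (parts[n] != port) break   # exact match, so 8080 is not 80
                host = substr(addr, 1, length(addr) - length(port) - 1)
                sub(/%.*$/, "", host)    # drop an interface suffix such as %lo
                if (host ~ /^127\./ || host == "[::1]") { loop = 1 } else { wide = 1 }
                break
            }
        }
        END { print (wide ? "any" : (loop ? "loopback" : "none")) }
    '
}

# Constructed sample of `ss -tulwn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:443      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
EOF
}

# On a real host, replace sample_ss_output with: sudo ss -tulwn
for p in 80 443; do
    printf 'port %s: %s\n' "$p" "$(sample_ss_output | port_state "$p")"
done
```

A listener bound only to a loopback address does not accept connections from other hosts, so a result of loopback or none is worth resolving in the web server or firewall configuration first.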

Finally, run the command below that matches your web server.

$ sudo certbot --nginx     # For the NGINX web server.
$ sudo certbot --apache    # For the Apache web server.

Certbot will get a certificate from Let's Encrypt and apply it to your web server automatically.