Certbot SSL Certificates (Let's Encrypt)

Note: This article series covers configuring Debian 12 for hosting multiple domains and web sites on a single dedicated server. As such, some strategies may be inappropriate for your environment. Sockets, for example, are appropriate for communication between services hosted on the same machine but not suited to a setup with distributed services (where you'd use ports). Please consult the overview for more information.
Originally, all websites were delivered over port 80 as unencrypted text. As processing power increased, it became possible to encrypt the transport of HTML documents, which is done over port 443.
The disadvantage of just delivering text is that a third party can snoop on your activity by simply intercepting communications between the client and the server.
Eventually, the World-Wide Web adopted encrypted transport as a standard. At the time, the only way of getting a secure certificate was to pay an official Certificate Authority for it. The cost of that certificate, plus the cost of newer hardware that could deliver the additional encryption, meant that many people faced running their web services at a loss.
Introducing Let's Encrypt, a free Certificate Authority set up by those heroes at the Internet Security Research Group, a non-profit project to help enable the entire internet to have HTTPS.
Later this evolved into what is now Certbot, which you'll be using if you want to get some free secure certificates for your websites and email. They automatically renew every 90 days and there are a few very simple commands you can use to manage your certificates.
In this article, we'll be installing Certbot on your server and discussing how you can get, list, update, deploy and revoke your certificates. Certbot will even configure your web site for SSL automatically if you wish. It's easy peasy!
Install Certbot
First off, update your package manager:
sudo apt update
Install Certbot:
sudo apt install certbot
Before Certbot issues a certificate, you have to prove that you own the domain name you're requesting certificates for.
If you've got the Apache web server installed then you can use that. Certbot places a secret in your website folder which it then requests over the network. Once it verifies you own the domain, it will issue you a public and private key file covering the domain / subdomains you requested, which it will then automatically renew for you every 90 days.
I usually make sure I've got an Apache web site running on port 80 before I request any SSL certificates and I've never had a problem.
It will optionally upgrade your insecure website to use the new certificate for you.
Make sure that you set up your domain name DNS and your server to host your web site before requesting a new certificate so that Certbot can request it from their end.
Get a certificate
The basic syntax to get a certificate is:
sudo certbot certonly --apache -d mydomain.com -d www.mydomain.com
The certonly means that certbot will not upgrade your website for you but the --apache bit means it will use Apache to verify you own the domain before issuing your certificate.
After that, use the -d prefix to specify each domain you'd like to include on the certificate. Typically, for most websites you need the primary domain (x.com) and the www sub domain (www.x.com). I also get the mail sub-domain for my email accounts (mail.x.com).
If you omit the certonly bit, Certbot will also upgrade your insecure Apache web site to use the new certificate for you.
Deploy a certificate
To get your website automatically configured you'd use:
sudo certbot --apache -d mydomain.com -d www.mydomain.com
Navigate to your website in your browser after you've run that command and you should see the icon that indicates you're now secure.
List certificates
To list the certificates on your server use:
sudo certbot certificates
Notice that the command shows you all the domains you already have on each certificate, which is very useful when you want to add a name to your certificate. Certbot uses the bulk update method, which means you need to specify all of the domains you would like on your certificate.
Update / modify certificate
To add the mail sub-domain to the certificate for mydomain.com you'd use:
sudo certbot certonly --apache -d mydomain.com -d www.mydomain.com -d mail.mydomain.com
Remember Certbot uses the bulk update method so you have to include every domain name you want to cover on that certificate.
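The bulk update rule above, as an added example (not part of the original article and not Certbot's own code): a shell helper that reads the text printed by the list command, collects every name already on a certificate, and prints the command that keeps them all while adding one more. The sample listing is constructed, the function names are hypothetical, and --cert-name is an addition here to pin which certificate gets changed.

```bash
#!/usr/bin/env bash
# Added example (not from the article): build the complete -d list needed to
# add one name to an existing certificate, from `certbot certificates` output.

# Constructed sample of the listing text (not real data).
SAMPLE_LISTING='Found the following certs:
  Certificate Name: mydomain.com
    Domains: mydomain.com www.mydomain.com
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mydomain.com/fullchain.pem
  Certificate Name: example.org
    Domains: example.org
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 89 days)'

# domains_for_cert NAME (hypothetical helper): reads a listing on stdin and
# prints the names on the Domains: line of certificate NAME, or nothing.
domains_for_cert() {
  awk -v want="$1" '
    $1 == "Certificate" && $2 == "Name:" { current = $3 }
    $1 == "Domains:" && current == want {
      for (i = 2; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
      exit
    }'
}

# expand_command NAME NEW (hypothetical helper): prints the command that keeps
# every existing name and adds NEW. Returns 1 if NAME is not in the listing.
expand_command() {
  local name="$1" new="$2" existing d args=""
  existing="$(domains_for_cert "$name")"
  if [ -z "$existing" ]; then
    echo "no certificate named $name in listing" >&2
    return 1
  fi
  for d in $existing; do
    if [ "$d" = "$new" ]; then new=""; fi   # already covered: do not repeat it
    args="$args -d $d"
  done
  if [ -n "$new" ]; then args="$args -d $new"; fi
  # --cert-name pins which certificate is changed (assumption: not in the article).
  echo "sudo certbot certonly --apache --cert-name $name$args"
}

# Demo on the constructed sample. On a server, pipe in the real listing:
#   sudo certbot certificates | expand_command mydomain.com mail.mydomain.com
printf '%s\n' "$SAMPLE_LISTING" | expand_command mydomain.com mail.mydomain.com
```

The helper only prints the command so you can read the full name list before running it; a name missing from that list would be dropped from the reissued certificate.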
Occasionally, you might want to remove a certificate, for example when the approval process fails and leaves half a certificate on your server (e.g. if the network connection is interrupted mid-test), or when you don't need to host that site on your server anymore.
Revoke / delete a certificate
First list the certificates:
sudo certbot certificates
Get the name of the certificate you would like to delete and revoke it as follows:
sudo certbot revoke --cert-name mydomain.com
Obviously, in the example above, the certificate is called mydomain.com. During the revocation process, you'll be asked if you also want to delete the certificate from your server.
That's all there is to it. Now you know how to manage the SSL certificates on your server. Told you it was simple, didn't I?