How to Install an ACME SSL Certificate on Apache & NGINX using Certbot?
Without a valid SSL certificate, anyone who visits your site is at risk, and your search rankings are severely impacted. Website owners, DevOps programmers and sysadmins who do not implement ACME-based SSL automation have to renew certificates manually every 90 days, which results in outages if they forget.
Certbot resolves this by enabling automatic certificate issuance and renewal from ACME-compatible certificate authorities such as Sectigo, DigiCert and Let’s Encrypt, directly from your web server.
Why Does Your Choice of Installation Method Matter?
Your choice of installation method is really important. The way you install Certbot affects whether you get updates and security patches automatically.
There are three ways to install Certbot: using your distribution's package manager (apt, dnf or yum), snap, or Python’s pip. Each of these methods behaves differently in production use.
- apt, dnf or yum: This method is fast and integrates well with your system, but it means you will be using the older version of Certbot that ships with your operating system. If you use Debian, Ubuntu or CentOS, this is what you get by default.
- Snap: The people who make Certbot recommend using snap. It updates Certbot automatically in the background, so you always have the latest version. It works on Red Hat systems.
- Pip: This method is best for experienced users who want to create their environments or custom workflows. You need to know Python to use pip.
If you are setting up a production server and you want to make sure you have the latest version of Certbot, you should use snap. Only use apt or dnf if your security rules do not allow you to get packages from external sources.
No matter which method you choose, you need root access to your operating system. Without root access, Certbot cannot create certificate files or change your web server settings.
Install Certbot on Debian, Ubuntu, or Similar Systems
Certbot installation on Debian-based systems requires choosing between apt and snap. Both work, but Snap gives you the version that EFF actively maintains.
Method 1: Using apt (Debian/Ubuntu)
Update your package list first. A stale list causes dependency errors.
sudo apt update
Then install Certbot with the plugin for your web server. Apache and NGINX each need their own plugin; installing the wrong one breaks automatic configuration.
For Apache:
sudo apt install certbot python3-certbot-apache
For NGINX:
sudo apt install certbot python3-certbot-nginx
Method 2: Using snap (Recommended for Debian/Ubuntu)
Ensure snapd is current before installing. An outdated snapd causes the Certbot snap to install incorrectly.
sudo snap install core
sudo snap refresh core
Install Certbot with the --classic flag. This flag grants Certbot the system permissions it needs to read and write SSL files.
sudo snap install --classic certbot
Then create a symbolic link so the system can find the certbot command globally:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Without this symlink, every Certbot command fails with a “command not found” error.
Install Certbot on Red Hat, CentOS, AlmaLinux, or Rocky Linux
Red Hat-based systems require enabling the EPEL repository first. EPEL (Extra Packages for Enterprise Linux) is the repository that provides Certbot. Without it, dnf and yum return a “no package available” error.
Method 1: Using dnf or yum (Red Hat family)
Enable EPEL:
sudo dnf install epel-release
OR on older systems:
sudo yum install epel-release
Clean and refresh the repository cache. This step forces dnf or yum to pull the updated package list from EPEL:
sudo dnf clean all && sudo dnf update
OR:
sudo yum clean all && sudo yum update
Now install Certbot with the correct web server plugin:
For Apache:
sudo dnf install certbot python3-certbot-apache
OR:
sudo yum install certbot python-certbot-apache
For NGINX:
sudo dnf install certbot python3-certbot-nginx
OR:
sudo yum install certbot python-certbot-nginx
Method 2: Using snap (Recommended for Red Hat family)
The snap installation process on Red Hat is identical to that of Debian. Refresh snapd, install Certbot with --classic, and create the symlink:
sudo snap install core && sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Two Configuration Modes and Which Should You Use?
Certbot runs in two modes: automatic and manual. Automatic mode handles everything: certificate issuance, web server configuration, and HTTP validation file creation. Manual mode issues the certificate but leaves server configuration to you.
Use automatic mode unless your NGINX or Apache configuration is non-standard. Manual mode is for situations where Certbot’s automatic edits to nginx.conf or apache2.conf would conflict with existing settings.
Run the Certbot Command to Issue and Install the Certificate
A single Certbot command issues the certificate from your ACME provider and configures your web server. Every flag in this command is required. Missing one causes the request to fail.
For NGINX with Sectigo as the ACME provider:
sudo certbot --nginx --non-interactive --agree-tos \
--email <your-email> \
--server https://acme.sectigo.com/v2/DV \
--eab-kid <your-eab-kid> \
--eab-hmac-key <your-hmac-key> \
--domain example.com \
--domain www.example.com \
--domain api.example.com \
--cert-name my-example-certificate
For Apache, replace --nginx with --apache. Everything else stays the same:
sudo certbot --apache --non-interactive --agree-tos \
--email <your-email> \
--server https://acme.sectigo.com/v2/DV \
--eab-kid <your-eab-kid> \
--eab-hmac-key <your-hmac-key> \
--domain example.com \
--domain www.example.com \
--domain api.example.com \
--cert-name my-example-certificate
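The commands above pass the EAB HMAC key as a command-line argument, where it is visible in the process list and saved in shell history. One way to avoid that, shown here as an added example that is not from the original article, is to write the account settings to an owner-only file and pass it with Certbot's --config option. The function names, the ACME_EAB_KID and ACME_EAB_HMAC_KEY variable names and the /etc/letsencrypt/eab.ini path are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original article.
# Assumed names: ACME_EAB_KID, ACME_EAB_HMAC_KEY, /etc/letsencrypt/eab.ini.

# Write the ACME account options to $1 as a file only its owner can read.
# Option names are Certbot's long flags without the leading dashes.
write_acme_config() {
    if [ -z "${ACME_EAB_KID:-}" ] || [ -z "${ACME_EAB_HMAC_KEY:-}" ]; then
        echo "ACME_EAB_KID and ACME_EAB_HMAC_KEY must be set" >&2
        return 1
    fi
    (
        umask 077   # a new file is created 0600, never briefly world-readable
        # printf is a shell builtin, so the key is not exposed in a process argv
        printf '%s\n' \
            "server = https://acme.sectigo.com/v2/DV" \
            "eab-kid = ${ACME_EAB_KID}" \
            "eab-hmac-key = ${ACME_EAB_HMAC_KEY}" \
            "agree-tos = true" \
            "non-interactive = true" > "$1"
    ) || return 1
    chmod 600 "$1"  # also tightens a file that already existed
}

# Succeeds only if $1 is a regular file with mode 600.
config_is_private() {
    [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "600" ]
}

# Usage as root, with both variables set from a prompt or a secrets store:
#   write_acme_config /etc/letsencrypt/eab.ini
#   certbot --nginx --config /etc/letsencrypt/eab.ini \
#       --email <your-email> --domain example.com \
#       --cert-name my-example-certificate
```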
Verify After Installation
Once Certbot has successfully run, three things can be done to verify that the certificate is in active use.
First, browse your domain. If the padlock icon is visible in Chrome, Firefox or Safari, then HTTPS is live.
Secondly, review the certificate information. In Chrome, click on the lock and choose “Connection is secure” → “Certificate is valid”. The issuer is displayed as the CA that your ACME account is based on, such as Sectigo, DigiCert, etc.
Thirdly, verify the auto-renewal timer. When installed, Certbot provides a systemd timer or cron job on most systems. Run this to verify:
sudo systemctl status certbot.timer
Active (waiting) means the timer is scheduled and automatic renewal is enabled. If the certificate is not renewed, it will expire after 90 days, and all visitors to your site will see a warning about the security of your certificate.
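The browser and timer checks can be complemented by reading the expiry date of the certificate the server actually presents. This added example (not from the original article) classifies that date as ok, renewal-overdue or expired. It assumes GNU date and a 30-day renewal window for 90-day certificates; the function names and the sample date are constructed.

```sh
#!/bin/sh
# Added example, not part of the original article. Assumes GNU date.
# Assumption: a 90-day certificate should have been renewed once fewer
# than 30 days remain; adjust RENEW_WINDOW_DAYS to your CA's lifetime.
RENEW_WINDOW_DAYS=30

# Print the "notAfter=..." line of the certificate host $1 serves (needs network).
served_enddate() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate
}

# $1: "notAfter=..." line from openssl
# $2: optional current time in epoch seconds (defaults to now)
seconds_left() {
    end_epoch=$(date -u -d "${1#notAfter=}" +%s) || return 2
    now_epoch=${2:-$(date -u +%s)}
    echo $(( end_epoch - now_epoch ))
}

# Print ok, renewal-overdue or expired; return 2 if the date cannot be parsed.
renewal_state() {
    secs=$(seconds_left "$1" "$2") || return 2
    if [ "$secs" -le 0 ]; then
        echo expired
    elif [ "$secs" -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        echo renewal-overdue
    else
        echo ok
    fi
}

# Constructed sample: a certificate ending 1 Jun 2025, checked on 20 May 2025.
sample_end="notAfter=Jun  1 12:00:00 2025 GMT"
sample_now=$(date -u -d "2025-05-20 12:00:00" +%s)
echo "sample: $(renewal_state "$sample_end" "$sample_now")"

# Live use: renewal_state "$(served_enddate example.com)"
```

A renewal-overdue result on a live host means the timer has not done its job; `sudo certbot renew --dry-run` exercises the renewal path without replacing the certificate.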
Conclusion
Getting an ACME SSL certificate with Certbot is a way to automate certificate management. It does everything for you, from getting the certificate to installing and renewing it. This helps keep your website safe and stops certificates from expiring.
You can use Apache or NGINX. If you set up your SSL correctly, it will keep your visitors safe and make them trust your website. If you want an SSL solution, you can contact us to buy SSL certificates. We can also help you set them up and manage them over time.