By Eben van Deventer on April 13, 2021
Beginner

How to use CertBot and Let's Encrypt to install SSL Certificates for your self-hosted websites on Debian/Fedora Webservers (Works on Debian 9, 10, and 11, Fedora 34, 35, 36, and 37, either running as Proxmox LXC Containers or on Bare-Metal).


This tutorial assumes that you have a registered domain and that your port forwarding is properly configured, so that the server on which you are creating the SSL Certificate is reachable at the name the public DNS records resolve to.


Let's Encrypt only works for resolvable domains and not on IP addresses.


This tutorial also assumes that you are using NginX or Apache as your Web Server and that it has been properly configured for the specific site. Substitute you@example.com with the admin email address for your domain, and subdomain.yourdomain.com with the website you want to secure:


Step 1 - Installing CertBot


Run the following command as root (or use sudo as a non-root user):


For NginX on Debian:

apt install certbot python3-certbot-nginx -y


For NginX on Fedora:

dnf install certbot python3-certbot-nginx -y


For Apache on Debian

apt install certbot python3-certbot-apache -y


For Apache on Fedora

dnf install certbot python3-certbot-apache -y


Step 2 - Generate and Assign SSL Certificate to website


Run the following command to enable CertBot and generate your initial SSL Certificate, as well as modify the NginX or Apache Virtual Host automatically to make use of the SSL Certificate. CertBot will also renew the SSL Certificate automatically before it expires:


For NginX:

certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d subdomain.yourdomain.com


For Apache:

certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d subdomain.yourdomain.com


The command will generate a secure, signed SSL certificate for the site, install it and configure your Web server to redirect plain HTTP on port 80 (Insecure) to HTTPS on port 443 (SSL Secure). It's really that simple.


Removal - Remove installed certificates and stop renewing them


You might remove some of your sites from your Reverse Proxy configuration or Webserver and therefore no longer need the certificates to be renewed, or to exist on your server at all.


The Command to remove the certificate is:

certbot delete --cert-name subdomain.yourdomain.com

Also, to be a good person and not waste CertBot calls to the Let's Encrypt servers, make sure the site is gone from the renewal configuration by deleting the related .conf file (if it is still present) from /etc/letsencrypt/renewal:

rm /etc/letsencrypt/renewal/subdomain.yourdomain.com.conf


Hooks - Sometimes you need to automate the running of certain commands before, during or after certificate renewals. These are called pre-, deploy- and post-hooks (in that order).


In order to create a hook, you simply need to create an executable .sh file in the appropriate folder:

  1. Pre-Renewal:
cd /etc/letsencrypt/renewal-hooks/pre
  2. Deployment:
cd /etc/letsencrypt/renewal-hooks/deploy
  3. Post-Renewal:
cd /etc/letsencrypt/renewal-hooks/post


Now simply create a .sh file (in our example we will change ownership of the specific certificate and reload Dovecot):

nano /etc/letsencrypt/renewal-hooks/post/example.sh


And edit it to call the shell and run the required commands (note that handing www-data ownership of /etc/letsencrypt/live and /etc/letsencrypt/archive lets the web server user reach every certificate and private key on the host, not only this one):

#!/bin/sh
# Give the web server user the renewed private key (and the live/ and archive/ directories leading to it), then reload Dovecot so it picks up the new certificate.
set -e
chown www-data:www-data /etc/letsencrypt/live/subdomain.yourdomain.com/privkey.pem /etc/letsencrypt/live /etc/letsencrypt/archive
systemctl reload dovecot


Now change permissions to make the file executable:

chmod +x /etc/letsencrypt/renewal-hooks/post/example.sh

And that's it, CertBot should now run the appropriate command each and every time the certificate is renewed.
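A deploy-hook variant of the script above, as an added example that is not from the article: CertBot runs deploy hooks only after a successful renewal and exports RENEWED_LINEAGE and RENEWED_DOMAINS to them, so the hook can act only when the certificate Dovecot uses was renewed, and check the new certificate with openssl before reloading. MAIL_HOST, the Dovecot reload and the statement about Dovecot reading its key as root are assumptions about your setup.

```shell
#!/bin/sh
# Added example: a certbot deploy hook for /etc/letsencrypt/renewal-hooks/deploy/
# (not from the original article). Certbot runs deploy hooks only after a
# successful renewal and exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name>
# directory) and RENEWED_DOMAINS (space-separated names on the renewed certificate).
set -eu

# Assumption: the hostname Dovecot serves TLS for; its lineage is the one from
# the article, /etc/letsencrypt/live/subdomain.yourdomain.com.
MAIL_HOST="${MAIL_HOST:-subdomain.yourdomain.com}"

# Return 0 when "$2" is one of the space-separated names in "$1".
domain_in_list() {
    for name in $1; do
        [ "$name" = "$2" ] && return 0
    done
    return 1
}

# Return 0 when the renewed certificate (names in "$1") covers the mail hostname.
is_mail_renewal() {
    domain_in_list "${1:-}" "$MAIL_HOST"
}

# Return 0 when the certificate file has not expired (openssl -checkend 0).
cert_is_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

main() {
    if ! is_mail_renewal "${RENEWED_DOMAINS:-}"; then
        echo "deploy hook: renewal of [${RENEWED_DOMAINS:-}] does not cover $MAIL_HOST, nothing to do"
        return 0
    fi
    cert="${RENEWED_LINEAGE:?set by certbot for deploy hooks}/fullchain.pem"
    if ! cert_is_valid_now "$cert"; then
        echo "deploy hook: $cert is not currently valid, refusing to reload dovecot" >&2
        return 1
    fi
    # Assumption: Dovecot opens its key as root before dropping privileges,
    # so the key can stay root-owned and no chown of /etc/letsencrypt is needed.
    systemctl reload dovecot
    echo "deploy hook: reloaded dovecot for $RENEWED_DOMAINS"
}

main "$@"
```

Run with `certbot renew --dry-run` to see the hook fire; for a renewal that does not cover MAIL_HOST it exits 0 without touching Dovecot.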

