
Let's Encrypt Cheatsheet

This guide helps you set up and manage Let’s Encrypt SSL certificates using Certbot.

1. Install Certbot

Ensure Certbot is installed. If not, install it with:

sudo apt update
sudo apt install certbot

Then install the plugin that matches your web server (only one is needed):

sudo apt install python3-certbot-nginx    # Nginx
sudo apt install python3-certbot-apache   # Apache

2. Obtain a Certificate Using HTTP Challenge (Automatic)

For web servers like Nginx or Apache, use:

sudo certbot --nginx -d example.com -d www.example.com

or

sudo certbot --apache -d example.com -d www.example.com

This method automatically configures SSL for your server.

3. Obtain a Wildcard Certificate Using DNS Challenge (Manual)

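To obtain a wildcard certificate (*.example.com), use the DNS challenge. Quote the name so the shell does not expand the *:

sudo certbot certonly --manual --preferred-challenges=dns \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos -d '*.example.com'

Certbot will prompt you to add a TXT record (_acme-challenge.example.com) at your DNS provider. Create the record, wait for it to propagate, then continue. A certificate issued with --manual is not renewed by certbot renew unless an authentication hook (--manual-auth-hook) is configured, so without one you must repeat this command before the certificate expires.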

4. Check Existing Certificates

sudo certbot certificates

5. Renew SSL Certificates

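Let’s Encrypt certificates expire after 90 days. To renew manually, test with a dry run first, then run the real renewal:

sudo certbot renew --dry-run   # simulate renewal without replacing any certificate
sudo certbot renew             # renew every certificate that is close to expiry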

6. Delete a Certificate

sudo certbot delete --cert-name example.com

7. Enable Auto-Renewal with Cron

To automate renewal, add a cron job to root's crontab:

sudo crontab -e

Then add this line:

0 3 * * * certbot renew --quiet

This runs renewal daily at 3:00 AM.
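
A check to pair with the cron job, added here as an example and not part of the original cheatsheet: it reads the output of certbot certificates (section 4) and reports any certificate that is invalid or has fewer than 30 days left, the point at which Certbot renews a 90-day certificate by default, so a hit means the nightly run is failing for that certificate. The names find_stale_certs, sample_output and MIN_DAYS and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). find_stale_certs, sample_output
# and MIN_DAYS are names made up for this sketch.
# Certbot renews once fewer than 30 days remain, so anything below that
# threshold after the nightly cron run means renewal is failing.
MIN_DAYS=30

# Reads `certbot certificates` output on stdin, prints one line per
# certificate that needs attention, returns 1 if any was found.
find_stale_certs() {
    awk -v min="${1:-$MIN_DAYS}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /[(]INVALID/) {            # expired, revoked or staging cert
                print name ": invalid"; bad = 1
            } else if (match($0, /VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                if (days < min) { print name ": " days " days left"; bad = 1 }
            } else {                            # no day count: under a day, shown in hours
                print name ": less than a day left"; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample in the layout `certbot certificates` prints.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2025-06-01 03:00:12+00:00 (VALID: 74 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: wild.example.com
    Domains: *.example.com
    Expiry Date: 2025-03-30 09:41:05+00:00 (VALID: 11 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2025-01-02 10:15:44+00:00 (INVALID: EXPIRED)
EOF
}

# On a real host: sudo certbot certificates 2>/dev/null | find_stale_certs
sample_output | find_stale_certs || echo "renewal needs attention" >&2
```

Run from a second cron entry, the non-zero exit status and the printed lines give cron something to mail when a certificate such as a manually issued wildcard has silently stopped renewing.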

8. Configure Nginx with SSL Certificate

Edit your Nginx configuration:

server {
    listen 443 ssl;
    server_name example.com;
    
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}

Then restart Nginx:

sudo systemctl restart nginx