Skip to content

About Let's Encrypt

To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA).

Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host.

About Certbot

Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your web server. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client” or “the Let’s Encrypt Python client.” Certbot will also work with any other CAs that support the ACME protocol.


First thing, we install certbot client by typing apt install -y certbot.

He is necessary to order our futur SSL certificates.

Order SSL certificates

They several way to get a SSL certificate.

The advantage of standalone mod it is no dependant of webserver type or if applications still already running on the server.

You must close webserver or applications they use PORT 80 (for –preferred-challenge http) or PORT 443 (for –preferred-challenge tls-sni). Check with netstat if the port is free or busy.

If nginx is already installed you can type systemctl stop nginx.service before to order your certificate and relaunch it after the order or you can use prehook & posthook arguments like as certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start".

By port 443
sudo certbot certonly --standalone --rsa-key-size 4096 --preferred-challenge tls-sni -d

In case where you have this return Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. it is because you have an older version of certbot installed just upgrade it on the last version to works fine.

By port 80
sudo certbot certonly --standalone --rsa-key-size 4096 --preferred-challenge http -d

When you have ordered your certificates they're stored under /etc/letsencrypt/live/ as you can see beneath.

ls -l /etc/letsencrypt/live/
total 4
lrwxrwxrwx 1 root root  42 Sep 12 00:32 cert.pem -> ../../archive/
lrwxrwxrwx 1 root root  43 Sep 12 00:32 chain.pem -> ../../archive/
lrwxrwxrwx 1 root root  47 Sep 12 00:32 fullchain.pem -> ../../archive/
lrwxrwxrwx 1 root root  45 Sep 12 00:32 privkey.pem -> ../../archive/
-rw-r--r-- 1 root root 543 Sep 12 00:32 README


Now you can use your certificates everywhere where you need to have encryption layer with SSL ! In more let's encrypt is totally open-source and cost-free.