Free SSL With Let's Encrypt

Let’s Encrypt is the standard way to add a free trusted SSL/TLS certificate to a website. If you run Apache on Ubuntu, Certbot can request the certificate, update the Apache virtual host, and set up automatic renewal.

This guide shows the practical path for a normal Apache site, plus the checks that keep SSL from breaking later.

Before You Start

Make sure these are true before running Certbot:

The domain already points to this server.
Apache is serving the site over normal HTTP.
Port 80 is reachable from the public internet.
Port 443 is open for HTTPS traffic.
You can SSH into the server and run sudo commands.
You know every hostname you want on the certificate, such as example.com and www.example.com.

Check DNS first:

dig +short example.com
dig +short www.example.com

The returned IP should be the public IP of the server where Apache is running.

Install Certbot for Apache

On current Ubuntu releases, Certbot recommends the Snap package because it stays current independently of the older Ubuntu apt package repositories.

sudo snap install core
sudo snap refresh core
sudo apt remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

If the symlink already exists, that last command may print an error. That is fine as long as Certbot runs:

certbot --version

Request the Certificate

Use the Apache installer and include each hostname that should work over HTTPS:

sudo certbot --apache -d example.com -d www.example.com

Certbot will:

Ask Let’s Encrypt for a certificate.
Prove you control the domain using an HTTP challenge.
Install the certificate files on the server.
Update the Apache site config.
Offer to redirect HTTP traffic to HTTPS.

For most public sites, choose the redirect option. Visitors who type http://example.com should land on the secure version automatically.

Verify HTTPS

Open the site in a browser:

https://example.com

Then check from the command line:

curl -I https://example.com

You should see a normal HTTP response such as 200, 301, or 302, not a certificate error.

To inspect the certificate dates and issuer:

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates

Check Automatic Renewal

Let’s Encrypt certificates expire quickly by design, so renewal is not optional. Certbot normally installs a systemd timer that renews certificates automatically.

Run a dry run:

sudo certbot renew --dry-run

If the dry run succeeds, the renewal path is working.

Check the timer:

systemctl list-timers | grep certbot

List certificates Certbot knows about:

sudo certbot certificates

Useful Apache Checks

Before blaming Let’s Encrypt, confirm Apache itself is healthy.

Check config syntax:

sudo apachectl configtest

Reload Apache:

sudo systemctl reload apache2

Check Apache status:

sudo systemctl status apache2 --no-pager

Confirm Apache is listening on HTTP and HTTPS:

sudo ss -tulpn | grep -E ':80|:443'

Common Problems

DNS points to the wrong server

Certbot validates the server reached by the domain. If DNS points somewhere else, validation will fail. Fix DNS first, then retry.

Port 80 is blocked

The default HTTP challenge needs inbound port 80. Check UFW, cloud firewall rules, security groups, and any upstream load balancer.

sudo ufw status

Apache has a broken virtual host

If Apache cannot parse its config, Certbot cannot safely edit and reload it. Run:

sudo apachectl configtest

Too many failed attempts

Let’s Encrypt has rate limits. Do not repeatedly issue new certificates while debugging. Fix DNS, firewall, and Apache config first. Use --dry-run for renewal testing.

What About Ubuntu 16.04 Xenial?

The original note for this article pointed to Certbot’s old Ubuntu Xenial + Apache page. Ubuntu 16.04 is end-of-life. If a public web server is still on Xenial, the right long-term fix is to upgrade the server to a supported release.

If you must keep an old Xenial server online temporarily, treat it as legacy infrastructure:

Snapshot and back it up before changes.
Restrict SSH access.
Move the site to a supported server as soon as possible.
Do not treat a working certificate as proof the server is safe.

Quick Command Summary

sudo snap install core
sudo snap refresh core
sudo apt remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --apache -d example.com -d www.example.com
sudo certbot renew --dry-run

Bottom Line

For a normal Apache site, the reliable path is simple: make sure DNS and ports are correct, install Certbot from Snap, run certbot --apache, choose HTTPS redirect, and verify renewal with a dry run.

The part most people skip is renewal testing. Do it once during setup so the certificate does not quietly expire later.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Free SSL With Let’s Encrypt