Let’s Encrypt is the standard way to add a free trusted SSL/TLS certificate to a website. If you run Apache on Ubuntu, Certbot can request the certificate, update the Apache virtual host, and set up automatic renewal.
This guide shows the practical path for a normal Apache site, plus the checks that keep SSL from breaking later.
Before You Start
Make sure these are true before running Certbot:
- The domain already points to this server.
- Apache is serving the site over normal HTTP.
- Port 80 is reachable from the public internet.
- Port 443 is open for HTTPS traffic.
- You can SSH into the server and run sudo commands.
- You know every hostname you want on the certificate, such as example.com and www.example.com.
Check DNS first:
dig +short example.com
dig +short www.example.com
The returned IP should be the public IP of the server where Apache is running.
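The two checks above (DNS answer matches the server, Apache already listening on 80 and 443) are easy to script. The helper below is an added example, not part of the original guide: it parses captured dig and ss output so the logic can be exercised offline, and the IP addresses and process IDs in the sample output are constructed, not real.

```shell
#!/bin/sh
# Added pre-flight helper (not from the original guide). It checks that
# every A record returned by `dig +short` is this server's public IP and
# that Apache is already listening on :80 and :443 in `ss -tulpn` output.

# dns_points_here DIG_OUTPUT EXPECTED_IP
# `dig +short` may print a CNAME target before the A record(s), so only
# IPv4 answers are kept, and every one of them must equal EXPECTED_IP.
# Returns 0 on a match, 1 otherwise (an empty answer also fails).
dns_points_here() {
    dig_output=$1
    expected=$2
    addrs=$(printf '%s\n' "$dig_output" \
        | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' || true)
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        [ "$a" = "$expected" ] || return 1
    done
    return 0
}

# ports_listening SS_OUTPUT
# Looks for TCP LISTEN sockets on :80 and :443. Prints the missing ports
# and returns 1 if either is absent; returns 0 when both are present.
ports_listening() {
    ss_output=$1
    missing=""
    for port in 80 443; do
        if ! printf '%s\n' "$ss_output" \
            | grep -E "^tcp +LISTEN .*:$port " >/dev/null; then
            missing="$missing $port"
        fi
    done
    [ -z "$missing" ] && return 0
    echo "not listening on:$missing"
    return 1
}

# Constructed sample output (stand-ins for `dig +short www.example.com`
# and `sudo ss -tulpn`); replace with live output on a real server:
#   dns_points_here "$(dig +short www.example.com)" "$(curl -s https://ifconfig.me)"
#   ports_listening "$(sudo ss -tulpn)"
SAMPLE_DIG='example.com.
203.0.113.10'
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("apache2",pid=1234,fd=4))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("apache2",pid=1234,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=800,fd=3))'
SAMPLE_SS_NO_TLS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("apache2",pid=1234,fd=4))'

dns_points_here "$SAMPLE_DIG" 203.0.113.10 && echo "DNS: ok"
ports_listening "$SAMPLE_SS" && echo "Ports: ok"
```

Run it before `certbot --apache`: a DNS mismatch means the HTTP challenge will reach some other machine, and a missing :80 listener means the challenge cannot be answered even when DNS is right.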
Install Certbot for Apache
On current Ubuntu releases, Certbot recommends the Snap package because Snap delivers Certbot updates independently of the Ubuntu apt repositories, which often carry an older version.
sudo snap install core
sudo snap refresh core
sudo apt remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
If the symlink already exists, that last command may print an error. That is fine as long as Certbot runs:
certbot --version
Request the Certificate
Use the Apache installer and include each hostname that should work over HTTPS:
sudo certbot --apache -d example.com -d www.example.com
Certbot will:
- Ask Let’s Encrypt for a certificate.
- Prove you control the domain using an HTTP challenge.
- Install the certificate files on the server.
- Update the Apache site config.
- Offer to redirect HTTP traffic to HTTPS.
For most public sites, choose the redirect option. Visitors who type http://example.com should land on the secure version automatically.
Verify HTTPS
Open the site in a browser:
https://example.com
Then check from the command line:
curl -I https://example.com
You should see a normal HTTP response such as 200, 301, or 302, not a certificate error.
To inspect the certificate dates and issuer:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
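The one-liner above is what you eyeball once; the helper below is an added example (not from the original guide) that turns the same issuer and notAfter output into a verdict you can run from cron or a monitoring check. It assumes GNU date (for `date -d`), and the certificate issuer and dates in the sample are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added helper (not from the original guide): evaluates the issuer and
# dates printed by `openssl x509 -noout -issuer -subject -dates`.

# cert_info HOST: the guide's own check, wrapped so the served
# certificate can be fetched live (needs network; the demo below is offline).
cert_info() {
    echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -issuer -subject -dates
}

# days_until_expiry NOTAFTER_LINE [NOW_EPOCH]
# NOTAFTER_LINE is the "notAfter=..." line from openssl; prints the whole
# days remaining. NOW_EPOCH is overridable so the result is deterministic.
days_until_expiry() {
    not_after=${1#notAfter=}
    now=${2:-$(date -u +%s)}
    expiry=$(date -u -d "$not_after" +%s)
    echo $(( (expiry - now) / 86400 ))
}

# renewal_status DAYS: Certbot's default is to renew when 30 days or fewer
# remain, so a healthy site should normally show more than 30. One word out.
renewal_status() {
    if [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -le 30 ]; then echo renew-due
    else echo ok
    fi
}

# issuer_is_letsencrypt ISSUER_LINE: after `certbot --apache` the served
# issuer should name Let's Encrypt. Anything else usually means Apache is
# still presenting its old certificate (the Ubuntu "snakeoil" self-signed
# one, for instance), even though Certbot obtained a new one.
# Handles both "O = Let's Encrypt" and "O=Let's Encrypt" spellings.
issuer_is_letsencrypt() {
    printf '%s\n' "$1" | grep -Eq "O ?= ?Let's Encrypt"
}

# check_cert INFO [NOW_EPOCH]: prints "<status> <days>d <issuer-ok|issuer-unexpected>"
check_cert() {
    info=$1
    now=${2:-$(date -u +%s)}
    issuer=$(printf '%s\n' "$info" | grep '^issuer=' || true)
    not_after=$(printf '%s\n' "$info" | grep '^notAfter=' || true)
    days=$(days_until_expiry "$not_after" "$now")
    if issuer_is_letsencrypt "$issuer"; then iss=issuer-ok; else iss=issuer-unexpected; fi
    echo "$(renewal_status "$days") ${days}d $iss"
}

# Constructed sample of what cert_info prints for a fresh certificate
# (issuer CN and dates are illustrative). For a live host use:
#   check_cert "$(cert_info example.com)"
SAMPLE_INFO="issuer=C = US, O = Let's Encrypt, CN = R3
subject=CN = example.com
notBefore=Mar  3 12:00:00 2030 GMT
notAfter=Jun  1 12:00:00 2030 GMT"

check_cert "$SAMPLE_INFO"
```

A non-zero exit from `renewal_status` is deliberately not used; the one-word status is easier to grep for from a monitoring job, and "renew-due" on a site with a working timer is the early warning that renewal has silently stopped.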
Check Automatic Renewal
Let’s Encrypt certificates expire quickly by design, so renewal is not optional. Certbot normally installs a systemd timer that renews certificates automatically.
Run a dry run:
sudo certbot renew --dry-run
If the dry run succeeds, the renewal path is working.
Check the timer:
systemctl list-timers | grep certbot
List certificates Certbot knows about:
sudo certbot certificates
Useful Apache Checks
Before blaming Let’s Encrypt, confirm Apache itself is healthy.
Check config syntax:
sudo apachectl configtest
Reload Apache:
sudo systemctl reload apache2
Check Apache status:
sudo systemctl status apache2 --no-pager
Confirm Apache is listening on HTTP and HTTPS:
sudo ss -tulpn | grep -E ':80|:443'
Common Problems
DNS points to the wrong server
Let’s Encrypt validates by connecting to whatever server the domain’s DNS points at. If DNS points somewhere else, validation will fail. Fix DNS first, then retry.
Port 80 is blocked
The default HTTP challenge needs inbound port 80. Check UFW, cloud firewall rules, security groups, and any upstream load balancer.
sudo ufw status
Apache has a broken virtual host
If Apache cannot parse its config, Certbot cannot safely edit and reload it. Run:
sudo apachectl configtest
Too many failed attempts
Let’s Encrypt has rate limits. Do not repeatedly issue new certificates while debugging. Fix DNS, firewall, and Apache config first. Use --dry-run for renewal testing.
What About Ubuntu 16.04 Xenial?
The original note for this article pointed to Certbot’s old Ubuntu Xenial + Apache page. Ubuntu 16.04 is end-of-life. If a public web server is still on Xenial, the right long-term fix is to upgrade the server to a supported release.
If you must keep an old Xenial server online temporarily, treat it as legacy infrastructure:
- Snapshot and back it up before changes.
- Restrict SSH access.
- Move the site to a supported server as soon as possible.
- Do not treat a working certificate as proof the server is safe.
Quick Command Summary
sudo snap install core
sudo snap refresh core
sudo apt remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --apache -d example.com -d www.example.com
sudo certbot renew --dry-run
Bottom Line
For a normal Apache site, the reliable path is simple: make sure DNS and ports are correct, install Certbot from Snap, run certbot --apache, choose HTTPS redirect, and verify renewal with a dry run.
The part most people skip is renewal testing. Do it once during setup so the certificate does not quietly expire later.