Securing your website with HTTPS is essential for privacy, SEO ranking, and user trust. Let’s Encrypt provides free SSL/TLS certificates, and Certbot is the easiest way to automate their installation and renewal.
In this guide, you’ll learn how to install Certbot on Ubuntu 24.04 and issue SSL certificates for Apache, Nginx, or custom setups, including manual certificate-only generation and DNS challenge for wildcard domains.
Prerequisites
Before you start, ensure you have:
- A server running Ubuntu 24.04
- Root or sudo privileges
- A domain name (e.g., example.com)
- Either Apache, Nginx, or another web service installed
Step 1: Update Your System
sudo apt update && sudo apt upgrade -y
Step 2: Install Snapd
Certbot is officially distributed via Snap. Install and refresh Snap core:
sudo apt install snapd -y
sudo snap install core && sudo snap refresh core
Step 3: Install Certbot
Remove any APT-based Certbot installation first:
sudo apt remove certbot -y
Then install the Snap version:
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Step 4: Obtain an SSL Certificate
Certbot supports several modes depending on your setup. Choose one below 👇
A. Automatically Configure Apache
sudo certbot --apache
Certbot will:
- Detect Apache virtual hosts
- Request a Let’s Encrypt certificate
- Configure HTTPS automatically
B. Automatically Configure Nginx
sudo certbot --nginx
This command:
- Detects Nginx server blocks
- Obtains and installs the SSL certificate
- Configures automatic redirection from HTTP to HTTPS
C. Generate Certificate Only (No Auto Configuration)
If you prefer manual configuration, you can generate certificates only.
Option 1: Standalone Plugin
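Use this if Apache or Nginx is stopped or not installed. The standalone plugin starts its own temporary web server on port 80, so stop whichever web server you have running before the request and start it again afterwards.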
sudo systemctl stop apache2
sudo systemctl stop nginx
sudo certbot certonly --standalone -d example.com -d www.example.com
sudo systemctl start apache2
sudo systemctl start nginx
Option 2: Webroot Plugin
Use this if your web server is running and serves files from /var/www/html.
sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com
Certificates are saved at:
/etc/letsencrypt/live/example.com/
Then manually edit your server config (Nginx directives shown):
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
D. Use DNS Challenge (Wildcard or Private Server)
If your site doesn’t serve content over port 80/443 or you want a wildcard certificate (e.g. *.example.com), use the DNS-01 challenge.
Manual DNS Challenge
sudo certbot certonly --manual --preferred-challenges=dns -d example.com -d '*.example.com'
Certbot will show a TXT record similar to:
_acme-challenge.example.com TXT "GvF3v5YFh2oCqUZ4U9E2L7a4zv2sQKqBg0CqQe3x7aU"
👉 Add this record in your DNS zone (through Cloudflare, Route53, etc.),
wait a minute for propagation, and then press Enter to continue.
Once validated, your wildcard certificate will be issued and stored in:
/etc/letsencrypt/live/example.com/
Automated DNS Challenge (API-based)
If your DNS provider is supported by Certbot, you can automate this process.
For example, for Cloudflare:
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare
Then run:
sudo certbot certonly --dns-cloudflare \
--dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
-d example.com -d '*.example.com'
/root/.secrets/cloudflare.ini should contain:
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN
Make sure only root can read it, since the token can change your DNS records:
sudo chmod 600 /root/.secrets/cloudflare.ini
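The permission step above can be verified before each issuance or renewal. The script below is an added example, not part of the original guide or of Certbot: `audit_dns_credentials` is a hypothetical helper name, and it assumes GNU `stat` as shipped on Ubuntu.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: audit a Certbot DNS credentials file.
# audit_dns_credentials is a hypothetical helper name; assumes GNU stat (Ubuntu).
audit_dns_credentials() {
    local file dir mode dmode rc
    file="$1"; rc=0

    # A symlink could be repointed at a file someone else controls.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file must be a regular file, not a symlink" >&2
        return 1
    fi

    # Any group/other bit lets other local accounts read the API token.
    mode=$(stat -c '%a' "$file")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $file has mode $mode, expected 600 or stricter" >&2
        rc=1
    fi

    # The file should belong to the account running Certbot.
    if [ "$(stat -c '%u' "$file")" != "$(id -u)" ]; then
        echo "FAIL: $file is not owned by the current user" >&2
        rc=1
    fi

    # A group/world-writable parent directory lets others replace the file.
    dir=$(dirname -- "$file")
    dmode=$(stat -c '%a' "$dir")
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir (mode $dmode) is group/world-writable" >&2
        rc=1
    fi

    # Catch a missing token line or the guide's unreplaced placeholder.
    if ! grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]]' "$file"; then
        echo "FAIL: no dns_cloudflare_api_token entry in $file" >&2
        rc=1
    elif grep -q 'YOUR_CLOUDFLARE_API_TOKEN' "$file"; then
        echo "FAIL: $file still contains the placeholder token" >&2
        rc=1
    fi

    return "$rc"
}

# Run as root before requesting or renewing: ./audit.sh /root/.secrets/cloudflare.ini
if [ "$#" -gt 0 ]; then audit_dns_credentials "$1"; fi
```

The function returns 0 only when every check passes, so it can gate a scheduled renewal job.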
Step 5: Verify SSL Installation
Open:
https://your-domain.com
Or test your SSL setup using SSL Labs.
Step 6: Test Auto-Renewal
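Let’s Encrypt certificates expire every 90 days, but Certbot auto-renews them. Certificates issued with the manual DNS challenge are the exception: without an authentication hook script there is nothing to create the TXT record unattended, so they have to be renewed by repeating the manual steps.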
You can test renewal with:
sudo certbot renew --dry-run
Step 7: Troubleshooting
Problem | Fix |
---|---|
Port 80/443 blocked | sudo ufw allow 'Nginx Full' or sudo ufw allow 'Apache Full' |
DNS challenge fails | Verify your TXT record is correctly propagated |
Renewal doesn’t work | Check sudo systemctl status snap.certbot.renew.service |
Conclusion
You’ve successfully installed Certbot on Ubuntu 24.04 and configured Let’s Encrypt SSL certificates for Apache, Nginx, or custom setups — including advanced DNS challenge support for wildcard or private domains.
Your site now benefits from secure HTTPS, automatic renewals, and modern encryption practices.