Let's Encrypt with Apache
This guide explains how to install a free Let's Encrypt SSL certificate on a Linux server running Apache using Certbot — including automatic renewal.
Prerequisites: Apache must be installed and running. The A record of your domain must point to your server's IP. Ports 80 and 443 must be open in the firewall.
Step 1: Install Certbot
Install Certbot and the Apache plugin via the package manager.
Debian / Ubuntu
Terminal
apt update
apt install certbot python3-certbot-apache
CentOS / AlmaLinux / Rocky Linux
Terminal
dnf install epel-release
dnf install certbot python3-certbot-apache
Step 2: Enable the SSL module in Apache
Required on Debian/Ubuntu only — the SSL module must be enabled.
Terminal
a2enmod ssl
systemctl restart apache2
Step 3: Issue the certificate
Certbot issues the certificate and configures Apache automatically.
Replace your-domain.com with your actual domain name:
Terminal
certbot --apache -d your-domain.com -d www.your-domain.com
Certbot asks for an email address and whether to redirect HTTP to HTTPS. Choose 2 for the automatic redirect.
Step 4: Verify the installation
Test the Apache configuration and reload.
Terminal
apache2ctl configtest
systemctl reload apache2
Open your domain in a browser — you should see https:// and the padlock icon.
Step 5: Verify automatic renewal
Certbot renews certificates automatically — verify the timer is active.
Terminal
systemctl status certbot.timer
Test automatic renewal with a dry run:
Terminal
certbot renew --dry-run
If --dry-run succeeds, automatic renewal is working correctly.
Manually renew the certificate
If a manual renewal is needed.
Terminal
certbot renew
systemctl reload apache2
Common error messages
| Error | Cause & fix |
|---|---|
| Connection refused on port 80 | Port 80 is blocked by the firewall. Open it in iptables or nftables. |
| Could not reliably determine the server's fully qualified domain name | Add ServerName your-domain.com to the Apache configuration and restart Apache. |
| DNS problem: NXDOMAIN | The domain's A record does not point to this server. Check DNS and wait for propagation. |
| AH00526: Syntax error | Certbot modified the Apache config incorrectly. Check with apache2ctl configtest and fix manually. |
Further Documentation
The full Certbot documentation is available on the official website.