Secure HTTP Traffic with Certbot

Traducciones al Español
Estamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
Deprecated

This guide has been deprecated and is no longer being maintained. Please refer to the updated version of this guide.

What is Certbot?

Certbot is a tool that automates the process of getting a signed certificate via Let’s Encrypt to use with TLS.

For most operating system and web server configurations, Certbot creates signed certificates, manages the web server to accept secure connections, and can automatically renew certificates it has created. In most cases, Certbot can seamlessly enable HTTPS without causing server downtime.

Before You Begin

Make sure you have registered a Fully Qualified Domain Name (FQDN) and set up A and AAAA DNS records that point to your Linode’s public IPv4 and IPv6 addresses. Consult our DNS Records: An Introduction and DNS Manager guides for help with setting up a domain.

Note
If you’re using Apache, change each instance of nginx to apache in the following sections.

Use Certbot on Debian

  1. Install the Certbot and web server-specific packages, then run Certbot:

    sudo apt install certbot python-certbot-nginx
    sudo certbot --nginx
    
  2. Certbot will ask for information about the site. The responses will be saved as part of the certificate:

    # sudo certbot --nginx
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator nginx, Installer nginx
    
    Which names would you like to activate HTTPS for?
    -------------------------------------------------------------------------------
    1: example.com
    2: www.example.com
    -------------------------------------------------------------------------------
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel):
  3. Certbot will also ask if you would like to automatically redirect HTTP traffic to HTTPS traffic. It is recommended that you select this option.

  4. When the tool completes, Certbot will store all generated keys and issued certificates in the /etc/letsencrypt/live/$domain directory, where $domain is the name of the domain entered during the Certbot certificate generation step.

    Note
    Certbot recommends pointing your web server configuration to the default certificates directory or creating symlinks. Keys and certificates should not be moved to a different directory.

    Finally, Certbot will update your web server configuration so that it uses the new certificate, and also redirects HTTP traffic to HTTPS if you chose that option.

  5. If you have a firewall configured on your Linode, you can add a firewall rule to allow incoming and outgoing connections to the HTTPS service. On Debian, UFW is a commonly used and simple tool for managing firewall rules. Install and configure UFW for HTTP and HTTPS traffic:

    sudo apt install ufw
    sudo systemctl start ufw && sudo systemctl enable ufw
    sudo ufw allow http
    sudo ufw allow https
    sudo ufw enable
    

Use Certbot on Ubuntu

  1. Install the Certbot and web server-specific packages, then run Certbot:

     sudo apt update
     sudo apt install certbot python3-certbot-nginx
     sudo certbot --nginx
    
  2. Certbot will ask for information about the site. The responses will be saved as part of the certificate:

    # sudo certbot --nginx
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator nginx, Installer nginx
    
    Which names would you like to activate HTTPS for?
    -------------------------------------------------------------------------------
    1: example.com
    2: www.example.com
    -------------------------------------------------------------------------------
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel):
  3. Certbot will also ask if you would like to automatically redirect HTTP traffic to HTTPS traffic. It is recommended that you select this option.

  4. When the tool completes, Certbot will store all generated keys and issued certificates in the /etc/letsencrypt/live/$domain directory, where $domain is the name of the domain entered during the Certbot certificate generation step.

    Note
    Certbot recommends pointing your web server configuration to the default certificates directory or creating symlinks. Keys and certificates should not be moved to a different directory.

    Finally, Certbot will update your web server configuration so that it uses the new certificate, and also redirects HTTP traffic to HTTPS if you chose that option.

  5. If you have a firewall configured on your Linode, you can add a firewall rule to allow incoming and outgoing connections to the HTTPS service. On Ubuntu, UFW is a commonly used and simple tool for managing firewall rules. Install and configure UFW for HTTP and HTTPS traffic:

     sudo apt install ufw
     sudo systemctl start ufw && sudo systemctl enable ufw
     sudo ufw allow http
     sudo ufw allow https
     sudo ufw enable
    

Use Certbot on CentOS 7

  1. Enable the EPEL repository:

    sudo yum install epel-release
    sudo yum update
    
  2. Install the Certbot and web server-specific packages, then run Certbot:

    sudo yum install python2-certbot-nginx nginx
    sudo certbot --nginx
    
  3. Certbot will ask for information about the site. The responses will be saved as part of the certificate:

    # sudo certbot --nginx
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator apache, Installer apache
    
    Which names would you like to activate HTTPS for?
    -------------------------------------------------------------------------------
    1: example.com
    2: www.example.com
    -------------------------------------------------------------------------------
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel):
  4. Certbot will also ask if you would like to automatically redirect HTTP traffic to HTTPS traffic. It is recommended that you select this option.

  5. When the tool completes, Certbot will store all generated keys and issued certificates in the /etc/letsencrypt/live/$domain directory, where $domain is the name of the domain entered during the Certbot certificate generation step.

    Note
    Certbot recommends pointing your web server configuration to the default certificates directory or creating symlinks. Keys and certificates should not be moved to a different directory.

    Finally, Certbot will update your web server configuration so that it uses the new certificate, and also redirects HTTP traffic to HTTPS if you chose that option.

  6. If you have a firewall configured on your Linode, you may need to add Firewall Rules to allow incoming and outgoing connections to the HTTPS service. On CentOS, firewalld is the default tool for managing firewall rules. Configure firewalld for HTTP and HTTPS traffic:

     sudo firewall-cmd --zone=public --permanent --add-service=http
     sudo firewall-cmd --zone=public --permanent --add-service=https
     sudo firewall-cmd --reload
    

Use Certbot to Renew All Certificates

You can renew all existing certificates that will expire in under 30 days with the following command:

certbot renew

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

This page was originally published on


Your Feedback Is Important

Let us know if this guide was helpful to you.


Join the conversation.
Read other comments or post your own below. Comments must be respectful, constructive, and relevant to the topic of the guide. Do not post external links or advertisements. Before posting, consider if your comment would be better addressed by contacting our Support team or asking on our Community Site.
The Disqus commenting system for Linode Docs requires the acceptance of Functional Cookies, which allow us to analyze site usage so we can measure and improve performance. To view and create comments for this article, please update your Cookie Preferences on this website and refresh this web page. Please note: You must have JavaScript enabled in your browser.