How to get free SSL certificates on Ubuntu with Let’s Encrypt


EDIT: The instructions below are outdated; certbot should be used for a new installation.

Let’s Encrypt has finally gone public with its open-source, easy-to-use SSL certification solution (available to everybody, starting on the 3rd of December).
And yes, it’s free! As I’m writing this, Let’s Encrypt is still in beta, but it is working well in a production environment. Check out their site to understand how it works.

I assume that you already know how to enable SSL on Apache and that you are comfortable at the command line.

So, let’s do this!

Install git

apt-get install git

Get Let’s Encrypt

git clone

Create a config file for Let’s Encrypt

vim /etc/letsencrypt/cli.ini

We put the following in cli.ini (change webroot-path to your webroot):

authenticator = webroot
webroot-path = /var/www/vhosts/
server =
email =


Generate your certificates

/your_path/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/cli.ini -d -d www. certonly

Update your Apache configuration to use the new certificate

SSLCertificateKeyFile /etc/letsencrypt/live/
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/

Make sure that SSLEngine is set to on.

Reload the Apache config

service apache2 reload

Check if it worked!



The certificate will be good for 90 days. Let’s have cron renew it automatically every month.

crontab -e
@monthly /your_path/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/cli.ini -d -d www. certonly && service apache2 reload

Congratulations! You have secured your site with a free SSL certificate which will be renewed every 30 days.
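
The Apache step above fails in two easy ways: a certificate path without its leading slash, and a missing SSLEngine on. The following check is an added example, not part of the original post; the function name check_vhost_tls and its finding labels are hypothetical, and the private-key permission check is an extra that the post does not cover.

```shell
# Added example, not the post's code. Lint an Apache vhost file for TLS
# directive mistakes. Prints one finding per line; returns 0 when clean, else 1.
check_vhost_tls() {
    conf=$1
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 1; }
    findings=$(awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        # Apache directive names are case-insensitive; paths may be quoted.
        { name = tolower($1); arg = $2; gsub(/"/, "", arg) }
        name == "sslengine" && tolower(arg) == "on" { engine = 1 }
        name ~ /^sslcertificate(key|chain)?file$/ {
            seen[name] = 1
            if (arg !~ /^\//) print "RELATIVE_PATH " $1 " " arg
            else if (name == "sslcertificatekeyfile") print "KEYFILE " arg
        }
        END {
            if (!engine) print "MISSING SSLEngine on"
            if (!seen["sslcertificatekeyfile"]) print "MISSING SSLCertificateKeyFile"
            if (!seen["sslcertificatefile"]) print "MISSING SSLCertificateFile"
        }' "$conf")
    status=0
    while read -r kind rest; do
        [ -n "$kind" ] || continue
        if [ "$kind" = KEYFILE ]; then
            # Whether the file exists is left to "apachectl configtest".
            [ -e "$rest" ] || continue
            # Characters 5-10 of the ls mode string are the group/other bits;
            # -L follows the symlinks Let's Encrypt keeps under live/.
            [ "$(ls -ldL "$rest" | cut -c5-10)" = "------" ] && continue
            echo "KEY_READABLE_BY_OTHERS $rest"
        else
            echo "$kind $rest"
        fi
        status=1
    done <<EOF
$findings
EOF
    return "$status"
}
```

Run it against the vhost file before reloading Apache, for example from the same cron entry, so a bad edit is reported instead of being served.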

7 thoughts on “How to get free SSL certificates on Ubuntu with Let’s Encrypt”

  1. An unexpected error occurred.
    SSLError: (“bad handshake: Error([(‘SSL routines’, ‘SSL3_GET_SERVER_CERTIFICATE’, ‘certificate verify failed’)],)”,)
    Please see the logfiles in /var/log/letsencrypt for more details.

  2. Two problems with your guide:

    1.) SSLCertificateKeyFile etc/letsencrypt/live/

    There is a / missing before etc/letsencrypt/…

    2.) You also need to add “SSLEngine on”, otherwise you get the error “Oops, no RSA or DSA server certificate found for ‘′”

  3. I always get
    Use of –agree-dev-preview is deprecated.
    so can it be removed from the config?

    1. Try it without –agree-dev-preview. Maybe this option is no longer necessary. If the script runs without errors, then everything is fine.
