Install Certbot for Apache

February 18, 2024

The Certbot tool is used with Let's Encrypt certificate authority to generate SSL/TLS certificates for free.
This guide explains how to manually install Certbot for Apache without using snap on a Linux system.

This method is particularly useful for systems with limited storage space and memory constraints.
It also allows for more granular control over the certificate update process.

These instructions have been tested on Debian 11 (Bullseye) and 12 (Bookworm) but it should work on other Debian based distributions as well.

Prerequisites

Before installing Certbot, ensure you have:

Root or sudo access
Apache web server installed
Basic command line knowledge

Installation Steps

1. Remove existing Certbot installation

If you have a previous Certbot installation, remove it first:

sudo apt remove certbot -y

2. Install Required Dependencies

Install Python and other necessary packages:

sudo apt install python3 python3-venv libaugeas0

3. Create Python Virtual Environment

Set up a dedicated virtual environment for Certbot:

sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip

4. Install Certbot and Apache Plugin

Install Certbot with its Apache plugin in the virtual environment:

sudo /opt/certbot/bin/pip install certbot certbot-apache

5. Create Global Command Link

Make the certbot command available system-wide:

sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

6. Configure Automatic Renewal

Set up a cron job for automatic certificate renewal:

sudo cp /etc/crontab /etc/crontab.original
echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

This creates a backup of your crontab and adds a new renewal task that:

Runs twice daily (at midnight and noon)
Includes a random delay to prevent server overload
Executes silently with the -q flag

7. Install SSL Certificates

Generate and install certificates for your domains:

sudo certbot --apache

Follow the interactive prompts to:

Select domains for certification
Choose between HTTP to HTTPS redirect options
Confirm certificate installation

Verification

After installation, verify that Certbot is working:

sudo certbot certificates

This command should list all installed certificates and their expiration dates.

Additional Notes

Certificates are valid for 90 days
The automatic renewal attempts to renew certificates when they are 30 days from expiring
Manual renewal can be performed using: sudo certbot renew
Test the renewal process using: sudo certbot renew --dry-run

Resources

Official Certbot Documentation
- https://certbot.eff.org/instructions?ws=apache&os=pip
Electronic Frontier Foundation (EFF)
- https://www.eff.org/encrypt-the-web
Let's Encrypt Certificate Authority
- https://letsencrypt.org/