Automate Let's Encrypt on a Cloud Server with certbot
Introduction
The Let’s Encrypt certificate authority issues TLS/SSL certificates for servers free of charge and automatically. One disadvantage of Let’s Encrypt is the relatively short validity period of the certificates. This can be offset by software that automates certificate renewal on the server. A suitable tool for this purpose is “certbot”, published by the Electronic Frontier Foundation (EFF). This article shows, as an example, how to configure certbot on a hosting.fr Cloud server running the Apache web server.
As an alternative to certbot, there is acme.sh, which does not require Python. A separate article covers the installation of acme.sh.
Prerequisites
You have a hosting.fr Cloud server with a valid DNS record, for example demo.mustermann-domain.de.
The server’s operating system is a current version of Debian or Ubuntu.
Installing Apache
Please connect via SSH as the root user on the server. If the sudo command is not available on the server, please install it with the commands:
apt update
apt install sudo
Please install Apache with the following commands, if not already done:
sudo apt update
sudo apt install apache2
To make the server accessible from the Internet, ports 80 and 443 must be open in the firewall.
Installing certbot
Removing old versions
Please ensure that no outdated version of certbot is installed on your system by running the following command:
sudo apt remove certbot
Installation
Please run the following commands to install certbot on your system:
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
Variant 1
There are two configuration variants. In the first variant, certbot configures Apache automatically. In the second variant, you must configure the web server manually. For the first variant, run the following command:
sudo /usr/local/bin/certbot-auto --apache
After entering one of the two commands, other packages from the distribution will be installed:
...
0 upgraded, 53 newly installed, 0 to remove and 0 not upgraded.
74.6 MB of archives need to be downloaded.
After this operation, 229 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Please confirm by entering y.
After the packages are installed, you will be prompted to enter an email address. This address will be used to notify you if the certificate is not renewed in time:
Enter your email address (used for urgent renewal and security notices) (Enter 'c' to cancel):
Please enter an email address where you wish to receive notifications.
Please accept the Let’s Encrypt terms of use by entering A:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:
Then, you will be prompted to agree to receive a newsletter from Let’s Encrypt:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you emails about our work
to encrypt the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
We recommend choosing the “N” option here.
You will now be prompted to specify for which domains you wish to request certificates. Please enter them as a comma-separated list:
No names were found in your configuration files. Please enter your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):
Please note that it is only possible to request certificates for domains pointing to the server’s IP.
When you have requested the certificates for the domains, a question will appear asking if unsecured requests to the web server should be redirected to a secure connection:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the web server configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
We recommend choosing option 2 here to set up a redirect. If no error occurs in certbot, the message “[…] Congratulations! Your certificate and chain have been saved at […]” will appear.
Finally, please restart Apache:
sudo systemctl restart apache2
Variant 2
In the second variant, certbot only downloads the necessary certificates and does not configure Apache. The configuration of Apache must therefore be done manually. For this, please enter the following command:
sudo /usr/local/bin/certbot-auto certonly --apache
The additional steps for configuring certbot are similar to those already described for the first variant.
Automating Certificate Renewal
To automate certificate renewal, a cron job must be created. A corresponding entry in the /etc/crontab file can be added using the following command:
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew" | sudo tee -a /etc/crontab > /dev/null
Test
To check if certbot is working correctly, please access your server’s domain in your browser, for example https://demoserver.mustermann-domain.de. If you do not receive a warning about an invalid certificate in your browser, it means the certificate installation was successful.
Additionally, you can use services such as https://www.ssllabs.com/ to check if the certificates in place are valid.
How Let’s Encrypt Works Behind the Scenes
Let’s Encrypt uses an automated process called ACME to verify that you control a domain before issuing a certificate. This is done by creating a temporary challenge file or DNS entry that the Let’s Encrypt servers check during validation. Once the verification succeeds, the certificate is generated and installed on your system. Because everything is automated, renewals follow the same process without requiring manual intervention. This is what makes Let’s Encrypt convenient for both small projects and production-level services.
Why Automatic Renewal Matters
Certificates issued by Let’s Encrypt are valid for 90 days, so renewals must be scheduled regularly to avoid service interruptions. Short validity periods improve security by limiting how long a compromised certificate remains useful. Auto-renewal ensures your website stays encrypted without needing to check expiration dates manually. Most setups include a renewal script or system timer, and it’s good practice to confirm it runs correctly, especially after server changes or updates.
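One way to confirm that renewal actually runs, as an added example (not part of the original article and not certbot's own code): certbot renew only replaces certificates that are close to expiry, by default within 30 days, so a certificate with noticeably less time left means the renewal job has stopped working. The function names, the 21-day threshold and the certificate path are assumptions; the script needs openssl and GNU date, as found on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example: warn when a certificate is closer to expiry than automatic
# renewal should ever let it get. Names and the 21-day threshold are assumptions.

# Print the whole days left before the certificate in file $1 expires
# (negative once it has expired). Returns 2 if the file cannot be parsed.
cert_days_left() {
    local pem end end_epoch now_epoch
    pem=$1
    end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) || return 2
    end=${end#notAfter=}                      # e.g. "Jun  1 12:00:00 2025 GMT"
    end_epoch=$(date -u -d "$end" +%s) || return 2
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Return 0 if the certificate stays valid for at least $2 more days (default 21),
# 1 if it expires sooner, 2 if the file cannot be read or parsed.
check_renewal() {
    local pem min_days days
    pem=$1
    min_days=${2:-21}
    [ -r "$pem" ] || { echo "UNKNOWN: cannot read $pem" >&2; return 2; }
    days=$(cert_days_left "$pem") || { echo "UNKNOWN: cannot parse $pem" >&2; return 2; }
    if [ "$days" -lt "$min_days" ]; then
        echo "WARNING: $pem expires in $days days, check the renewal job" >&2
        return 1
    fi
    echo "OK: $pem is valid for $days more days"
}

# When called with arguments, e.g. from a daily cron job:
#   check-renewal.sh /path/to/cert.pem 21
# (the path is a placeholder for the certificate file certbot saved)
if [ $# -ge 1 ]; then
    check_renewal "$@"
fi
```

A non-zero exit status lets cron or a monitoring agent raise the alert; status 2 is kept separate so that a missing or unreadable file is not mistaken for a healthy certificate.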
Common Issues During Certificate Setup
Here are a few common problems users run into when configuring Let’s Encrypt:
- Ports 80 or 443 are blocked by a firewall, preventing verification.
- The domain points to the wrong IP address or hasn’t propagated yet.
- Another service is already using the required ports.
- DNS validation fails because a TXT entry was added incorrectly or not saved.
Being aware of these issues helps troubleshoot quickly if the certificate request doesn’t complete as expected.
When Let’s Encrypt May Not Be Enough
Let’s Encrypt works well for most web projects, but there are situations where a commercial certificate is still the better choice. If your company requires extended validation or wants a certificate that shows verified business details, those features aren’t available through Let’s Encrypt. Some enterprise environments also prefer long-term certificates to match internal policies. In those cases, a paid certificate may align better with compliance or documentation needs. For general hosting, though, Let’s Encrypt remains a reliable and secure choice.