Hint: You can use the Tab key to autocomplete all filenames and directories, so you don't have to type in the complete file or directory name manually.

This tutorial was last checked and updated on December 9, 2018.

Are you looking for very good, powerful and cheap servers? I've been renting my servers at Contabo for 5 years now and I can highly recommend Contabo to everyone!
  1. If you havn't already done so, download the program "PuTTY".
  2. Connect to your root server or VPS/vServer via SSH using PuTTY. To do this, open PuTTY and enter the domain or IP address of your server in the text box named "Host Name (or IP address)". Then click the "OK" button below.
  3. Add the Debian Backports repository needed to install the Certbot using this command:
    For Debian 8: echo "deb http://ftp.debian.org/debian jessie-backports main" >> /etc/apt/sources.list
    For Debian 9: echo "deb http://ftp.debian.org/debian stretch-backports main" >> /etc/apt/sources.list
  4. Update your package lists with the command apt-get update.
  5. Now install any available updates of the packages already installed on your server using the command apt-get upgrade -y.
  6. Then install the software called "certbot". This software is needed to request and renew your SSL certificates. In addition, Certbot can also automatically set up/include these SSL certificates in your web server configuration (for example, Apache2). The installation command is:
    For Debian 8: apt-get install python-certbot-apache -t jessie-backports -y
    For Debian 9: apt-get install python-certbot-apache -t stretch-backports -y
  7. There are several ways to request SSL certificates and verify the domain ownership. If you, for example, use an Apache2 web server, you can also have the certificates automatically included in the Apache2 configuration after they have been issued. With this method, the Apache2 web server is also used to verify the domain ownership. Another method is the standalone web server, which is provided by the Certbot for the duration of the domain verification (so, just a few seconds). If you use this method, you'll have to set up/include the certificate files manually at the end.
  8. Method 1 - Automatic request and configuration (Apache2 web server):
    1. Request the SSL certificate with the following command: certbot --authenticator webroot --installer apache. You can already specify the web directories and domains here by using the parameters "-w" and "-d". If you don't specify anything using these parameters, you'll be interactively asked for the domains and the corresponding web directories (needed to verify the domain ownership). So, if you'd like to request an SSL certificate for the domain testdomain.com as well as the subdomain www.testdomain.com and the web directory of this domain is located at "/var/www/html/testdomain.com", the command including all necessary information would be the following: certbot --authenticator webroot --installer apache -w /var/www/html/testdomain.com -d testdomain.com -d www.testdomain.com
    2. If you run the Certbot command for the first time, you must register an Let's Encrypt account. Type in your e-mail address and confirm your input by pressing enter.
    3. When using Certbot for the first time, you must also hit the "A" key and press enter to confirm that you accept the license terms.
    4. Now you'll be asked - also only on the first use - if you'd like to sign up for a newsletter of the Electronic Frontier Foundation. If you want that, press the "Y" key, if not, use the "N" key. Then press enter again.
    5. If you haven't already specified any domains and web directories using the parameters "-d " and "-w ", then the Certbot will automatically search for domains and display them (numbered). Now enter the numbers of the domain(s) for which you want to request an SSL certificate (comma separated). If no domains were found, then enter the domains yourself (also comma separated).
    6. You'll then be asked for each domain's corresponding web directory for the domain verification. If you've selected multiple domains and you enter a web directory, you can either choose the same web directory or specify a new one for each of the following domains. Use the numbers that are displayed next to the options (1 = specify a new directory).
    7. Note: If you've selected multiple domains for the SSL certificate request, only one certificate will be issued, which includes all the specified domains. The file name of this certificate is the domain name selected first.
    8. Now you'll be asked if all HTTP requests should be automatically redirected to the HTTPS version of the URL. If you want this, enter the number 2 and press enter. Otherwise, use the number 1.
    9. The SSL certificate has now been issued successfully and it's included in your Apache2 configuration. In the directory "/etc/letsencrypt/live/" there is a subdirectory for each domain. There you'll find all important files (SSL certificate, private key, etc.), if you need them.
  9. Method 2 - Request only the certificate file (without automatic web server configuration):
    1. Request the SSL certificate with the following command: certbot certonly --authenticator standalone. You can already specify the domains here using the parameter "-d". If you don't specify a domain using this parameter, you'll be interactively asked for the domains. If you, for example, already have an Apache2 web server, this must be stopped before you use this method, so that the web port can be used by the Certbot's web server. The Certbot can automatically stop the Apache2 web server before requesting the SSL certificate and then start it after the domain verification is done, if you append --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2" to the command. So, if you'd like to request an SSL certificate for the domain testdomain.com as well as the subdomain www.testdomain.com and if you already have an Apache2 web server running, the command including all necessary information would be the following: certbot certonly --authenticator standalone -d testdomain.com -d www.testdomain.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"
    2. If you run the Certbot command for the first time, you must register an Let's Encrypt account. Type in your e-mail address and confirm your input by pressing enter.
    3. When using Certbot for the first time, you must also hit the "A" key and press enter to confirm that you accept the license terms.
    4. Now you'll be asked - also only on the first use - if you'd like to sign up for a newsletter of the Electronic Frontier Foundation. If you want that, press the "Y" key, if not, use the "N" key. Then press enter again.
    5. If you haven't already specified any domains using the parameter "-d", then you'll be asked for the domains by the Certbot. Now enter the domain(s) for which you want to request an SSL certificate (comma separated).
    6. Note: If you've selected multiple domains for the SSL certificate request, only one certificate will be issued, which includes all the specified domains. The file name of this certificate is the domain name selected first.
    7. The SSL certificate has now been issued successfully and it's located in the directory "/etc/letsencrypt/live/". There is a subdirectory for each domain containing are all important files (SSL certificate, private key, etc.).
  10. Since the SSL certificates issued by Let's Encrypt only have a validity of 90 days, you must renew them regularly. This happens automatically when you execute the command certbot renew. However, it's recommended to create a cron job for this, so that the certificates are automatically renewed. The command of this cronjob (for example, daily or weekly at 0 o'clock) would be /usr/bin/certbot renew -q.