
Let’s Encrypt is a free, automated Certificate Authority that provides trusted TLS/SSL certificates to enable secure HTTPS connections. This improves website security, SEO, and user trust while eliminating browser warnings.
Certbot (from the Electronic Frontier Foundation) is the most popular tool for obtaining and automatically renewing Let’s Encrypt certificates on Linux servers.
This guide is tailored for unmanaged Ubuntu servers (including InMotion Hosting VPS, Cloud, and Dedicated). It covers installation methods suitable for InMotion environments, certificate issuance for Apache or NGINX, automatic renewal, and additional hardening steps.
Applies to: Ubuntu 20.04, 22.04, and 24.04 LTS
Prerequisites
Before starting:
- A running Ubuntu server with root or sudo access via SSH.
- A registered domain name with A/AAAA records pointing to your server’s public IP.
- Your web server (Apache or NGINX) installed and running.
- Ports 80 (HTTP) and 443 (HTTPS) open in your firewall (e.g., UFW) and any hosting provider security groups. Certbot uses HTTP-01 validation by default, which requires port 80.
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw reload
- (Optional but recommended) A non-root user with sudo privileges for daily operations.
Important Note for InMotion Cloud VPS Servers: Snapd (the recommended installation method by Certbot) is currently incompatible. Use the APT or PIP methods below instead. Dedicated servers may support Snapd.
How to Install Let’s Encrypt on Ubuntu with Certbot
Step 1: Update Your System
Always start with a fresh package index:
sudo apt update && sudo apt upgrade -y
Step 2: Install Certbot
Choose the method best for your environment.
Recommended for Most InMotion Users: APT Method (Ubuntu 20.04+)
This uses Ubuntu’s repositories and works reliably on InMotion’s Cloud VPS and Dedicated Servers.
For Apache:
sudo apt install certbot python3-certbot-apache -y
For NGINX:
sudo apt install certbot python3-certbot-nginx -y
Alternative: PIP Method (Virtual Environment – Good for Isolation on Cloud Servers)
If APT packages are outdated or you prefer isolation:
sudo apt install python3 python3-venv libaugeas0 -y
sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot certbot-apache # or certbot-nginx
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
Snap Method (Dedicated Servers Only – Official Recommended)
sudo apt install snapd -y
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Tip: After installation, verify with certbot --version. The latest Certbot (as of 2026) supports modern ACME protocols and improved renewal handling.
Step 3: Obtain and Install Your SSL Certificate
Run Certbot with the appropriate plugin. It will:
- Verify domain ownership (via HTTP challenge).
- Obtain the certificate.
- (Optional) Automatically configure your web server for HTTPS and set up an HTTP-to-HTTPS redirect.
For Apache
sudo certbot --apache -d example.com -d www.example.com
For Nginx
sudo certbot --nginx -d example.com -d www.example.com
Alternatives
- Specific domains only: Always specify -d flags for precision (especially if using the system hostname).
- Cert-only mode (no automatic config changes – useful for custom setups or staging):
sudo certbot certonly --apache -d example.com -d www.example.com
or --nginx.
During the interactive prompts:
- Enter your email (for renewal notices and security alerts from Let’s Encrypt).
- Agree to the Let’s Encrypt Terms of Service.
- (Optional) Share your email with EFF.
- Choose redirect option: 2 (Redirect all HTTP traffic to HTTPS) is recommended for most production sites.
Wildcard Certificates (for *.example.com): Use DNS-01 validation with a plugin (e.g., certbot-dns-cloudflare). This requires DNS provider API credentials and is more complex—see official Certbot docs for details.
Step 4: Verify Installation
- Certificates are stored in /etc/letsencrypt/live/example.com/ (fullchain.pem and privkey.pem).
- Test your site: Visit https://yourdomain.com and check the padlock.
- Use external validators:
- Check configuration:
sudo certbot certificates
Automatic SSL Renewal
Let’s Encrypt certificates are valid for 90 days. Certbot sets up automatic renewal (via systemd timer or cron) that runs twice daily and renews certificates expiring within 30 days.
systemctl status certbot.timer # or cat /etc/cron.d/certbot
- Test renewal (dry-run – safe, no actual changes):
sudo certbot renew --dry-run
Post-renewal hook example (if needed for service reload): Add to renewal command or use --deploy-hook "systemctl reload apache2" (or nginx).
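The dry-run only proves renewal can work. The check below is an added example (not part of the original guide) that flags any certificate with fewer than 30 days left, which means the timer described above has not renewed it. The 7-day critical threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. RENEW_WINDOW is the guide's
# 30-day renewal window; CRIT_DAYS is an assumed paging threshold.
RENEW_WINDOW=30
CRIT_DAYS=7

# days_left "<notAfter text>" [now_epoch]: whole days until expiry (floored).
# Takes the date printed by `openssl x509 -enddate` after "notAfter=".
days_left() {
    end=$(date -u -d "$1" +%s) || return 2   # GNU date, as shipped on Ubuntu
    now=${2:-$(date -u +%s)}
    diff=$((end - now))
    # $(( )) truncates toward zero, so shift negatives to get a true floor.
    [ "$diff" -lt 0 ] && diff=$((diff - 86399))
    echo $((diff / 86400))
}

# classify <days>: OK | RENEWAL_OVERDUE | CRITICAL | EXPIRED
classify() {
    if   [ "$1" -lt 0 ];               then echo EXPIRED
    elif [ "$1" -lt "$CRIT_DAYS" ];    then echo CRITICAL
    elif [ "$1" -lt "$RENEW_WINDOW" ]; then echo RENEWAL_OVERDUE
    else echo OK
    fi
}

# check_cert <fullchain.pem>: print "<status> <days> <file>"; succeed only if OK.
# openssl reads the first certificate in the file, which is the leaf.
check_cert() {
    not_after=$(openssl x509 -noout -enddate -in "$1") || return 2
    d=$(days_left "${not_after#notAfter=}") || return 2
    s=$(classify "$d")
    echo "$s $d $1"
    [ "$s" = OK ]
}

# check_all [live_dir]: check every lineage; non-zero if any is not OK.
check_all() {
    rc=0
    for f in "${1:-/etc/letsencrypt/live}"/*/fullchain.pem; do
        [ -e "$f" ] || continue
        check_cert "$f" || rc=1
    done
    return "$rc"
}

# Constructed sample: expiry 2025-06-01 evaluated on 2025-05-10 (22 days left).
sample_now=$(date -u -d "May 10 12:00:00 2025 GMT" +%s)
classify "$(days_left "Jun  1 12:00:00 2025 GMT" "$sample_now")"
```

Run check_all as root from cron or a monitoring agent and alert on a non-zero exit status.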
Security Hardening Recommendations
An SSL certificate + redirect is a great start, but add these for better protection:
1. Enable HTTP Strict Transport Security (HSTS)
This tells browsers to only connect via HTTPS and prevents downgrade attacks.
For Apache (add to your VirtualHost):
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
For NGINX (in server block):
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
Reload your web server after changes.
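To confirm the header is actually served after the reload, the following added example (not from the original guide) parses a response's Strict-Transport-Security value and reports any directive that deviates from the header shown above. The one-year minimum for max-age and the function names are assumptions; the sample responses are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide. MIN_MAX_AGE is an assumed
# one-year floor; the guide's own header uses 63072000 (two years).
MIN_MAX_AGE=31536000

# hsts_value: read raw response headers on stdin, print the HSTS value.
# Header names are case-insensitive and lines may end in CR.
hsts_value() {
    tr -d '\r' | awk 'tolower($0) ~ /^strict-transport-security:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# hsts_audit "<value>": print OK or a list of findings; succeed only if OK.
hsts_audit() {
    norm=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' \t"')
    [ -n "$norm" ] || { echo MISSING_HEADER; return 1; }
    age=; sub=; pre=; out=
    old_ifs=$IFS; IFS=';'; set -f        # split on ";" without globbing
    for d in $norm; do
        case $d in
            max-age=*)         age=${d#max-age=} ;;
            includesubdomains) sub=1 ;;
            preload)           pre=1 ;;
        esac
    done
    IFS=$old_ifs; set +f
    case $age in
        ''|*[!0-9]*) out="$out BAD_MAX_AGE" ;;
        *) [ "$age" -ge "$MIN_MAX_AGE" ] || out="$out SHORT_MAX_AGE" ;;
    esac
    [ -n "$sub" ] || out="$out NO_INCLUDESUBDOMAINS"
    [ -n "$pre" ] || out="$out NO_PRELOAD"
    [ -z "$out" ] && { echo OK; return 0; }
    echo "${out# }"; return 1
}

# Constructed sample responses (not captured from a real server).
GOOD='HTTP/1.1 200 OK
Content-Type: text/html
strict-transport-security: max-age=63072000; includeSubDomains; preload'
WEAK='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300'

# Live use against your own site: curl -sI https://example.com | hsts_value
echo "good: $(hsts_audit "$(printf '%s\n' "$GOOD" | hsts_value)")"
echo "weak: $(hsts_audit "$(printf '%s\n' "$WEAK" | hsts_value)")"
```

includeSubDomains applies the policy to every subdomain, so confirm each one serves HTTPS before deploying the header.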
2. Additional Best Practices
- Disable old TLS versions (1.0/1.1) in your web server config.
- Use strong ciphers and modern protocols (Certbot usually handles this well).
- Regularly monitor with sudo certbot renew --dry-run.
- Back up /etc/letsencrypt/ (contains private keys – keep secure and restrict permissions: chmod 600 on keys).
- For production: Consider DNS validation for automated wildcards if HTTP-01 isn’t feasible (e.g., behind load balancers).
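For the backup and permissions item above, this added example (not from the original guide) lists private keys that are readable beyond their owner, applies the chmod 600 the guide recommends, and writes a backup archive that only its owner can read. The function names are hypothetical and the demo directory tree is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: audit key permissions and take
# an owner-only backup. Function names here are hypothetical helpers.

# loose_keys [dir]: list privkey*.pem files with any group/other permission bit.
# Certbot stores real keys under archive/; live/ holds symlinks, skipped by -type f.
loose_keys() {
    find "${1:-/etc/letsencrypt}" -type f -name 'privkey*.pem' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# tighten_keys [dir]: apply the guide's chmod 600 to each finding, print the count.
tighten_keys() {
    list=$(loose_keys "$1"); n=0
    [ -n "$list" ] || { echo 0; return 0; }
    while IFS= read -r k; do
        chmod 600 "$k" && n=$((n + 1))
    done <<EOF
$list
EOF
    echo "$n"
}

# backup_le <src_dir> <dest_dir>: tar src_dir into an archive created 0600.
# The archive contains private keys, so dest_dir should be root-only as well.
backup_le() {
    out="$2/letsencrypt-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    ( umask 077 && tar -czf "$out" -C "$1" . ) && echo "$out"
}

# Constructed demo tree standing in for /etc/letsencrypt; privkey1.pem is left 0644.
demo=$(mktemp -d)
mkdir -p "$demo/archive/example.com" "$demo/live/example.com"
for i in 1 2; do : > "$demo/archive/example.com/privkey$i.pem"; done
chmod 644 "$demo/archive/example.com/privkey1.pem"
chmod 600 "$demo/archive/example.com/privkey2.pem"
ln -s ../../archive/example.com/privkey2.pem "$demo/live/example.com/privkey.pem"
loose_keys "$demo"
```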
Troubleshooting Common Issues
- “No matching server block” or validation failures: Ensure domain points to the correct server IP and port 80 is open/accessible.
- Connection reset / timeout: Firewall blocking port 80, or ModSecurity rules interfering (temporarily disable if needed).
- Permission or snap issues on InMotion Cloud: Stick to APT/PIP methods.
- Renewal fails: Run the dry-run command and check logs in /var/log/letsencrypt/.
- Mixed content warnings: Update all internal links/resources to https:// or relative URLs.
- Apache/NGINX not reloading after renewal: Add a deploy hook.
If issues persist, check the official documentation for Certbot and Let’s Encrypt, or contact InMotion support.
Conclusion
Following these steps gives you a free, auto-renewing Let’s Encrypt SSL certificate with proper HTTPS redirection. Your site will be more secure and perform better in search rankings.
For managed hosting options or assistance, InMotion provides premium support.

