
How to Install Let’s Encrypt SSL on Ubuntu 26.04 LTS — Complete Certbot Guide (Nginx, Apache & Wildcard)


Every website served over plain HTTP is a liability. Browsers mark them as “Not Secure,” search engines rank them lower, and every byte of data transmitted — including login credentials and form submissions — travels unencrypted across every network hop between your server and your visitor. HTTPS is no longer optional.

Let’s Encrypt solves this without cost. It is a free, automated, and open Certificate Authority operated by the Internet Security Research Group (ISRG) that issues SSL/TLS certificates trusted by every major browser and operating system. As of 2026, Let’s Encrypt has issued over 4 billion certificates and is the most widely used CA on the web by volume.

This guide covers the complete installation of Let’s Encrypt SSL certificates on Ubuntu 26.04 LTS (Resolute Raccoon) using Certbot 4.0.0 — for Nginx, Apache, and standalone setups. It also covers wildcard certificates via DNS challenge, automatic renewal, SSL hardening, and troubleshooting. Every command is copy-ready.

✅ What this guide covers

  • Prerequisites and firewall setup
  • Install Certbot 4.0 via APT (recommended) and Snap (alternative)
  • Obtain SSL certificates for Nginx
  • Obtain SSL certificates for Apache
  • Standalone mode (no web server required)
  • Multiple domains on a single certificate (SAN)
  • Wildcard certificates via DNS-01 challenge
  • Automatic renewal — verify and test
  • SSL hardening (HSTS, cipher suites, OCSP stapling)
  • Useful Certbot commands reference
  • Troubleshooting common errors

📋 Tested and verified: Ubuntu 26.04 LTS (Resolute Raccoon) · Certbot 4.0.0 · OpenSSL 3.5.5 · Nginx 1.28.3 · Apache 2.4.62 — April/May 2026

How Let’s Encrypt Works

Let’s Encrypt uses the ACME protocol (Automatic Certificate Management Environment — RFC 8555) to automate the process of proving that you control a domain and issuing a certificate for it. Certbot is the official ACME client developed by the Electronic Frontier Foundation (EFF) that handles this automatically.

The certificate validation process works like this:

  1. Certbot requests a certificate for your domain from Let’s Encrypt
  2. Let’s Encrypt issues a challenge — either HTTP-01 (places a file on your web server that Let’s Encrypt then fetches) or DNS-01 (asks you to add a DNS TXT record)
  3. Certbot completes the challenge automatically
  4. Let’s Encrypt verifies the challenge and issues the certificate
  5. Certbot installs the certificate and configures your web server

Certificate validity: Let’s Encrypt certificates are valid for 90 days. Certbot sets up automatic renewal and renews certificates when they have 30 days or fewer remaining — so in practice, certificates renew every 60 days.

Prerequisites

Before you begin, ensure you have:

  • Ubuntu 26.04 LTS server with a public IP address
  • A registered domain name with its A (and optionally AAAA) record pointing to your server’s IP
  • A user with sudo privileges
  • Nginx or Apache installed and running (for the web server plugins)
  • Ports 80 (HTTP) and 443 (HTTPS) open — Let’s Encrypt’s HTTP-01 challenge requires port 80

⚠️ DNS must be pointing to your server first. Let’s Encrypt validates domain ownership by making an HTTP request to your server. If your domain’s DNS is not yet pointing to this server, certificate issuance will fail. Verify with: dig +short yourdomain.com — confirm the IP matches your server before proceeding.

Step 1 — Update the System

Always start with a full system update:

$ sudo apt update && sudo apt upgrade -y

Step 2 — Configure UFW Firewall

If you are using UFW (Ubuntu’s firewall), open ports 80 and 443. The Nginx Full and Apache Full UFW profiles open both ports at once:

For Nginx:

$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'

For Apache:

$ sudo ufw allow 'Apache Full'
$ sudo ufw delete allow 'Apache'

Or open ports directly:

$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
$ sudo ufw reload

Verify the firewall status:

$ sudo ufw status

Step 3 — Install Certbot

There are two methods to install Certbot on Ubuntu 26.04. The APT method is recommended — it is tested, maintained in Ubuntu’s official repositories, and provides the correct plugin packages.

Method A — APT (Recommended for Ubuntu 26.04)

Install Certbot and the Nginx plugin:

$ sudo apt install -y certbot python3-certbot-nginx

Or if you are using Apache:

$ sudo apt install -y certbot python3-certbot-apache

Verify the installation:

$ certbot --version

Expected output: certbot 4.0.0

Method B — Snap (Alternative)

If you prefer the Snap version (always ships the latest Certbot release):

$ sudo apt install -y snapd
$ sudo snap install core
$ sudo snap refresh core
$ sudo snap install --classic certbot
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Both methods produce the same certbot command. If you install via Snap, use certbot-nginx and certbot-apache as Snap plugins rather than the APT Python packages.

Step 4A — Obtain a Certificate for Nginx

This is the most common setup. The Nginx plugin modifies your server block configuration, obtains the certificate, and sets up the HTTPS listener automatically.

Preflight check — verify Nginx is running

$ sudo systemctl status nginx

Confirm your domain’s server block exists and has the correct server_name:

$ sudo nginx -t

Obtain and install the certificate

Replace yourdomain.com and www.yourdomain.com with your actual domain:

$ sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Certbot will prompt you for:

  1. Email address — used for renewal failure alerts and urgent notices from Let’s Encrypt
  2. Terms of Service — type A to agree
  3. Newsletter subscription — optional (N to skip)
  4. Redirect HTTP to HTTPS — enter 2 to enable the redirect (strongly recommended)

Certbot will then:

  • Obtain the certificate from Let’s Encrypt
  • Update your Nginx server block to include the SSL configuration
  • Add an HTTP→HTTPS redirect
  • Reload Nginx automatically

When complete, you will see: “Congratulations! You have successfully enabled HTTPS on https://yourdomain.com”

View what Certbot added to your Nginx config

$ sudo cat /etc/nginx/sites-available/yourdomain.com

Step 4B — Obtain a Certificate for Apache

The Apache plugin works identically to the Nginx plugin — it modifies your VirtualHost configuration and handles the SSL setup automatically.

Preflight check — verify Apache is running

$ sudo systemctl status apache2
$ sudo apache2ctl configtest

Enable required Apache modules

$ sudo a2enmod ssl
$ sudo a2enmod rewrite
$ sudo systemctl restart apache2

Obtain and install the certificate

$ sudo certbot --apache -d yourdomain.com -d www.yourdomain.com

As with Nginx, Certbot will handle domain verification, certificate issuance, VirtualHost modification, and enabling the HTTP→HTTPS redirect. Answer the interactive prompts the same way.

Step 4C — Standalone Mode (No Web Server)

If you do not have a web server running (e.g., you are securing a custom application or an API), use standalone mode. Certbot runs its own temporary web server on port 80 to complete the challenge:

$ sudo certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com

The certonly flag obtains the certificate without modifying any web server configuration — you install it manually into your application. Certificates are stored in /etc/letsencrypt/live/yourdomain.com/.

If a web server is already listening on port 80, stop it first so Certbot’s temporary listener can bind to the port:

$ sudo systemctl stop nginx   # or apache2

Then run the standalone command above and, once the certificate has been issued, start your web server again:

$ sudo systemctl start nginx   # or apache2

Step 5 — Multiple Domains on One Certificate (SAN)

You can include multiple domains in a single certificate by passing multiple -d flags. This is called a Subject Alternative Name (SAN) certificate:

$ sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com -d api.yourdomain.com -d blog.yourdomain.com

All domains on the same certificate must point to the server running Certbot, because each name is validated during issuance. Let’s Encrypt allows up to 100 domain names per certificate.

Step 6 — Wildcard Certificates (DNS-01 Challenge)

A wildcard certificate covers all subdomains of a domain (*.yourdomain.com). This is useful when you have many subdomains or create them dynamically. Wildcard certificates require the DNS-01 challenge — you prove ownership by adding a TXT record to your DNS, not via HTTP.

Manual DNS challenge (any DNS provider)

$ sudo certbot certonly --manual --preferred-challenges dns \
    -d yourdomain.com -d '*.yourdomain.com'

Certbot will display a TXT record to add:

Please deploy a DNS TXT record under the name:
_acme-challenge.yourdomain.com

with the following value:
abc123XYZ_example_challenge_value

Once this is deployed, press Enter to continue.

Log in to your DNS provider (Cloudflare, Route 53, GoDaddy, etc.), add the TXT record, wait for DNS propagation (usually 30–120 seconds), then press Enter. Certbot verifies and issues the wildcard certificate.

Automated DNS challenge (Cloudflare example)

For fully automated wildcard renewals, use a Certbot DNS plugin. For Cloudflare:

$ sudo apt install -y python3-certbot-dns-cloudflare

Create the credentials file:

$ sudo mkdir -p /etc/letsencrypt/credentials
$ sudo nano /etc/letsencrypt/credentials/cloudflare.ini

Add your Cloudflare API token (create a token scoped to Zone → DNS → Edit for this zone only, rather than using the account-wide Global API Key):

dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN_HERE

Secure the credentials file:

$ sudo chmod 600 /etc/letsencrypt/credentials/cloudflare.ini

Obtain the wildcard certificate:

$ sudo certbot certonly --dns-cloudflare \
    --dns-cloudflare-credentials /etc/letsencrypt/credentials/cloudflare.ini \
    -d yourdomain.com -d '*.yourdomain.com'

This method renews fully automatically — no manual intervention required.

Step 7 — Verify the Certificate

Check that the certificate was issued correctly:

$ sudo certbot certificates

You will see output similar to:

Found the following certs:
  Certificate Name: yourdomain.com
    Domains: yourdomain.com www.yourdomain.com
    Expiry Date: 2026-08-22 11:30:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/yourdomain.com/privkey.pem

Test the HTTPS connection from the command line:

$ curl -I https://yourdomain.com

Expected: HTTP/2 200 response with server: nginx (or apache).

Check certificate details:

$ openssl s_client -connect yourdomain.com:443 -servername yourdomain.com < /dev/null 2>&1 | openssl x509 -noout -dates

Step 8 — Automatic Renewal

Certbot configures a systemd timer on Ubuntu 26.04 that checks for expiring certificates twice daily and renews any that will expire within 30 days. This is set up automatically during installation.

Check renewal timer status

$ sudo systemctl status certbot.timer

You should see active (waiting) with a next trigger time.

Test the renewal process (dry run)

Always test renewal before the actual renewal deadline:

$ sudo certbot renew --dry-run

A successful dry run ends with: “Congratulations, all simulated renewals succeeded.” If this passes, your automatic renewals will work.
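A dry run proves the mechanism works today; it does not tell you when renewals start failing later (an expired DNS API token, a firewall change, a broken hook). The script below is an added example, not part of the original guide or of Certbot: it parses the output format of sudo certbot certificates shown in Step 7 and flags any certificate with fewer than 20 days left, a threshold chosen here because the timer renews at 30 days, so anything below 20 means renewal has already failed at least once. The sample output embedded in it is constructed; on a real server run it with --live.

```shell
#!/bin/sh
# Added example (not part of the original guide or of Certbot): flag managed
# certificates that the renewal timer should already have renewed. It parses
# the output format of `sudo certbot certificates` shown in Step 7.
# WARN_DAYS is an assumed threshold: the timer renews at 30 days or fewer, so a
# certificate still below 20 days means renewals have been failing silently.
WARN_DAYS="${WARN_DAYS:-20}"

# expiring_certs: read `certbot certificates` output on stdin and print one
# "<name> <days-left>" line per certificate below WARN_DAYS. Anything without a
# "(VALID: N days)" expiry (expired, or a staging TEST_CERT) is reported as -1.
# Exit status is 1 when at least one certificate was flagged, else 0.
expiring_certs() {
    awk -v warn="$WARN_DAYS" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            days = -1
            if (match($0, /\(VALID: [0-9]+/)) days = substr($0, RSTART + 8) + 0
            if (days < warn) { print name, days; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# Constructed sample output (three lineages, not from a real server).
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: yourdomain.com
    Domains: yourdomain.com www.yourdomain.com
    Expiry Date: 2026-08-22 11:30:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/yourdomain.com/privkey.pem
  Certificate Name: api.yourdomain.com
    Domains: api.yourdomain.com
    Expiry Date: 2026-05-30 08:00:00+00:00 (VALID: 7 days)
    Certificate Path: /etc/letsencrypt/live/api.yourdomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/api.yourdomain.com/privkey.pem
  Certificate Name: old.yourdomain.com
    Domains: old.yourdomain.com
    Expiry Date: 2026-04-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.yourdomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.yourdomain.com/privkey.pem'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_OUTPUT" | expiring_certs ;;   # offline run
    --live) certbot certificates 2>/dev/null | expiring_certs ;;  # needs root
esac
```

Run as sh check-expiry.sh --demo to see it report api.yourdomain.com 7 and old.yourdomain.com -1 and exit 1. In production, run sudo sh check-expiry.sh --live from cron or a monitoring agent and alert on a non-zero exit; that catches the failure mode a dry run cannot, a renewal that silently stopped working weeks ago.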

Force renew a certificate immediately

$ sudo certbot renew --force-renewal

Configure a post-renewal hook (reload web server after renewal)

Certbot renews certificates but does not reload your web server by default when using certonly. Create a post-renewal hook:

$ sudo nano /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh

Add this content:

#!/bin/bash
systemctl reload nginx

Make it executable:

$ sudo chmod +x /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh

For Apache, replace nginx with apache2 in the script.
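The post hook above runs on every certbot renew invocation, renewed certificate or not, and reloads even when the configuration has been left broken by an unrelated edit. As an added example (not from the original guide or from Certbot), the deploy hook below only runs when a certificate was actually renewed, tests the configuration with nginx -t or apache2ctl configtest first, and reloads only on a pass. The file name /etc/letsencrypt/renewal-hooks/deploy/reload-web.sh is this example’s choice; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables Certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example (not from the original guide or from Certbot): a deploy hook
# that reloads the web server only after its configuration passes a syntax
# test, so a broken config edit cannot turn a routine renewal into an outage.
# Suggested location (this example's choice):
#   /etc/letsencrypt/renewal-hooks/deploy/reload-web.sh
# Certbot runs deploy hooks once per certificate that was actually renewed and
# exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and
# RENEWED_DOMAINS (space-separated names) to them.

# safe_reload TEST_CMD RELOAD_CMD
#   returns 0 when the test passed and the reload ran,
#           1 when the test failed (reload skipped),
#           2 when the reload command itself failed.
safe_reload() {
    if ! sh -c "$1" >/dev/null 2>&1; then
        echo "config test failed ($1); reload skipped" >&2
        return 1
    fi
    sh -c "$2" || return 2
}

# lineage_ok DIR: both files a web server needs must be readable.
lineage_ok() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# detect_server: print nginx or apache2, whichever systemd unit is active.
detect_server() {
    if systemctl is-active --quiet nginx 2>/dev/null; then echo nginx
    elif systemctl is-active --quiet apache2 2>/dev/null; then echo apache2
    fi
}

main() {
    if [ -n "${RENEWED_LINEAGE:-}" ] && ! lineage_ok "$RENEWED_LINEAGE"; then
        echo "fullchain.pem or privkey.pem missing in $RENEWED_LINEAGE" >&2
        return 1
    fi
    case "$(detect_server)" in
        nginx)   safe_reload "nginx -t" "systemctl reload nginx" ;;
        apache2) safe_reload "apache2ctl configtest" "systemctl reload apache2" ;;
        *)       echo "no active nginx/apache2 unit; nothing reloaded" >&2; return 1 ;;
    esac && echo "reloaded after renewal of: ${RENEWED_DOMAINS:-?}"
}

# Certbot sets RENEWED_LINEAGE; --run lets you exercise the hook by hand.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = "--run" ]; then
    main
fi
```

Install it with sudo chmod +x on the file, then confirm with sudo certbot renew --dry-run, which also executes deploy hooks so a typo shows up before the real renewal. A failed config test leaves the old certificate in service and a message in /var/log/letsencrypt/letsencrypt.log, which is the safer failure: the site keeps working on the previous certificate until someone fixes the config.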

Step 9 — Certificate File Locations

Certbot stores all certificates in /etc/letsencrypt/. The live directory contains symlinks pointing to the current certificate:

$ sudo ls -la /etc/letsencrypt/live/yourdomain.com/

The four key files and what they are used for:

File            Contains                          Used in web server config as
cert.pem        Your domain’s certificate only    ssl_certificate (Nginx — not recommended)
chain.pem       Intermediate CA chain             ssl_trusted_certificate (Nginx — OCSP)
fullchain.pem   cert.pem + chain.pem combined     ssl_certificate (always use this)
privkey.pem     Your private key                  ssl_certificate_key

Step 10 — SSL Hardening

A Let’s Encrypt certificate gives you HTTPS. SSL hardening gives you HTTPS that scores A+ on SSL Labs. Here is the recommended hardening configuration for Nginx on Ubuntu 26.04:

Create a shared SSL parameters file

$ sudo nano /etc/nginx/snippets/ssl-params.conf

Add the following:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!MD5:!DSS;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# HSTS - tells browsers to only connect via HTTPS for 1 year
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# Security headers
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Include this file in your Nginx server block:

$ sudo nano /etc/nginx/sites-available/yourdomain.com

Add inside your HTTPS server block:

include snippets/ssl-params.conf;

Test and reload Nginx:

$ sudo nginx -t && sudo systemctl reload nginx

Generate a Diffie-Hellman parameter (optional, extra security)

$ sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096

This takes several minutes. Add to ssl-params.conf:

ssl_dhparam /etc/nginx/dhparam.pem;

Step 11 — Test Your SSL Rating

Test your HTTPS configuration from the command line:

$ curl -I https://yourdomain.com

Check for the Strict-Transport-Security header:

$ curl -sI https://yourdomain.com | grep -i strict

Verify the certificate expiry date:

$ echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -enddate

Check OCSP stapling is working:

$ echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -status 2>/dev/null | grep -A 17 'OCSP response:'
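To repeat these checks without reading raw output each time, here is an added script (not part of the original guide or of Certbot) that turns them into pass/fail results. hsts_max_age, hsts_ok and ocsp_stapled are text filters over captured curl and openssl output, so they can be exercised offline on the constructed header sample embedded in the script; check_site runs them against a live host and also uses openssl x509 -checkend to fail when the served certificate has fewer than 30 days left. The thresholds are this example’s choices: one year of HSTS (matching the ssl-params.conf above) and a 30-day expiry window.

```shell
#!/bin/sh
# Added example (not from the original guide or from Certbot): a checker for
# the properties Step 11 tests by hand. hsts_max_age, hsts_ok and ocsp_stapled
# are pure text filters (testable offline on captured output); check_site
# wires them to curl and openssl against a live host.
MIN_HSTS_AGE=31536000        # one year, matching the ssl-params.conf above
WARN_SECS=$((30 * 86400))    # fail if the served cert expires within 30 days

# hsts_max_age: read HTTP response headers on stdin; print the max-age of the
# Strict-Transport-Security header, or nothing when the header is absent.
hsts_max_age() {
    tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" && match($0, /max-age=[0-9]+/) {
            print substr($0, RSTART + 8, RLENGTH - 8); exit
        }'
}

# hsts_ok: returns 0 when the headers on stdin carry HSTS with max-age >= MIN_HSTS_AGE.
hsts_ok() {
    age=$(hsts_max_age)
    [ -n "$age" ] && [ "$age" -ge "$MIN_HSTS_AGE" ]
}

# ocsp_stapled: read `openssl s_client -status` output on stdin; returns 0 when
# a successful stapled OCSP response was sent, 1 otherwise. "no response sent"
# is also what you see when the certificate carries no OCSP responder URL at
# all, so a failure here only means something if the CA still publishes one.
ocsp_stapled() {
    grep -q 'OCSP Response Status: successful'
}

# check_site HOST: run the three live checks and print PASS/FAIL lines.
check_site() {
    host=$1
    if curl -sI "https://$host" | hsts_ok; then echo "PASS hsts"; else echo "FAIL hsts"; fi
    if echo | openssl s_client -connect "$host:443" -servername "$host" -status 2>/dev/null | ocsp_stapled; then
        echo "PASS ocsp-stapling"
    else
        echo "FAIL ocsp-stapling"
    fi
    # -checkend exits non-zero when the certificate expires within WARN_SECS seconds
    if echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -checkend "$WARN_SECS" >/dev/null; then
        echo "PASS expiry (more than 30 days left)"
    else
        echo "FAIL expiry (renew now)"
    fi
}

# Constructed sample header block (not captured from a real server).
SAMPLE_HEADERS='HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: DENY'

if [ -n "${1:-}" ]; then check_site "$1"; fi
```

Run sh tls-check.sh yourdomain.com after every configuration change. The -servername flag matters on hosts that serve more than one site: without SNI, openssl receives the default server block’s certificate, and a check against the wrong certificate passes or fails for the wrong reasons.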

Essential Certbot Commands Reference

# List all certificates managed by Certbot
$ sudo certbot certificates

# Test renewal (no changes made)
$ sudo certbot renew --dry-run

# Force renew all certificates immediately
$ sudo certbot renew --force-renewal

# Renew a specific certificate only
$ sudo certbot renew --cert-name yourdomain.com

# Revoke and delete a certificate
$ sudo certbot revoke --cert-path /etc/letsencrypt/live/yourdomain.com/cert.pem
$ sudo certbot delete --cert-name yourdomain.com

# Expand an existing certificate to add more domains
$ sudo certbot --nginx --expand -d yourdomain.com -d newsubdomain.yourdomain.com

# Check Certbot renewal timer
$ sudo systemctl status certbot.timer

# View Certbot logs
$ sudo tail -n 50 /var/log/letsencrypt/letsencrypt.log

Troubleshooting Common Issues

Error: “Connection refused” or “Timeout during connect”

Let’s Encrypt cannot reach your server on port 80. Check:

# Confirm port 80 is open in UFW
$ sudo ufw status | grep 80

# Confirm Nginx or Apache is listening on port 80
$ sudo ss -tlnp | grep ':80'

# Test from outside your server (replace with your domain)
$ curl -I http://yourdomain.com

Error: “DNS problem: NXDOMAIN looking up A for yourdomain.com”

Your domain’s DNS is not pointing to this server yet. Verify:

$ dig +short yourdomain.com
$ dig +short www.yourdomain.com

Both should return your server’s public IP. If they return nothing or a different IP, update your DNS records and wait for propagation before retrying.

Error: “Too many requests” / Rate limit hit

Let’s Encrypt enforces rate limits: 50 certificates per registered domain per week, and 5 failed validation attempts per domain per hour. Use the staging environment for testing:

$ sudo certbot --nginx --staging -d yourdomain.com -d www.yourdomain.com

Staging certificates are not browser-trusted but do not count against rate limits. Test your setup with --staging first, then run without it for the real certificate.

Certificate renewed but site still shows old certificate

Your web server is caching the old certificate. Reload it:

# Nginx
$ sudo systemctl reload nginx

# Apache
$ sudo systemctl reload apache2

Certbot renewal timer not active

$ sudo systemctl enable certbot.timer
$ sudo systemctl start certbot.timer
$ sudo systemctl status certbot.timer

View detailed Certbot error logs

$ sudo tail -n 100 /var/log/letsencrypt/letsencrypt.log

Check which domains are on a certificate

$ sudo openssl x509 -noout -text -in /etc/letsencrypt/live/yourdomain.com/cert.pem | grep -A 1 "Subject Alternative Name"

Uninstalling Certbot and Removing Certificates

If you ever need to fully remove Certbot and all certificates:

# Revoke the certificate first (optional but good practice)
$ sudo certbot revoke --cert-path /etc/letsencrypt/live/yourdomain.com/cert.pem

# Delete the certificate files
$ sudo certbot delete --cert-name yourdomain.com

# Remove Certbot (APT method)
$ sudo apt remove --purge certbot python3-certbot-nginx python3-certbot-apache

# Remove all Let's Encrypt data
$ sudo rm -rf /etc/letsencrypt /var/log/letsencrypt

Conclusion

You now have a fully automated, free SSL certificate from Let’s Encrypt running on Ubuntu 26.04 LTS — installed via Certbot 4.0.0, automatically renewing every 60 days via a systemd timer, and hardened with TLS 1.3, HSTS, OCSP stapling, and modern cipher suites.

The combination of Let’s Encrypt and Certbot has made free, browser-trusted HTTPS a five-minute setup task rather than an annual expense. With automatic renewal and the post-renewal hook in place, your SSL certificate will stay valid indefinitely without any manual intervention.

Keep Certbot updated alongside your system updates (sudo apt update && sudo apt upgrade) and run certbot renew --dry-run periodically to confirm renewals will succeed before the actual deadline.


Muhammad Irfan Aslam

Muhammad Irfan Aslam is an IT professional and technology writer based in Riyadh, Saudi Arabia. With expertise in IT infrastructure, cybersecurity, and cloud solutions, he helps Saudi businesses navigate digital transformation aligned with Vision 2030. He covers enterprise IT services, managed support, and emerging technologies for the GCC region.
