This guide will walk you through how to install an SSL certificate on your website using Certbot.
1. Connect the domain to the server
In order for an SSL certificate to be issued, the domain name must point to your server's IP address.
Find out your server's IP address:
hostname -I
Add DNS records for your domain that point to this IP address (DNS is managed at your domain provider).
Wait for the DNS updates to propagate (usually 15–30 min, sometimes up to 24 h).
Check that the domain points to the server:
ping own-domain.com
If the response shows your server's IP address, everything is working.
1.1. Use your own DNS server (BIND)
If you want to manage DNS yourself, you can install and configure BIND as follows.
Install BIND.
AlmaLinux
sudo dnf update
sudo dnf install bind bind-utils
sudo systemctl enable --now named
Ubuntu
sudo apt update
sudo apt install bind9 bind9-utils
sudo systemctl enable --now named
Create zone files
AlmaLinux
cd /var/named
sudo cp named.empty own-domain.com.zone
sudo nano own-domain.com.zone
Ubuntu
cd /etc/bind
sudo cp db.local db.own-domain.com
sudo nano db.own-domain.com
On both systems, add the following to the file, replacing Server IP with your server's IP address:
$TTL 86400
@ IN SOA ns1.own-domain.com. admin.own-domain.com. (
2025103101 ; Serial (YYYYMMDDnn)
3600 ; Refresh
1800 ; Retry
1209600 ; Expire
86400 ) ; Minimum TTL
; Nameservers
@ IN NS ns1.own-domain.com.
; A records
@ IN A Server IP
www IN A Server IP
ns1 IN A Server IP
Register the zone with BIND
AlmaLinux
sudo nano /etc/named.rfc1912.zones
Add:
zone "own-domain.com" IN {
type master;
file "/var/named/own-domain.com.zone";
allow-update { none; };
};
Ubuntu
sudo nano /etc/bind/named.conf.local
Add:
zone "own-domain.com" {
type master;
file "/etc/bind/db.own-domain.com";
};
Check and load settings
AlmaLinux
sudo named-checkconf
sudo named-checkzone own-domain.com /var/named/own-domain.com.zone
sudo systemctl reload named
Ubuntu
sudo named-checkconf
sudo named-checkzone own-domain.com /etc/bind/db.own-domain.com
sudo systemctl reload bind9
Open firewall ports
AlmaLinux
sudo dnf install firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo firewall-cmd --permanent --add-service=dns
sudo firewall-cmd --reload
Ubuntu
# Allow SSH first so that enabling the firewall does not cut off remote access
sudo ufw allow ssh
sudo ufw enable
sudo ufw allow 53
sudo ufw reload
Configuring BIND
AlmaLinux
sudo nano /etc/named.conf
Ubuntu
sudo nano /etc/bind/named.conf.options
Add the following to the options block in the file
AlmaLinux
options {
directory "/var/named";
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
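allow-query { any; };
recursion yes;
// Limit recursion to local clients so the server is not an open resolver
allow-recursion { localhost; localnets; };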
forwarders {
8.8.8.8;
8.8.4.4;
};
dnssec-validation yes;
};
Ubuntu
options {
directory "/var/cache/bind";
listen-on-v6 { any; };
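allow-query { any; };
recursion yes;
// Limit recursion to local clients so the server is not an open resolver
allow-recursion { localhost; localnets; };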
forwarders {
8.8.8.8;
8.8.4.4;
};
dnssec-validation yes;
};
Save and restart BIND
sudo named-checkconf
sudo systemctl restart named
sudo systemctl status named
Test DNS:
nslookup own-domain.com <Server IP>
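A check for the options blocks in this section, as an added example that is not part of the original guide: with `recursion yes` and `allow-query { any; }`, BIND answers recursive queries for every client unless `allow-recursion` (or `allow-query-cache`) narrows the list. The function names and both sample blocks are constructed for illustration and assume only `//` and `#` comments and no named ACLs.

```sh
#!/bin/sh
# Added example (not from the guide): does a BIND options block leave
# recursion open to every client? Assumes // and # comments, no named ACLs.

flatten() {  # strip comments and join lines so statements can be matched
    printf ' %s\n' "$1" | sed -e 's|//.*$||' -e 's|#.*$||' | tr '\n\t' '  '
}

acl_of() {  # acl_of <statement> <flattened-config>: print its match list
    printf '%s\n' "$2" | sed -n "s/.*[ ;{]$1 *{\([^}]*\)}.*/\1/p"
}

audit_options() {  # prints one verdict line for an options block
    conf=$(flatten "$1")
    if printf '%s\n' "$conf" | grep -Eq '[ ;{]recursion +no *;'; then
        echo "OK: recursion disabled"; return 0
    fi
    # With recursion on (the default), BIND takes the client list from the
    # first of these that is set; with none set it is localnets + localhost.
    acl=''
    for stmt in allow-recursion allow-query-cache allow-query; do
        acl=$(acl_of "$stmt" "$conf")
        if [ -n "$acl" ]; then break; fi
    done
    acl=$(printf '%s' "$acl" | tr -s ' ;' '  ')
    case " $acl " in
        *" any "*|*" 0.0.0.0/0 "*) echo "OPEN-RESOLVER: $stmt allows any" ;;
        *) echo "OK: recursion limited" ;;
    esac
}

# Constructed samples: same query policy, without and with allow-recursion.
open_conf='options {
    allow-query { any; };   // everyone may query the zone
    recursion yes;
    forwarders { 8.8.8.8; 8.8.4.4; };
};'
limited_conf='options {
    allow-query { any; };
    recursion yes;
    allow-recursion { localhost; localnets; };
    forwarders { 8.8.8.8; 8.8.4.4; };
};'

audit_options "$open_conf"      # -> OPEN-RESOLVER: allow-query allows any
audit_options "$limited_conf"   # -> OK: recursion limited
```

To audit a live server, pass the options block from your own configuration file to `audit_options` instead of the samples.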
2. Install Snapd
On Ubuntu, Snapd is pre-installed, but on AlmaLinux it is not, so you have to install it yourself.
Install the EPEL repository.
sudo dnf install epel-release
Update the packages.
sudo dnf upgrade
Install Snapd.
sudo dnf install snapd
Enable the Snapd socket.
sudo systemctl enable --now snapd.socket
Create a symbolic link to enable classic snap support.
sudo ln -s /var/lib/snapd/snap /snap
Restart your server.
sudo reboot
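3. Install Certbot
Install Certbot.
sudo snap install --classic certbot
Make sure the certbot command can be run by linking it into /usr/bin.
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Install Nginx (on Ubuntu, use apt instead of dnf).
sudo dnf install nginx
Obtain the certificate. Certbot validates the domain over HTTP, so port 80 (and 443 for HTTPS) must be open in the firewall.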
sudo certbot --nginx
Certbot will ask for a few pieces of information:
- Email address (for notifications and updates)
- Accepting the Terms of Use
- Your domain name
Once the process is complete, the SSL certificate will be automatically installed on your Nginx server.
Certbot sets up automatic renewal for you. To test that renewal works, run this command:
sudo certbot renew --dry-run
Open your site in a browser to check that SSL is working: a lock icon in the address bar shows that the certificate is in use.


