If you’re running a web server, securing it with HTTPS is a basic standard. Thanks to the ACME (Automated Certificate Management Environment) protocol, you can automate SSL certificate issuance and renewal through tools like Certbot.

In this guide, you’ll learn how to install an ACME certificate on Apache and NGINX using Certbot across different Linux distributions. We’ll cover Debian-based and RHEL-based systems, include clarifications where needed, and walk you through everything from installation to automated renewal.
Before You Begin
Before getting started, check that:
- You have sudo or root access to your server
- Your domain name points to your server’s public IP address via DNS
- Ports 80 and 443 are open in your firewall or cloud provider security group
- Your system is up to date and supported
Step 1 – Install Certbot on Your OS
Certbot is the ACME client we’ll use to request and renew SSL certificates. We’ll go through the setup instructions for each supported OS. Choose the one that matches your server.
Ubuntu LTS editions with APT
Update packages and install Certbot with your preferred web server plugin:
Apache:
sudo apt update
sudo apt install certbot python3-certbot-apache
NGINX:
sudo apt update
sudo apt install certbot python3-certbot-nginx
Debian systems with APT support
Same process as Ubuntu:
sudo apt update
sudo apt install certbot python3-certbot-apache # for Apache
sudo apt install certbot python3-certbot-nginx # for NGINX
On Debian systems, installing Certbot via APT is the most straightforward option. If you prefer to use Snap (for the latest version), scroll down to the Snap section below.
AlmaLinux or Rocky Linux (RHEL-compatible)
Enable the EPEL repository first:
sudo dnf install epel-release
sudo dnf update
Then install Certbot with the plugin of your choice:
Apache:
sudo dnf install certbot python3-certbot-apache
NGINX:
sudo dnf install certbot python3-certbot-nginx
Alternative: Install Certbot via Snap (All Systems)
If you want the latest version directly from the source, use Snap.
1. Install Snap (if not already installed):
sudo apt install snapd # Ubuntu/Debian
sudo dnf install snapd # AlmaLinux/Rocky
2. Install and link Certbot:
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Optional: Install Certbot with pip (for custom setups)
This method is intended for advanced users or custom environments where Snap or OS packages aren’t available. You should only use it if:
- You’re running Certbot in a virtual environment
- You’re working with minimal containers
- Your OS doesn’t support snapd, apt, or dnf cleanly
To install Certbot using pip:
python3 -m pip install --upgrade certbot
This installs the core Certbot tool, but it won’t set up auto-renewal, and it doesn’t install Apache or NGINX plugins. You’ll need to configure everything manually.
If you’re not sure what this means, go back and use the APT, DNF, or Snap instructions instead.
You can also install plugins (like the NGINX one) using pip:
python3 -m pip install certbot-nginx
Use pip only if your system environment requires full control or isolation.
Step 2 – Request and Install Your ACME Certificate
There are two main approaches: fully automated or provider-specific using EAB (External Account Binding) credentials. Both are covered below.
Option A: Fully Automated (Standard ACME)
Let Certbot handle everything — request, verify, install, and reload your server config.
Apache:
sudo certbot --apache
NGINX:
sudo certbot --nginx
You’ll be asked:
- Which domain(s) to secure
- Whether to redirect all HTTP traffic to HTTPS
- Your email for renewal reminders
Certbot takes care of validation and web server configuration behind the scenes.
Option B: Use External ACME Provider (e.g., Sectigo) with EAB
If your provider requires External Account Binding, use this method:
sudo certbot --nginx \
--non-interactive \
--agree-tos \
--email YOUR_EMAIL \
--server https://acme.sectigo.com/v2/DV \
--eab-kid YOUR_EAB_KID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
--domain example.com \
--domain www.example.com \
--cert-name my-website-cert
Replace --nginx with --apache for Apache setup.
You’ll get --eab-kid and --eab-hmac-key from your certificate provider when registering an ACME account.
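Values passed as command-line arguments are visible to other local users in the process list and are saved in shell history, which matters for --eab-hmac-key. The following added example (not part of the original guide) writes the EAB values to an owner-only configuration file and hands it to Certbot with its --config option; the file path, the EAB_KID and EAB_HMAC_KEY variable names and the function name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: keep EAB credentials out of argv and shell history.
# EAB_KID and EAB_HMAC_KEY are variable names chosen for this example;
# populate them from your secret store, not by typing them into a command.

# Write a Certbot config file holding the ACME server and EAB values.
# Returns 2 (and writes nothing) if either credential is missing.
write_eab_config() {
    conf=$1
    [ -n "${EAB_KID:-}" ] && [ -n "${EAB_HMAC_KEY:-}" ] || {
        echo "EAB_KID and EAB_HMAC_KEY must be set" >&2
        return 2
    }
    (
        umask 077          # new file is created with mode 0600
        rm -f "$conf"      # do not inherit looser modes from an old file
        printf '%s\n' \
            "server = https://acme.sectigo.com/v2/DV" \
            "eab-kid = $EAB_KID" \
            "eab-hmac-key = $EAB_HMAC_KEY" > "$conf"
    )
}

# Usage, as root (the path is an assumption):
#   write_eab_config /etc/letsencrypt/eab.ini
#   certbot --nginx --config /etc/letsencrypt/eab.ini \
#       --non-interactive --agree-tos --email YOUR_EMAIL \
#       --domain example.com --domain www.example.com \
#       --cert-name my-website-cert
```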
Option C: Use Certbot in Manual Mode
If you don’t want Certbot to modify your web server configuration, or you’re using a custom setup, you can request a certificate manually.
Here’s how to do it using the webroot method:
sudo certbot certonly --webroot \
-w /var/www/html \
-d example.com \
-d www.example.com \
--email YOUR_EMAIL \
--agree-tos \
--non-interactive
- certonly tells Certbot to issue the certificate but not install it
- -w specifies the root directory for your website (must be publicly accessible over port 80)
After issuance, manually configure your web server with the certificate files located in:
/etc/letsencrypt/live/yourdomain.com/
Note: This path is used regardless of which ACME provider you choose, unless you override the storage directory using advanced flags (--config-dir, --work-dir).
Be sure to reload your web server after applying the cert paths to your config.
Step 3 – Check That Everything Works
Visit your domain in a browser. You should see the secure padlock or, on Chrome, just a successful page load. To double-check that the server is running:
sudo systemctl status apache2 # Debian/Ubuntu (Apache)
sudo systemctl status httpd # AlmaLinux/Rocky (Apache)
sudo systemctl status nginx # All systems (NGINX)
And to inspect the certificate from the terminal:
openssl s_client -connect yourdomain.com:443
Look for valid dates and your provider’s CA name in the output.
Step 4 – Set Up Automatic Renewal
The ACME protocol supports automatic certificate renewal, and Certbot is designed to handle this seamlessly through a built-in systemd timer or cron job. However, the renewal behavior depends on your certificate provider:
Free CAs (like Let’s Encrypt) issue certificates valid for 90 days and support frequent renewal checks.
Commercial CAs (like Sectigo or DigiCert) often issue certificates valid for 1 year via ACME, but still follow the ACME renewal process. Certbot handles these automatically, too, just less frequently.
Check That Renewal Is Scheduled
Certbot sets up a system timer or cron job by default. You can confirm it’s active with:
systemctl list-timers | grep certbot
This ensures Certbot checks your certificates regularly (typically twice a day) and renews them only when they’re within the renewal window (usually 30 days before expiry).
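The certificate inspection from Step 3 and the renewal window described above can both be checked from a script. This is an added example, not part of the original guide: the function names are illustrative, and the sample certificate is a constructed self-signed one so the checks run offline.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of Certbot.

# Issuer, subject and validity dates of a PEM certificate file, e.g.
# /etc/letsencrypt/live/yourdomain.com/cert.pem
cert_summary() {
    openssl x509 -in "$1" -noout -issuer -subject -dates
}

# Same summary for the certificate a live server presents (needs network).
# -servername sends SNI so a multi-site server returns the right certificate;
# </dev/null makes s_client exit instead of waiting for input.
live_cert_summary() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -noout -issuer -subject -dates
}

# Exit status: 0 = expires within N days (default 30) or cannot be parsed,
# 1 = still outside that window, 2 = file missing or unreadable.
cert_in_renewal_window() {
    pem=$1; days=${2:-30}
    [ -r "$pem" ] || return 2
    if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null
    then
        return 1
    fi
    return 0
}

# Constructed sample input: a throwaway self-signed certificate valid for
# $2 days, written to $1, so the checks can be tried without a real domain.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.com" 2>/dev/null && rm -f "$1.key"
}

# Run as: sh certcheck.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/cert.pem" 10
    cert_summary "$tmp/cert.pem"
    if cert_in_renewal_window "$tmp/cert.pem" 30; then
        echo "inside the 30-day renewal window"
    fi
    rm -rf "$tmp"
fi
```

A certificate that stays inside the renewal window for several days in a row means renewal is failing even though the timer is active.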
Final Words
Certbot and the ACME protocol make SSL management simple. This guide gives you everything you need to install an ACME certificate on Apache and NGINX with automated renewal, clear validation, and full control when needed.

