1. Home
  2. SSL Certificate Support
  3. ACME Automation
  4. How to Install an ACME SSL Certificate on Apache or NGINX (Linux)

How to Install an ACME SSL Certificate on Apache or NGINX (Linux)

The following instructions will guide you through installing an ACME-enabled SSL certificate on an Apache or NGINX web server running on Linux. This guide uses Certbot, the most popular ACME client, which can automatically obtain and install certificates and configure your web server.

After you complete the initial setup, your SSL certificate should be hands-free: renewals and updates happen automatically without you needing to worry about it.

Note: Certbot requires a supported, up-to-date operating system with the necessary dependencies. Using an outdated OS may result in installation errors. Root or sudo access is required for all installation steps.

What You’ll Need

Before you begin, make sure you have the following:

  • Apache or NGINX Web Server – Installed and running on your Linux server.
  • Root or Sudo Access – Administrative privileges on your server.
  • Domain Name – Pointing to your server’s IP address via DNS A/AAAA record.
  • ACME Credentials – Your EAB Key ID (eab-kid) and EAB HMAC Key (eab-hmac-key) from your Certificate Authority.
  • ACME Server URL – The ACME directory URL provided by your CA (e.g., https://acme.sectigo.com/v2/DV).

Step 1: Install Certbot

Tip: you can run certbot –version to see if certbot is already installed on your server.

Certbot is the recommended ACME client for Apache and NGINX. Installation steps vary by operating system and web server. Select your OS family below, then choose one of the available installation methods.

For Debian/Ubuntu Systems

The following instructions apply to Debian, Ubuntu, Linux Mint, and other Debian-based distributions. Choose Option A or Option B below—you only need to complete one.

Option A: Install via apt

The apt package manager provides a straightforward installation that integrates with your system’s package management. This method may not always provide the latest version of Certbot.

  1. Update your package list:

sudo apt update

  1. Install Certbot with the appropriate plugin for your web server:

For Apache:

sudo apt install certbot python3-certbot-apache

For NGINX:

sudo apt install certbot python3-certbot-nginx

The Certbot developers recommend installation via snap, as it provides automatic updates and always delivers the latest version. This method installs Certbot with support for both Apache and NGINX.

  1. Ensure snapd is installed and up to date:

sudo snap install core
sudo snap refresh core

  1. Install Certbot:

sudo snap install --classic certbot

  1. Create a symbolic link so you can run Certbot from anywhere:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

For Red Hat/CentOS/Fedora Systems

The following instructions apply to Red Hat Enterprise Linux (RHEL), CentOS, Fedora, Rocky Linux, AlmaLinux, and other RHEL-based distributions. Choose Option A or Option B below—you only need to complete one.

Option A: Install via dnf or yum

This method uses your system’s native package manager. You’ll need to enable the EPEL (Extra Packages for Enterprise Linux) repository first.

  1. Enable the EPEL repository:

sudo dnf install epel-release
OR
sudo yum install epel-release

  1. Refresh the repository list:

sudo dnf clean all
sudo dnf update
OR
sudo yum clean all
sudo yum update

  1. Install Certbot with the appropriate plugin for your web server:

For Apache:

sudo dnf install certbot python3-certbot-apache
OR
sudo yum install certbot python-certbot-apache

For NGINX:

sudo dnf install certbot python3-certbot-nginx
OR
sudo yum install certbot python-certbot-nginx

The Certbot developers recommend installation via snap, as it provides automatic updates and always delivers the latest version. This method installs Certbot with support for both Apache and NGINX.

  1. Ensure snapd is installed and up to date:

sudo snap install core
sudo snap refresh core

  1. Install Certbot:

sudo snap install --classic certbot

  1. Create a symbolic link so you can run Certbot from anywhere:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 2: Obtain and Install Your Certificate

With Certbot installed, you can now request your SSL certificate. Certbot’s automatic mode will obtain the certificate, configure your web server, and set up automatic renewal—all in a single command.

Run the appropriate command for your web server, replacing the placeholder values with your own:

For Apache:

sudo certbot --apache --non-interactive --agree-tos \
  --server <acme-directory> \
  --email <your-email> \
  --eab-kid <your-eab-kid> \
  --eab-hmac-key <your-hmac-key> \
  --domain <your-domain> \ 
  --cert-name <your-certificate-name>

For NGINX:

sudo certbot --nginx --non-interactive --agree-tos \
  --server <acme-directory> \
  --email <your-email> \
  --eab-kid <your-eab-kid> \
  --eab-hmac-key <your-hmac-key> \
  --domain <your-domain> \ 
  --cert-name <your-certificate-name>

Command Parameters

  • –apache / –nginx – Specifies your web server for automatic configuration.
  • –non-interactive – Runs without prompts, suitable for scripts and automation.
  • –agree-tos – Automatically accepts the terms of service.
  • –server – The ACME directory URL provided by your CA (e.g., https://acme.sectigo.com/v2/DV).
  • –email – Your email address for certificate expiration notifications.
  • –eab-kid – Your External Account Binding Key ID from your CA.
  • –eab-hmac-key – Your EAB HMAC Key from your CA.
  • –domain – The domain(s) to secure. Use multiple –domain flags for additional domains.
  • –cert-name – A friendly name to identify this certificate on your system.

Example Command

Here is a complete example for Apache using a Sectigo ACME server:

sudo certbot --apache --non-interactive --agree-tos \
  --email admin@example.com \
  --server https://acme.sectigo.com/v2/DV \
  --eab-kid abc123yourEabKid \
  --eab-hmac-key xyz789yourHmacKey \
  --domain example.com \
  --domain www.example.com \ 
  --cert-name my-example-certificate

Tip: For NGINX, simply change –apache to –nginx in the command above. To secure multiple domains with a single certificate, include a separate –domain flag for each domain.

Step 3: Verify the Installation

After the command completes successfully, verify that your certificate is installed and working:

  • Visit https://yourdomain.com in your browser and confirm the padlock icon appears.
  • Check that the certificate details show the correct domain and expiration date.
  • Use our SSL Checker Tool for a comprehensive verification of your installation.

Certbot automatically configures a cron job or systemd timer to renew your certificate before it expires. No additional configuration is required for automatic renewal.

Congratulations! You have successfully installed your ACME SSL certificate. Your certificate will renew automatically, ensuring uninterrupted HTTPS protection.

Additional Resources

If you encounter any issues during the installation process or need further assistance, please contact our Customer Experience Department for support.

Updated on
Was this article helpful?

Related Articles