The following instructions will guide you through installing an ACME-enabled SSL certificate on an Apache or NGINX web server running on Linux. This guide uses Certbot, the most popular ACME client, which can automatically obtain and install certificates and configure your web server.
After you complete the initial setup, your SSL certificate should be hands-free: renewals and updates happen automatically without you needing to worry about it.
Note: Certbot requires a supported, up-to-date operating system with the necessary dependencies. Using an outdated OS may result in installation errors. Root or sudo access is required for all installation steps.
What You’ll Need
Before you begin, make sure you have the following:
- Apache or NGINX Web Server – Installed and running on your Linux server.
- Root or Sudo Access – Administrative privileges on your server.
- Domain Name – Pointing to your server’s IP address via DNS A/AAAA record.
- ACME Credentials – Your EAB Key ID (eab-kid) and EAB HMAC Key (eab-hmac-key) from your Certificate Authority.
- ACME Server URL – The ACME directory URL provided by your CA (e.g., https://acme.sectigo.com/v2/DV).
Step 1: Install Certbot
Tip: you can run certbot –version to see if certbot is already installed on your server.
Certbot is the recommended ACME client for Apache and NGINX. Installation steps vary by operating system and web server. Select your OS family below, then choose one of the available installation methods.
For Debian/Ubuntu Systems
The following instructions apply to Debian, Ubuntu, Linux Mint, and other Debian-based distributions. Choose Option A or Option B below—you only need to complete one.
Option A: Install via apt
The apt package manager provides a straightforward installation that integrates with your system’s package management. This method may not always provide the latest version of Certbot.
- Update your package list:
sudo apt update
- Install Certbot with the appropriate plugin for your web server:
For Apache:
sudo apt install certbot python3-certbot-apache
For NGINX:
sudo apt install certbot python3-certbot-nginx
Option B: Install via snap (Recommended)
The Certbot developers recommend installation via snap, as it provides automatic updates and always delivers the latest version. This method installs Certbot with support for both Apache and NGINX.
- Ensure snapd is installed and up to date:
sudo snap install core
sudo snap refresh core
- Install Certbot:
sudo snap install --classic certbot
- Create a symbolic link so you can run Certbot from anywhere:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
For Red Hat/CentOS/Fedora Systems
The following instructions apply to Red Hat Enterprise Linux (RHEL), CentOS, Fedora, Rocky Linux, AlmaLinux, and other RHEL-based distributions. Choose Option A or Option B below—you only need to complete one.
Option A: Install via dnf or yum
This method uses your system’s native package manager. You’ll need to enable the EPEL (Extra Packages for Enterprise Linux) repository first.
- Enable the EPEL repository:
sudo dnf install epel-release
OR
sudo yum install epel-release
- Refresh the repository list:
sudo dnf clean all
sudo dnf update
OR
sudo yum clean all
sudo yum update
- Install Certbot with the appropriate plugin for your web server:
For Apache:
sudo dnf install certbot python3-certbot-apache
OR
sudo yum install certbot python-certbot-apache
For NGINX:
sudo dnf install certbot python3-certbot-nginx
OR
sudo yum install certbot python-certbot-nginx
Option B: Install via snap (Recommended)
The Certbot developers recommend installation via snap, as it provides automatic updates and always delivers the latest version. This method installs Certbot with support for both Apache and NGINX.
- Ensure snapd is installed and up to date:
sudo snap install core
sudo snap refresh core
- Install Certbot:
sudo snap install --classic certbot
- Create a symbolic link so you can run Certbot from anywhere:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Step 2: Obtain and Install Your Certificate
With Certbot installed, you can now request your SSL certificate. Certbot’s automatic mode will obtain the certificate, configure your web server, and set up automatic renewal—all in a single command.
Run the appropriate command for your web server, replacing the placeholder values with your own:
For Apache:
sudo certbot --apache --non-interactive --agree-tos \
--server <acme-directory> \
--email <your-email> \
--eab-kid <your-eab-kid> \
--eab-hmac-key <your-hmac-key> \
--domain <your-domain> \
--cert-name <your-certificate-name>
For NGINX:
sudo certbot --nginx --non-interactive --agree-tos \
--server <acme-directory> \
--email <your-email> \
--eab-kid <your-eab-kid> \
--eab-hmac-key <your-hmac-key> \
--domain <your-domain> \
--cert-name <your-certificate-name>
Command Parameters
- –apache / –nginx – Specifies your web server for automatic configuration.
- –non-interactive – Runs without prompts, suitable for scripts and automation.
- –agree-tos – Automatically accepts the terms of service.
- –server – The ACME directory URL provided by your CA (e.g., https://acme.sectigo.com/v2/DV).
- –email – Your email address for certificate expiration notifications.
- –eab-kid – Your External Account Binding Key ID from your CA.
- –eab-hmac-key – Your EAB HMAC Key from your CA.
- –domain – The domain(s) to secure. Use multiple –domain flags for additional domains.
- –cert-name – A friendly name to identify this certificate on your system.
Example Command
Here is a complete example for Apache using a Sectigo ACME server:
sudo certbot --apache --non-interactive --agree-tos \
--email admin@example.com \
--server https://acme.sectigo.com/v2/DV \
--eab-kid abc123yourEabKid \
--eab-hmac-key xyz789yourHmacKey \
--domain example.com \
--domain www.example.com \
--cert-name my-example-certificate
Tip: For NGINX, simply change –apache to –nginx in the command above. To secure multiple domains with a single certificate, include a separate –domain flag for each domain.
Step 3: Verify the Installation
After the command completes successfully, verify that your certificate is installed and working:
- Visit https://yourdomain.com in your browser and confirm the padlock icon appears.
- Check that the certificate details show the correct domain and expiration date.
- Use our SSL Checker Tool for a comprehensive verification of your installation.
Certbot automatically configures a cron job or systemd timer to renew your certificate before it expires. No additional configuration is required for automatic renewal.
Congratulations! You have successfully installed your ACME SSL certificate. Your certificate will renew automatically, ensuring uninterrupted HTTPS protection.
Additional Resources
If you encounter any issues during the installation process or need further assistance, please contact our Customer Experience Department for support.