Use Let’s Encrypt and Certbot to secure Raspberry PI-hosted websites automatically


Securing an existing website with Let’s Encrypt and Certbot is one of the most common internet tasks, as it provides free certificates for your HTTPS pages and a fully automated renewal process that works on Raspberry PI.

In this post I will show you how to install and configure Certbot on Raspberry PI with Apache to get your free Let’s Encrypt certificates working and renewed without manual intervention. This can be useful to enhance security for your self-hosted websites, like WordPress hosting on RPI, phpBB hosting on RPI or a simple LAMP server on RPI. Please remember that a web page published on the internet needs a public IP address (check my introduction to No-IP DUC installation).

Let’s Encrypt and Certbot are 2 different pieces in securing your website. Let’s Encrypt works as the Certification Authority, while Certbot requests certificates and renews them automatically before their expiration. More details on how a certification process works can be found in my introduction to Self Signed Certificate tutorial.

What is Let’s Encrypt

Let’s Encrypt is a free Certification Authority provided by the Internet Security Research Group (ISRG). It aims to give common people a free way to get and maintain certificates in order to enable HTTPS (SSL/TLS) for their websites. Anyone who owns a domain name (even free, second level domains) can use Let’s Encrypt to obtain a trusted certificate at zero cost. Let’s Encrypt also allows users to automate their service for most common web technologies, making the whole process painless, from obtaining a certificate to configuring and renewing it.
You can inspect issued/revoked certificates publicly, making this extremely transparent.

What is Certbot

Certbot is an open source tool which automates certificate administration using Let’s Encrypt. The Electronic Frontier Foundation (EFF) manages its source code. Certbot requires that your website is already up and running, with port 80 open and SSH access with sudo privileges (which are assured with a Raspberry PI self hosting installation).

This command line tool takes care of requesting a new certificate, installing it and configuring the most common web servers (like Apache or nginx) to secure your communication through HTTP-to-HTTPS redirection.

In this tutorial I’ll use a Raspberry PI Zero W with Apache. The following steps also work with newer Raspberry PI computer boards.

What We Need

As usual, I suggest adding all the needed hardware to your favourite e-commerce shopping cart now, so that at the end you will be able to evaluate the overall cost and decide whether to continue with the project or remove the items from the cart. So, hardware will be only:

Raspberry PI Zero W unpopulated


Step-by-Step Procedure

Web Server and Domain Preparation

As said, we need a running web page. For this purpose, I will use a standard LAMP installation on Raspberry PI.

We also need our server to be reachable on port 80 (with proper router port forwarding). You also need to open/port forward port 443, as the HTTPS protocol uses this port. Finally, we need a DNS domain name: using No-IP tutorial steps, I will use my free “” as test domain, where I will expose the Apache default index page.

Not required, but I also changed my apache default index.html to get a more personalized index.html, with nano:

sudo nano /var/www/html/index.html

by editing following part:

<span class="floating_element"> Let's Encrypt tutorial<br>
   Apache2 Default Page

Finally, I assume that you have updated the OS. Otherwise, please use the following command from terminal:

sudo apt update -y && sudo apt upgrade -y

Once these preparation steps are done, you should have your web page published on the internet:

Raspberry PI certbot before installation

Please note the icon near the URL, which indicates a web page that is not secure (not served over HTTPS):

Raspberry PI certbot before installation padlock icon

Installing Certbot and Let’s Encrypt Certificate

We can install certbot in 2 independent and different ways: with snap and directly from apt. The official one is with snapd.

Installing Certbot with Snap (not for Raspberry PI Zero)

As this method installs certbot via Snap Core, which is available only from armhf upward, this installation procedure can’t be applied to the Raspberry PI Zero W, but it can be used with newer Raspberry PI computer boards (like RPI3 and RPI4).

Install snapd:

sudo apt install snapd

We need to reboot our RPI:

sudo reboot

Install snap core and update it:

sudo snap install core; sudo snap refresh core

If you have already installed certbot via apt, you need to remove it:

sudo apt remove certbot

Install Certbot:

sudo snap install --classic certbot

Make your certbot command line tool available from terminal, by linking its binary file from /usr/bin/:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

From here you can set up certbot to take care of the whole certificate issuing and renewal process:

sudo certbot --apache

or you can use certbot only to generate a new certificate for your website (in /etc/letsencrypt folder):

sudo certbot certonly --apache

Besides browsing your web page with https, you can verify your certificate renewal process with the following terminal command:

sudo certbot renew --dry-run

Installing Certbot with Apt

For Raspberry PI Zero W users, snap core is unavailable. So we need to go with apt installation.

Besides the certbot package, it is strongly suggested to also install the python-certbot-apache package, as it automates certificate management:

sudo apt install certbot python-certbot-apache

If you use a web server other than Apache, you can find the specific python-certbot package for your server with the following terminal command:

apt search 'python-certbot*'

From here, you can start your certbot setup with the following terminal command:

sudo certbot --apache

During the setup process, you will be asked for your email address:

pi@raspberrypi:~ $ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to

Enter your own email and press enter.

Then you must agree to Let’s Encrypt Terms of Service.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at You must
agree in order to register with the ACME server at
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

After reading these terms, if you accept then type “A” letter and press enter.

Next question asks if you want to receive email from EFF about their work:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Feel free to answer Y/N and press enter.

At this point, if no domain is explicitly set yet in your Apache sites configuration files, the certbot procedure will ask you what domain name you want to use:

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel):

As you can see, here you enter the domain registered with No-IP (or your registrar) without http/https. In my case, I’m going to use my free “”. The setup process will then get the certificate and configure Apache for you. The last question asks if you want to automatically redirect http traffic to https:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Unless you already have content online with specific conditions that this redirection could break, it is suggested to use the redirect (selecting option 2) for all new websites and in all remaining cases.

A final confirmation that everything worked is printed:

Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
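To confirm what the redirect step changed, the check below (an added example, not part of the original post or of Certbot) reads the two vhost files named in the output above and verifies that the port-80 vhost redirects to HTTPS and that the certificate and key both come from the same /etc/letsencrypt/live lineage. The function names, the example.org domain and the sample file contents are constructed for illustration; on the Raspberry PI you would pass the real file paths to audit_vhosts.

```shell
#!/bin/sh
# Added example: audit the two Apache vhost files certbot reports touching.
# Matching is case-sensitive, which fits the directive spelling certbot writes.

# Print the directory that the given directive's path points into.
lineage_of() {  # $1 = directive name, $2 = vhost file
    path=$(awk -v d="$1" '$1 == d { print $2; exit }' "$2")
    printf '%s\n' "${path%/*}"
}

# Return 0 if the port-80 vhost redirects to HTTPS, as option 2 configures.
has_https_redirect() {  # $1 = port-80 vhost file
    grep -Eq '^[[:space:]]*RewriteRule[[:space:]].*https://.*R=(permanent|301)' "$1"
}

# Return 0 if cert and key are both set and come from the same live/ lineage.
ssl_vhost_ok() {  # $1 = port-443 vhost file
    cert=$(lineage_of SSLCertificateFile "$1")
    key=$(lineage_of SSLCertificateKeyFile "$1")
    case "$cert" in /etc/letsencrypt/live/?*) ;; *) return 1 ;; esac
    [ "$cert" = "$key" ]
}

audit_vhosts() {  # $1 = port-80 file, $2 = port-443 file; prints findings
    rc=0
    has_https_redirect "$1" || { echo "WARN: $1 has no HTTP->HTTPS redirect"; rc=1; }
    ssl_vhost_ok "$2" || { echo "WARN: $2 cert/key not from one letsencrypt lineage"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: redirect and certificate paths look consistent"
    return "$rc"
}

# Constructed sample files mirroring what certbot writes; example.org is a placeholder.
demo=$(mktemp -d)
cat > "$demo/000-default.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF
cat > "$demo/000-default-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    SSLCertificateFile /etc/letsencrypt/live/example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
</VirtualHost>
EOF
audit_vhosts "$demo/000-default.conf" "$demo/000-default-le-ssl.conf"
```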

Back to your browser, a simple refresh will redirect your page to https:

Raspberry PI certbot secured

Please note your padlock icon near the URL field, which changed:

Raspberry PI certbot secured padlock icon

