
Chapter 12: Installing Certbot & Generating SSL Certificate

Sometimes, generating an SSL certificate can be challenging, especially on first attempts. This guide was fully tested on a Debian server, and here are a few helpful tips to avoid common issues and hours of troubleshooting:

  • Create an A record pointing to your server’s public IP address.
  • Certbot uses port 80 (HTTP) to validate your domain:
    • Make sure port 80 is open on your firewall.
    • If you’re using Oracle Cloud Infrastructure (OCI), go to Networking → Security Lists or Network Security Groups and allow inbound traffic on port 80.


Why SSL?

  • Encrypts traffic between users and your server
  • Gives credibility — no more “Not Secure” warning in browsers
  • Required for many web features and SEO


Step 1: Install Certbot on Debian

Run the following commands to install Certbot and its dependencies:

sudo apt update
sudo apt install certbot -y

If you're using Nginx or Apache, Certbot has plugins, but in this guide, we'll use the standalone method to generate the cert first.

Step 2: Open Port 80

Certbot uses port 80 (HTTP) to validate your domain. Make sure it’s open:

sudo ufw allow 80

Or if using Oracle’s security lists, allow inbound traffic on port 80 via the OCI Console under Networking > Security Lists or Network Security Groups.


Step 3: Run Certbot to Get the Certificate

Before running the Certbot command, make sure your domain points to your server's public IP address — otherwise, Let's Encrypt won’t be able to validate it!

Add an A Record in OCI DNS:

  • Name: @ or your root domain (e.g., hexacats.online)
  • Type: A
  • Value: Your server's public IP (from the OCI instance)

Repeat the same for www.yourdomain.com if you want it secured too.


Once your DNS is set up and propagated (you can check with whatsmydns.net), run Certbot:

sudo certbot certonly --standalone -d yourdomain.com

Replace yourdomain.com with your actual domain (e.g., hexacats.online).

Make sure no web server is running on port 80 during this process (e.g., stop Nginx temporarily if needed).
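The two prerequisites above (DNS pointing at this server, nothing listening on port 80) can be checked before invoking Certbot. The script below is an added example, not part of the original guide; its function names and the DOMAIN and SERVER_IP variables are assumptions, and it relies on getent and ss being available, as they are on a standard Debian install.

```shell
#!/bin/sh
# Added example: pre-flight checks before `certbot certonly --standalone`.
# Function names and the DOMAIN / SERVER_IP variables are assumptions of this sketch.

# Reads `ss -ltn` output on stdin; succeeds if any listener is bound to port 80.
# Anchoring on ":80$" avoids false hits on ports such as 8080.
port80_busy() {
    awk '$1 == "LISTEN" && $4 ~ /:80$/ { found = 1 } END { exit !found }'
}

# Reads A records (one IP per line) on stdin; succeeds only if there is at
# least one record and every record equals the expected server IP. A stale
# second A record can make validation fail, so it is rejected.
a_records_match() {
    awk -v ip="$1" 'NF { n++; if ($1 != ip) bad = 1 } END { exit (n == 0 || bad) }'
}

# Runs both checks against the live system. getent uses the local resolver
# (including /etc/hosts), which may differ from what Let's Encrypt sees.
preflight() {
    domain=$1
    server_ip=$2
    if ! getent ahostsv4 "$domain" | awk '{ print $1 }' | sort -u |
        a_records_match "$server_ip"; then
        echo "FAIL: $domain does not resolve solely to $server_ip" >&2
        return 1
    fi
    if ss -ltn | port80_busy; then
        echo "FAIL: something is listening on port 80; stop it first" >&2
        return 2
    fi
    echo "OK: ready for certbot certonly --standalone -d $domain"
}

# Only runs when both variables are set, e.g.:
#   DOMAIN=yourdomain.com SERVER_IP=203.0.113.10 sh preflight.sh
if [ -n "${DOMAIN:-}" ] && [ -n "${SERVER_IP:-}" ]; then
    preflight "$DOMAIN" "$SERVER_IP"
fi
```

A non-zero exit status tells you which prerequisite to fix: 1 for DNS, 2 for a busy port 80.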

If you want the certificate to cover multiple hostnames, pass one -d flag per name, as in the example below:

sudo certbot certonly --standalone -d hexacats.cloud -d www.hexacats.cloud -d root.hexacats.cloud -d sudo.hexacats.cloud --preferred-chain "ISRG Root X1"

Step 4: Where Are My Certificates?

Once successful, Certbot will output a message showing where your certs are:

  • Full chain:
    /etc/letsencrypt/live/yourdomain.com/fullchain.pem
  • Private key:
    /etc/letsencrypt/live/yourdomain.com/privkey.pem