How to Encrypt a Site Hosted on a Raspberry Pi with Certbot

Last Updated on April 12, 2023 by Freddy Reyes

The instructions below will guide you through encrypting a site hosted on a Raspberry Pi.

To create a valid certificate for your website, you will need the “Certbot” software. Install the Certbot module for Apache if you’re using it; otherwise, install the standard version of Certbot.

Creating a New Certificate:

For Apache:

sudo apt-get install python3-certbot-apache

For Everything Else:

sudo apt-get install certbot

Once Certbot is installed, you can obtain an SSL certificate for your Raspberry Pi from Let’s Encrypt. There are several methods for doing this.

For those using Apache, the simplest way to obtain a certificate is by running the command below. This will automatically acquire and install the certificate in Apache’s configuration. First, ensure that ports 443 and 80 are open (not blocked by your ISP), then run:

sudo certbot --apache

If you are not running Apache, there are two ways to obtain a certificate from Let’s Encrypt using Certbot: by using a standalone Python server or web root.

To use the standalone built-in web server, ensure that port 80 is unblocked and forwarded. Replace example.com with your intended domain name:

sudo certbot certonly --standalone -d example.com -d www.example.com

Using web root requires more knowledge than the built-in web server. Make sure /var/www/example points to a working website directory accessible from the internet. Replace example.com with your domain name:

sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com

After running these commands, you will be prompted to enter details such as your email address. Let’s Encrypt requires this information to track the certificates it provides and to contact you if any issues arise with the certificate.

Upon providing the necessary information, the certificate will be obtained from Let’s Encrypt.

If you encounter any problems, ensure that you have a valid domain name pointing at your IP address, that ports 80 and 443 are unblocked, and, if you use Cloudflare as your DNS provider, that it is set to bypass its servers.

The certificates obtained by the Certbot client will be stored in the following folder, replacing example.com with your domain name:

/etc/letsencrypt/live/example.com/

Within this folder, you will find the full chain file (fullchain.pem) and the certificate’s private key file (privkey.pem). Ensure that others cannot access these files, as they secure your SSL connection and confirm its legitimacy.
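
One way to check that the private key is not accessible to other users, as an added example that is not part of the original article: the audit_le_keys function (a hypothetical name) follows each live/<domain>/privkey.pem symlink to the real file and reports any key whose mode grants access to "other", whatever the directory modes are. It assumes GNU stat and readlink, as shipped with Raspberry Pi OS.

```shell
#!/bin/sh
# Added example (not from the original article): audit Certbot private-key permissions.
# Usage: audit_le_keys [CONFIG_DIR]   (default /etc/letsencrypt; run as root)
# Prints one line per problem; returns 0 if clean, 1 if any problem was found.

audit_le_keys() {
    base=${1:-/etc/letsencrypt}
    problems=0
    for link in "$base"/live/*/privkey.pem; do
        # An unmatched glob stays literal and a dangling symlink fails -e,
        # so test both -e and -L before deciding to skip.
        [ -e "$link" ] || [ -L "$link" ] || continue
        # live/<domain>/privkey.pem is a symlink into archive/; check the real file.
        target=$(readlink -f "$link" || true)
        if [ ! -f "$target" ]; then
            echo "BROKEN $link -> missing target"
            problems=$((problems + 1))
            continue
        fi
        mode=$(stat -c '%a' "$target")   # octal mode, e.g. 600 or 644
        case $mode in
            *0) ;;                       # last digit 0: no access for "other"
            *)  echo "EXPOSED $target mode $mode (other users have access)"
                problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}
```

Run sudo sh -c '. ./audit.sh; audit_le_keys' after saving the block as audit.sh (an assumed file name); a key reported as EXPOSED can be tightened with chmod 600 on the path shown.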

How to Renew Your Certificate

Open ports 80 and 443 (see above).

Run the following command:

sudo certbot renew

This will renew your certificate for an additional 90 days.