Set up LetsEncrypt (certbot) certificates
To get a certificate from LetsEncrypt, set up your domain and point it to your server's IP address.
Install certbot:
apt install certbot
To launch a guided process, run:
certbot
or
certbot certonly
However, the disadvantage of the guided process is that it tries to serve the challenge response on port 80, which conflicts with an already running web server.
There are two ways that I know of to avoid this.
1. Specify the web root directory (the default on Debian is "/var/www"). Since you are probably running this command as root, there should be no issues writing the challenge file there.
certbot certonly --webroot -w /path/to/webroot
2. DNS challenge. Instead of placing files in the web directory or starting a web server, certbot can check your DNS for a unique TXT record. This requires additional setup on the DNS, which the prompt will instruct.
certbot certonly --manual --preferred-challenges=dns -d "mydomain.org"
Certificates are stored in
/etc/letsencrypt/live/mydomain.org/
Another common issue is that the created certificates are not accessible to all users (especially if you run services as non-root users). Debian has a default group called "ssl-cert" specifically for certificates.
Add the user (service-user) to the ssl-cert group:
usermod -aG ssl-cert service-user
Make the LetsEncrypt directory accessible to the ssl-cert group:
chgrp -R ssl-cert /etc/letsencrypt
chmod -R g=rx /etc/letsencrypt
This might need to be re-applied after each certificate renewal, because certbot recreates the files under /etc/letsencrypt/archive/ with their default permissions.
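One way to make the group fix survive renewals automatically, as an added example that is not part of the original note: certbot runs every executable placed in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal and sets RENEWED_LINEAGE in its environment (that directory and variable are certbot's; the script itself is mine). It uses g=rX rather than g=rx so regular files are not made executable; the LETSENCRYPT_DIR and SSL_CERT_GROUP overrides are assumptions added for testing on a scratch directory.

```shell
#!/bin/sh
# Added example: certbot deploy hook that re-applies ssl-cert group access
# after every renewal. Install as
#   /etc/letsencrypt/renewal-hooks/deploy/ssl-cert-group.sh  (chmod +x)
# The whole tree is fixed, not just live/, because live/ only holds
# symlinks into archive/, where the real key and cert files live.
set -eu

# fix_cert_perms DIR GROUP
# Recursively gives GROUP read access: directories become r-x, regular
# files r-- (the capital X adds execute only to directories and files
# that are already executable, unlike plain x). Returns 1 if DIR is missing.
fix_cert_perms() {
    dir=$1
    group=$2
    [ -d "$dir" ] || return 1
    chgrp -R "$group" "$dir"
    chmod -R g=rX "$dir"
}

# check_cert_perms DIR GROUP
# Lists every path not owned by GROUP or not group-readable; returns 1 if
# any exist, so a broken renewal is visible in certbot's log.
check_cert_perms() {
    dir=$1
    group=$2
    bad=$(find "$dir" ! -group "$group" -o ! -perm -g=r 2>/dev/null)
    [ -z "$bad" ] || { printf 'bad permissions: %s\n' "$bad"; return 1; }
}

main() {
    le_dir=${LETSENCRYPT_DIR:-/etc/letsencrypt}
    grp=${SSL_CERT_GROUP:-ssl-cert}
    fix_cert_perms "$le_dir" "$grp"
    check_cert_perms "$le_dir" "$grp"
}

# Only act when invoked by certbot (it sets RENEWED_LINEAGE); this keeps
# the functions safe to source from other scripts.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

To run it by hand after a fresh `certbot certonly`, set RENEWED_LINEAGE to the live directory of the certificate, e.g. `RENEWED_LINEAGE=/etc/letsencrypt/live/mydomain.org ./ssl-cert-group.sh`.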