The following instructions will guide you through installing an ACME-enabled Certificate-as-a-Service certificate on an Apache or NGINX web server running on Linux. This guide uses Certbot, the most popular ACME client, which can automatically obtain and install certificates and configure your web server.
After you complete the initial setup, your SSL certificate should be hands-free: renewals and updates happen automatically without you needing to worry about it.
Note: Certbot requires a supported, up-to-date operating system with the necessary dependencies. Using an outdated OS may result in installation errors. Root or sudo access is required for all installation steps.
What You’ll Need
Before you begin, make sure you have the following:
- Apache or NGINX Web Server – Installed and running on your Linux server.
- Root or Sudo Access – Administrative privileges on your server.
- Domain Name – Pointing to your server’s IP address via DNS A/AAAA record.
- ACME Credentials – Your EAB Key ID (eab-kid) and EAB HMAC Key (eab-hmac-key) from your Certificate Order.
- ACME Server URL – The ACME directory URL provided by your CA (e.g., https://acme.sectigo.com/v2/DV).
Step 1: Install Certbot
Tip: you can run certbot --version to see if Certbot is already installed on your server.
Certbot is the recommended ACME client for Apache and NGINX. Installation steps vary by operating system and web server. Select your OS family below, then choose one of the available installation methods.
For Debian/Ubuntu Systems
The following instructions apply to Debian, Ubuntu, Linux Mint, and other Debian-based distributions. Choose Option A or Option B below—you only need to complete one.
Option A: Install via apt
The apt package manager provides a straightforward installation that integrates with your system’s package management. This method may not always provide the latest version of Certbot.
- Update your package list:
sudo apt update
- Install Certbot with the appropriate plugin for your web server:
For Apache:
sudo apt install certbot python3-certbot-apache
For NGINX:
sudo apt install certbot python3-certbot-nginx
Option B: Install via snap (Recommended)
The Certbot developers recommend installation via snap, as it provides automatic updates and always delivers the latest version. This method installs Certbot with support for both Apache and NGINX.
- Ensure snapd is installed and up to date:
sudo snap install core
sudo snap refresh core
- Install Certbot:
sudo snap install --classic certbot
- Create a symbolic link so you can run Certbot from anywhere:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
For Red Hat/CentOS/Fedora Systems
The following instructions apply to Red Hat Enterprise Linux (RHEL), CentOS, Fedora, Rocky Linux, AlmaLinux, and other RHEL-based distributions. Choose Option A or Option B below—you only need to complete one.
Option A: Install via dnf or yum
This method uses your system’s native package manager. You’ll need to enable the EPEL (Extra Packages for Enterprise Linux) repository first.
- Enable the EPEL repository:
sudo dnf install epel-release
OR
sudo yum install epel-release
- Refresh the repository list:
sudo dnf clean all
sudo dnf update
OR
sudo yum clean all
sudo yum update
- Install Certbot with the appropriate plugin for your web server:
For Apache:
sudo dnf install certbot python3-certbot-apache
OR
sudo yum install certbot python-certbot-apache
For NGINX:
sudo dnf install certbot python3-certbot-nginx
OR
sudo yum install certbot python-certbot-nginx
Option B: Install via snap (Recommended)
The Certbot developers recommend installation via snap, as it provides automatic updates and always delivers the latest version. This method installs Certbot with support for both Apache and NGINX.
- Ensure snapd is installed and up to date:
sudo snap install core
sudo snap refresh core
- Install Certbot:
sudo snap install --classic certbot
- Create a symbolic link so you can run Certbot from anywhere:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Step 2: Obtain and Install Your Certificate
With Certbot installed, you can now request your SSL certificate. Certbot’s automatic mode will obtain the certificate, configure your web server, and set up automatic renewal—all in a single command.
Run the appropriate command for your web server, replacing the placeholder values with your own:
For Apache:
sudo certbot --apache --non-interactive --agree-tos \
  --server <acme-directory> \
  --email <your-email> \
  --eab-kid <your-eab-kid> \
  --eab-hmac-key <your-hmac-key> \
  --domain <your-domain> \
  --cert-name <your-certificate-name>
For NGINX:
sudo certbot --nginx --non-interactive --agree-tos \
  --server <acme-directory> \
  --email <your-email> \
  --eab-kid <your-eab-kid> \
  --eab-hmac-key <your-hmac-key> \
  --domain <your-domain> \
  --cert-name <your-certificate-name>
Command Parameters
- --apache / --nginx – Specifies your web server for automatic configuration.
- --non-interactive – Runs without prompts, suitable for scripts and automation.
- --agree-tos – Automatically accepts the terms of service.
- --server – The ACME directory URL provided by your CA (e.g., https://acme.sectigo.com/v2/DV).
- --email – Your email address for certificate expiration notifications.
- --eab-kid – Your External Account Binding Key ID from your CA.
- --eab-hmac-key – Your EAB HMAC Key from your CA.
- --domain – The domain(s) to secure. Use multiple --domain flags for additional domains.
- --cert-name – A friendly name to identify this certificate on your system.
Example Command
Here is a complete example for Apache using a Sectigo ACME server:
sudo certbot --apache --non-interactive --agree-tos \
  --email admin@example.com \
  --server https://acme.sectigo.com/v2/DV \
  --eab-kid abc123yourEabKid \
  --eab-hmac-key xyz789yourHmacKey \
  --domain example.com \
  --domain www.example.com \
  --cert-name my-example-certificate
Tip: For NGINX, simply change --apache to --nginx in the command above. To secure multiple domains with a single certificate, include a separate --domain flag for each domain.
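The commands above pass the EAB HMAC key as an argument, which leaves it in shell history and visible in the process list while Certbot runs. As an added example (not part of the original guide), the function below writes the account options to a root-only Certbot configuration file, which Certbot reads using the long option names without the leading dashes; the function name write_eab_ini and the file path are assumptions.

```shell
# Added example: keep the EAB HMAC key out of argv and shell history by storing
# the account options in a root-only Certbot config file. write_eab_ini and the
# file path used below are hypothetical names chosen for this example.

# write_eab_ini FILE SERVER EMAIL EAB_KID   (the HMAC key is read from stdin)
write_eab_ini() {
    ini=$1; server=$2; email=$3; kid=$4
    case $server in
        https://*) ;;
        *) echo "ACME directory must be an https:// URL" >&2; return 2 ;;
    esac
    # Read the key from stdin so it is never a command-line argument.
    IFS= read -r hmac || true
    [ -n "$hmac" ] || { echo "no HMAC key on stdin" >&2; return 2; }
    (
        # umask only applies when a file is created, so remove any older copy
        # first; the new file is then created with mode 0600.
        umask 077
        rm -f -- "$ini"
        {
            printf 'server = %s\n' "$server"
            printf 'email = %s\n' "$email"
            printf 'eab-kid = %s\n' "$kid"
            printf 'eab-hmac-key = %s\n' "$hmac"
            printf 'agree-tos = true\n'
            printf 'non-interactive = true\n'
        } > "$ini"
    )
}

# Usage as root, with the guide's example values (type or paste the key, then Enter):
#   write_eab_ini /etc/letsencrypt/eab.ini https://acme.sectigo.com/v2/DV admin@example.com abc123yourEabKid
#   certbot --apache --config /etc/letsencrypt/eab.ini \
#     --domain example.com --domain www.example.com --cert-name my-example-certificate
```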
Step 3: Verify the Installation
After the command completes successfully, verify that your certificate is installed and working:
- Visit https://yourdomain.com in your browser and confirm the padlock icon appears.
- Check that the certificate details show the correct domain and expiration date.
- Verify with a dry run that the renewal process works without affecting your current certificates:
sudo certbot renew --dry-run
Certbot automatically configures a cron job or systemd timer to renew your certificate before it expires. No additional configuration is required for automatic renewal. If you want to verify the timer is running:
# For standard apt installations
sudo systemctl status certbot.timer
# For Snap installations
sudo systemctl status snap.certbot.renew.timer
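The Step 3 checks can also be scripted. The following is an added example, not part of the original guide: it parses the text report printed by certbot certificates and fails if the named certificate is missing, lacks an expected domain, or has fewer than a chosen number of days left. The function names and the sample report are constructed for illustration.

```shell
# Added example: script the Step 3 checks against the report printed by
# `certbot certificates`. Function names and sample data are constructed.

# check_cert_report NAME MIN_DAYS DOMAIN...   (report is read from stdin)
check_cert_report() {
    name=$1; min_days=$2; shift 2
    awk -v name="$name" -v min="$min_days" -v want="$*" '
        $1 == "Certificate" && $2 == "Name:" { cur = $3 }
        cur != name { next }
        $1 == "Domains:" { found = 1; days = -1; status = "unknown"
                           for (i = 2; i <= NF; i++) have[$i] = 1 }
        $1 == "Expiry" {
            # The status is the parenthesised part: "VALID: 89 days", "INVALID: EXPIRED", ...
            status = $0; sub(/^[^(]*\(/, "", status); sub(/\).*$/, "", status)
            if (status ~ /^VALID: [0-9]+ day/)       { split(status, p, " "); days = p[2] + 0 }
            else if (status ~ /^VALID: [0-9]+ hour/) { days = 0 }
            else                                     { days = -1 }
        }
        END {
            if (!found) { print "FAIL: no certificate named " name; exit 1 }
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in have)) { print "FAIL: " w[i] " is not on the certificate"; bad = 1 }
            if (days < 0)            { print "FAIL: status is " status; bad = 1 }
            else if (days < min + 0) { print "FAIL: only " days " day(s) left"; bad = 1 }
            if (!bad) print "OK: " name ", " days " day(s) left, all expected domains present"
            exit bad + 0
        }'
}

# Constructed sample of `certbot certificates` output, not taken from a real host.
sample_report() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: my-example-certificate
    Domains: example.com www.example.com
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/my-example-certificate/fullchain.pem
  Certificate Name: old-site
    Domains: old.example.com
    Expiry Date: 2020-01-01 00:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# On a server:
#   sudo certbot certificates | check_cert_report my-example-certificate 30 example.com www.example.com
```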
Congratulations! You have successfully installed your ACME SSL certificate. Your certificate will renew automatically, ensuring uninterrupted HTTPS protection. Please ensure you renew the service before the due date every 12 months; otherwise, the renewal will fail.