SSL (Secure Sockets Layer) is a security protocol that functions to secure communication between clients and servers over the Internet. SSL protects sensitive data such as login information, credit card numbers, and other personal information sent over the internet. Secure Sockets Layer, or SSL, works by using encryption techniques, namely changing the data sent into a form that cannot be read by unauthorized parties. This is done by encrypting the data on the sender’s side and decrypting it on the recipient’s. Nowadays, websites are expected to use SSL certificates. In this article, we will show you how to install Let’s Encrypt on AlmaLinux 10.
Table of Contents
Prerequisites
- An AlmaLinux VPS
- SSH root access or a regular system user with sudo privileges
To install Let’s Encrypt on an AlmaLinux 10 machine, you will need to meet several requirements:
Familiar with the Command Line. The Command Line is a way of interacting with a computer by typing text-based commands and receiving text-based replies. We will run the certbot command through SSH.
Already have an HTTP/HTTPS service with open ports 80 and 443. The server must have an HTTP service that is already active, with ports 80 and 443 open.
Have SSH access to the server, and have sudo (root) access. Sudo is the most common command on Unix-like operating systems for running commands as root (system administrator). If you’re logged into your server as a user other than root, you may need to put sudo before your Certbot command to have it run as root (e.g., sudo certbot instead of just certbot), especially if you’re re-using Certbot’s integration with a web server like Apache or Nginx. (The certbot-auto script automatically runs sudo if it’s needed and you don’t specify it.)
Conventions
# – given commands should be executed with root privileges either directly as a root user or by use of sudo command
$ – given commands should be executed as a regular user
Let’s Encrypt is a certificate authority that provides free SSL/TLS certificates that actually work like the paid ones. Users no longer need to purchase paid SSL certificates. To get a Let’s Encrypt certificate, you’ll need to choose a piece of ACME client software to use. The ACME protocol is utilized to confirm your ownership of a specific domain name and to issue a certificate to you.
Mostly, people use Certbot to generate and install a SSL/TLS certificate for their websites. Please note that there are alternative tools to Cerbot, such as acme.sh, dehydrated, and getssl. These ACME clients are offered and maintained by third parties, not Let’s Encrypt. Let’s Encrypt does not control or review third-party clients and cannot guarantee their safety or reliability. In this article, we will show you how to install an SSL certificate from Let’s Encrypt using Certbot and Acme.sh.
Install Certbot
Certbot is a tool for obtaining SSL certificates from Let’s Encrypt and, optionally, auto-enabling HTTPS on your server. Additionally, it can also act as a client for any other CA that uses the ACME protocol. To install Certbot on AlmaLinux 10, we need to install:
If your server is running Apache
# dnf install python3-certbot-apache
If your server is running nginx
# dnf install python3-certbot-nginx
That’s it! Cerbot should be installed on your server now.
Generate the SSL Certificate
For the article’s purpose, we will use a domain called almalinux10.rosehosting.com as an example to get an SSL certificate. Make sure that this domain already has an Apache virtual host or nginx server block. If your Apache or nginx does not have a virtual host or nginx server block, you can create one.
Apache
# nano /etc/httpd/conf.d/almalinux10.rosehosting.com.confInsert the following into the file:
<VirtualHost *:80>
ServerAdmin webmaster@almalinux10.rosehosting.com
DocumentRoot /var/www/html/almalinux10.rosehosting.com
ServerName almalinux10.rosehosting.com
ServerAlias www.almalinux10.rosehosting.com
ErrorLog /var/log/httpd/almalinux10.rosehosting.com-error.log
CustomLog /var/log/httpd/almalinux10.rosehosting.com-access.log combined
</VirtualHost>Make sure to replace almalinux10.rosehosting.com with your actual domain or subdomain name pointing to your server.
To prevent Apache from going down after we restart the service, we need to check the configuration beforehand.
# apachectl -tIf you see the “Syntax OK” message, then your configuration has no errors, and you restart Apache:
# systemctl restart httpdNginx
# nano /etc/nginx/conf.d/almalinux10.rosehosting.com.confInsert the following into the file:
server {
listen 80;
root /var/www/html/almalinux10.rosehosting.com;
access_log /var/log/nginx/almalinux10.rosehosting.com.access.log;
error_log /var/log/nginx/almalinux10.rosehosting.com.error.log;
index index.html index.php;
server_name almalinux10.rosehosting.com www.almalinux10.rosehosting.com;
location / {
try_files $uri $uri/ =404;
}
}Let’s check the nginx configuration for mistakes.
# nginx -tThe command above will print this message:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successfulIf everything is okay, we can restart nginx.
# systemctl restart nginxNow, to generate the SSL certificate, run this command:
# certbotOnce executed, you will be prompted for a few questions and see an output like this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): you@almalinux10.rosehosting.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: almalinux10.rosehosting.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for almalinux10.rosehosting.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/almalinux10.rosehosting.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/almalinux10.rosehosting.com/privkey.pem
This certificate expires on 2026-02-06.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for cloud.example.com to /etc/nginx/conf.d/almalinux10.rosehosting.com.conf
Congratulations! You have successfully enabled HTTPS on https://almalinux10.rosehosting.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Install ACME.SH
As an alternative to Certbot, we can install acme.sh. There are several ways to install acme.sh. In this step, we will use the installation script. Let’s get it installed now.
# curl https://get.acme.sh | shNow, let’s add it to our shell environment.
# source ~/.bashrcOnce everything is done, we can run this command to verify the installation
# acme.sh --versionThe command above will print an output like this:
https://github.com/acmesh-official/acme.sh
v3.1.2By default, the acme.sh will use ZeroSSL. Since we’ll be using Let’s Encrypt, let’s change the default CA.
# acme.sh --set-default-ca --server letsencryptThat’s it, now we can issue an SSL certificate.
# acme.sh --issue -d almalinux10.rosehosting.com -w /var/www/htmlThe command above will generate an SSL certificate, and you will see a message like this:
[Sun Nov 9 03:03:50 CST 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Nov 9 03:03:51 CST 2025] Single domain='almalinux10.rosehosting.com'
[Sun Nov 9 03:03:52 CST 2025] Getting webroot for domain='almalinux10.rosehosting.com'
[Sun Nov 9 03:03:52 CST 2025] Verifying: almalinux10.rosehosting.com
[Sun Nov 9 03:03:53 CST 2025] Pending. The CA is processing your order, please wait. (1/30)
[Sun Nov 9 03:03:56 CST 2025] Success
[Sun Nov 9 03:03:56 CST 2025] Verification finished, beginning signing.
[Sun Nov 9 03:03:56 CST 2025] Let's finalize the order.
[Sun Nov 9 03:03:56 CST 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/2787011136/446692703046'
[Sun Nov 9 03:03:58 CST 2025] Downloading cert.
[Sun Nov 9 03:03:58 CST 2025] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/061826039f3750304b3dd260b70d8c77e10f'
[Sun Nov 9 03:03:58 CST 2025] Cert success.
-----BEGIN CERTIFICATE-----
MIIDhjCCAwygAwIBAgISBhgmA583UDBLPdJgtw2Md+EPMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NzAeFw0yNTExMDkwODA1MjdaFw0yNjAyMDcwODA1MjZaMBcxFTATBgNVBAMTDHJo
LmFyb2VsLm5ldDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIQPQZ89DTBW8VCH
3p90l5SN0ZF7hd645L9ifjJs/mwQjZu0eNgE1WqGcdils0xIIodb/XgIoWJB6m1a
0l+fZNujggIbMIICFzAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFH0x7CN/f2x7/nqz
0zPDIA4G+9+CMB8GA1UdIwQYMBaAFK5IntyHHUSgb9qi5WB0BHjCnACAMDIGCCsG
AQUFBwEBBCYwJDAiBggrawkFBQcwAoYWaHR0cDovL2U3LmkubGVuY3Iub3JnLzAX
BgNVHREEEDAOggxyaC5hcm9lbC5uZXQwEwYDVR0gBAwwCjAIBgZngQwBAgEwLQYD
VR0fBCYwJDAioCCgHoYcaHR0cDovL2U3LmMubGVuY3Iub3JnLzE2LmNybDCCAQUG
CisGAQQB1nkCBAIEgfYEgfMA8QB2ABmG1Mcoqm/+ugNveCpNAZGqzi1yMQ+uzl1w
QS0lTMfUAAABmmfbnqUAAAQDAEcwRQIgKpTj6qFjcaXrocZAbo69YcLnzlMXOyrI
a3a1lbObgvACIQDJAzD2CD2MzZsLn2z7aPiL3NHT4ymruSWFbaL35h1GNgB3AJaX
ZL9VWJet90OHaDcIQnfp8DrV9qTzNm5GpD8PyqnGAAABmmfbnugAAAQDAEgwRgIh
AJE7hZW2cHGenRgLHwnGPWO0ieFkvvZN+tjNni6wsZXsAiEAlKftIFwj6WXUbAIp
+KPSnfRnzcr2E1D5/2wUsMU7VHwwCgYIKoZIzj0EAwMDaAAwZQIwP2mWtNRTIigE
a0vLEyw6H1dkjXFRVwDmXjRwIL3cztrsCgYP1bF1uyzZgED8qd/CAjEAriPFhEXC
FLmZfqv6LxDS4KqWMwMAC95tNsrltvGKjUZjnyJK380Ht6A3vXUCknoq
-----END CERTIFICATE-----
[Sun Nov 9 03:03:58 CST 2025] Your cert is in: /root/.acme.sh/almalinux10.rosehosting.com_ecc/almalinux10.rosehosting.com.cer
[Sun Nov 9 03:03:58 CST 2025] Your cert key is in: /root/.acme.sh/almalinux10.rosehosting.com_ecc/almalinux10.rosehosting.com.key
[Sun Nov 9 03:03:58 CST 2025] The intermediate CA cert is in: /root/.acme.sh/almalinux10.rosehosting.com_ecc/ca.cer
[Sun Nov 9 03:03:58 CST 2025] And the full-chain cert is in: /root/.acme.sh/almalinux10.rosehosting.com_ecc/fullchain.cerAs shown above, you will find the certificate files, including the private key and its CA certificate. You can use the information about the SSL certificates to update your Apache or Nginx virtual host to create an SSL-enabled virtual host.
Bringing it all together
Congratulations! You have successfully learned how to install Let’s Encrypt on AlmaLinux 10.
Of course, if you are one of our Linux Hosting customers, you don’t have to install Let’s Encrypt on Almalinux 10 yourself – simply ask our admins, sit back, and relax. Our admins will install Let’s Encrypt on AlmaLinux 10 for you immediately, at no additional cost, along with many useful server optimizations.
If you liked this post, please share it with your friends or leave a comment below. Thanks.