{"id":17171,"date":"2023-06-01T15:45:41","date_gmt":"2023-06-01T12:45:41","guid":{"rendered":"https:\/\/trueconf.com/blog\/?p=17171"},"modified":"2026-03-12T11:48:51","modified_gmt":"2026-03-12T08:48:51","slug":"how-to-create-a-lets-encrypt-certificate-on-linux","status":"publish","type":"post","link":"https:\/\/trueconf.com/blog\/knowledge-base\/how-to-create-a-lets-encrypt-certificate-on-linux","title":{"rendered":"How to create a \u201cLet\u2019s Encrypt\u201d certificate on Linux"},"content":{"rendered":"<p class=\"primary-medium-text ui-mb-sm-1\">To make the most of all TrueConf Server or TrueConf MCU, you need a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security\" target=\"_blank\" rel=\"noopener\">TLS certificate<\/a>. For example, the certificate makes it possible to:<\/p>\n<ul class=\"ui-list ui-list--medium\" style=\"margin-bottom: 18px;\">\n<li class=\"ui-list__item ui-list__item--disc\"><a href=\"https:\/\/trueconf.com\/blog\/knowledge-base\/how-to-setup-user-data-synchronization-between-trueconf-server-and-active-directory.html\" target=\"_blank\" rel=\"noopener\">Synchronize TrueConf Server with LDAP<\/a><\/li>\n<li class=\"ui-list__item ui-list__item--disc\"><a href=\"https:\/\/trueconf.com\/blog\/knowledge-base\/join-video-conference.html\" target=\"_blank\" rel=\"noopener\">Join the webinars hosted on TrueConf Server from a browser<\/a>.<\/li>\n<\/ul>\n<p class=\"primary-medium-text ui-mb-sm-1\">Previously we explained <a href=\"https:\/\/trueconf.com\/blog\/knowledge-base\/how-to-create-a-lets-encrypt-certificate-on-windows.html\" target=\"_blank\" rel=\"noopener\">how to generate a free Let\u2019s Encrypt certificate on Windows<\/a>. This article will show how to generate this certificate on Linux-based operating systems that are supported by TrueConf Server and TrueConf MCU.<\/p>\n<p class=\"primary-medium-text ui-mb-sm-1\">In order to generate and use a Let\u2019s Encrypt certificate, please follow the instructions below:<\/p>\n<ul class=\"ui-list ui-list--medium\" style=\"margin-bottom: 18px;\">\n<li class=\"ui-list__item ui-list__item--num\">Install the required solution (<a href=\"https:\/\/trueconf.com\/blog\/knowledge-base\/install-and-set-up-your-video-conferencing-server-for-linux-in-15-minutes.html\" target=\"_blank\" rel=\"noopener\">TrueConf Server<\/a> or <a href=\"https:\/\/trueconf.com\/blog\/knowledge-base\/how-to-install-and-set-up-trueconf-mcu-in-15-minutes.html\" target=\"_blank\" rel=\"noopener\">TrueConf MCU<\/a>).<\/li>\n<li class=\"ui-list__item ui-list__item--num\"><a href=\"https:\/\/ultahost.com\/domains\" target=\"_blank\" rel=\"noopener\">Register a domain name<\/a> with a public (white) IP address.<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Open the <b>80<\/b> port on the TrueConf Server instance where you will get the certificate.<\/li>\n<\/ul>\n<p class=\"primary-medium-text ui-mb-sm-1\">In this article we take the Debian 10 operating system as an example. Please note that we used a previously registered domain name in the TrueConf Server control panel when <a href=\"https:\/\/docs.trueconf.com\/server\/en\/admin\/server-part#registration\" target=\"_blank\" rel=\"noopener\">activating the registration key<\/a>.<\/p>\n<h2 id=\"certificate_generation\" class=\"h4--main h4--thick black-text ui-mb-xs-3 ui-mt-md-1\">Certificate generation<\/h2>\n<p class=\"primary-medium-text ui-mb-sm-1\">To get a free certificate from Let\u2019s Encrypt, you need to use Certbot. As a rule, this tool is available from official Linux repositories; however, one can also download it as an installation package (check the <a href=\"https:\/\/certbot.eff.org\/\" target=\"_blank\" rel=\"noopener\">official website<\/a>).<\/p>\n<div class=\"accent-note accent-note--line accent-note--special ui-mb-sm-1 ui-mt-xs-3\">\n<p class=\"primary-medium-text\">In order to run the following commands you should have <b>sudo<\/b> app, while the user&#8217;s name has to belong to the respective group. If you\u2019d like to check whether you have <b>sudo <\/b>installed, please execute <code>sudo -V<\/code> command. If you don\u2019t have <b>sudo<\/b> by default, you can install it by using <code>apt install sudo<\/code> command (it should be run under the <b>root<\/b> account). To add another user with <b>user<\/b> login to the <b>sudo<\/b> group, please run <code>usermod -a -G sudo user<\/code> command under the <b>root<\/b> account.<\/p>\n<\/div>\n<ul class=\"ui-list ui-list--medium\" style=\"margin-bottom: 18px;\">\n<li class=\"ui-list__item ui-list__item--num\">Install Certbot by running the command:\n<pre class=\"wrap:true lang:default decode:true\">sudo apt install -yq certbot<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Before executing this command make sure to stop the web server service or any other service,which uses the port <b>80<\/b>. Otherwise, the command will not be executed since Certbot is using its own web server to access the Let&#8217;s Encrypt registration address.<br \/>\nTo stop these services, run one of these commands:<\/p>\n<ul>\n<li class=\"ui-list__item ui-list__item--disc\">TrueConf Server:\n<pre class=\"lang:default decode:true\">sudo systemctl stop trueconf-web<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--disc\">TrueConf MCU:\n<pre class=\"lang:default decode:true \">sudo systemctl stop tcmcu-web<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Generate the Let\u2019s Encrypt certificate without itsinstallation by executing the command:\n<pre class=\"wrap:true lang:default decode:true\">sudo certbot certonly --standalone -d test.domain.ru<\/pre>\n<p>The command\u2019s description:<br \/>\n<b>&#8211;certonly<\/b> \u2014 gets or renews the certificate but does not install it.<br \/>\n<b>&#8211;standalone<\/b> \u2014 runs its own web server to pass the authentication when getting the certificate.<br \/>\n<b>-d<\/b> \u2014 indicates a domain or a list of domains separated by commas for which you need to get the certificates.<br \/>\n<b>test.domain.ru<\/b> \u2014 your server&#8217;s registered domain name.<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Next, answer the following registration questions:\n<ul>\n<li class=\"ui-list__item ui-list__item--disc\">Indicate the email address which will be used to send the certificate renewal notifications and other information.<\/li>\n<li class=\"ui-list__item ui-list__item--disc\">Confirm that you have read the Terms of Use (type <code>Y<\/code>).<\/li>\n<li class=\"ui-list__item ui-list__item--disc\">Deny or accept receiving email newsletter to be sent on the specified email address (enter <code>Y<\/code> or <code>N<\/code>).<\/li>\n<\/ul>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">If the certificate has been generated successfully you will see the certificate creation message. Certificate\u2019s files (<b>cert.pem<\/b> and <b>privkey.pem<\/b>) are saved in the catalogue <code>\/etc\/letsencrypt\/live\/test.domain.ru\/<\/code>.<\/li>\n<\/ul>\n<h2 id=\"certificate_installation\" class=\"h4--main h4--thick black-text ui-mb-xs-3 ui-mt-md-1\">Certificate installation<\/h2>\n<h3 id=\"tcs\" class=\"h5--main h5--thick black-text ui-mb-xs-3 ui-mt-md-1\">TrueConf Server<\/h3>\n<ul class=\"ui-list ui-list--medium\" style=\"margin-bottom: 18px;\">\n<li class=\"ui-list__item ui-list__item--num\">Stop the <b>trueconf-web<\/b> service if it is now running:\n<pre class=\"lang:default decode:true \">sudo systemctl stop trueconf-web<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Copy and rename:\n<ul>\n<li class=\"ui-list__item ui-list__item--disc\">the certificate file with its extension changed from<b> pem<\/b> to <b>crt<\/b>:\n<pre class=\"wrap:true lang:default decode:true\">sudo cp \/etc\/letsencrypt\/live\/test.domain.ru\/cert.pem \/opt\/trueconf\/server\/etc\/webmanager\/ssl\/custom.crt<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--disc\">the key file with its extension changed from<b> pem<\/b> to <b>key<\/b>:\n<pre class=\"wrap:true lang:default decode:true\">sudo cp \/etc\/letsencrypt\/live\/test.domain.ru\/privkey.pem \/opt\/trueconf\/server\/etc\/webmanager\/ssl\/custom.key<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Assign TrueConf Server service as the owner of all the files with the <b>custom.* <\/b>name in the catalog <code>\/opt\/trueconf\/server\/etc\/webmanager\/ssl\/<\/code>. To do it, execute this command:\n<pre class=\"wrap:true lang:default decode:true\">sudo chown trueconf:trueconf \/opt\/trueconf\/server\/etc\/webmanager\/ssl\/custom.*<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Run the web server service:\n<pre class=\"wrap:true lang:default decode:true\">sudo systemctl start trueconf-web<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Choose the <strong>Use custom certificate<\/strong> option from the <strong>HTTPS mode:<\/strong> drop-down list (<strong>Web \u2192 HTTPS \u2192 HTTPS configuration<\/strong>) in the TrueConf Server control panel. Change HTTPS port (if required) and click <strong>Test Configuration<\/strong>. At the top of the window you will see <span style=\"color: #38761d;\"><b>The configuration has been successfully tested<\/b>.<\/span><\/li>\n<li class=\"ui-list__item ui-list__item--num\">Click <strong>Apply<\/strong>. The server will restart automatically.<\/li>\n<\/ul>\n<h3 id=\"mcu\" class=\"h5--main h5--thick black-text ui-mb-xs-3 ui-mt-md-1\">TrueConf MCU<\/h3>\n<ul class=\"ui-list ui-list--medium\" style=\"margin-bottom: 18px;\">\n<li class=\"ui-list__item ui-list__item--num\">Stop the <b>tcmcu-web<\/b> service if it is now running.\n<pre class=\"lang:default decode:true \">sudo systemctl stop tcmcu-web<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Copy and rename:\n<ul class=\"ui-list ui-list--medium\" style=\"margin-bottom: 18px;\">\n<li class=\"ui-list__item ui-list__item--disc\">the certificate file\n<pre class=\"lang:default decode:true\">sudo cp \/etc\/letsencrypt\/live\/test.domain.ru\/cert.pem \/opt\/trueconf\/mcu\/etc\/ssl\/web\/web.pem<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--disc\">the key file with its extension changed from pem to key:\n<pre class=\"lang:default decode:true \">sudo cp \/etc\/letsencrypt\/live\/test.domain.ru\/privkey.pem \/opt\/trueconf\/mcu\/etc\/ssl\/web\/web.key<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Start the <b>tcmcu-web<\/b> service.<\/li>\n<\/ul>\n<h2 id=\"renewing_certificate\" class=\"h4--main h4--thick black-text ui-mb-xs-3 ui-mt-md-1\">Renewing your certificate<\/h2>\n<p class=\"primary-medium-text ui-mb-sm-1\">In order to renew and transfer the certificate files to the server directory, please run commands in the following order:<\/p>\n<ul class=\"ui-list ui-list--medium\" style=\"margin-bottom: 18px;\">\n<li class=\"ui-list__item ui-list__item--num\">Stop the web server service:\n<ul>\n<li class=\"ui-list__item ui-list__item--disc\">TrueConf Server:\n<pre class=\"wrap:true lang:default decode:true\">sudo systemctl stop truconf-web<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--disc\">TrueConf MCU:\n<pre class=\"lang:default decode:true\">sudo systemctl stop tcmcu-web<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Renew the certificate:\n<pre class=\"wrap:true lang:default decode:true\">sudo certbot certonly \u2013d test.domain.ru<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Choose <strong>Spin up a temporary webserver (standalone)<\/strong> (enter <code>1<\/code>).<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Choose <strong>Renew &amp; replace the cert (limit ~5 per 7 days)<\/strong> (enter <code>2<\/code>).<\/li>\n<li class=\"ui-list__item ui-list__item--num\"><a href=\"#Certificate_installation\">Install the certificate<\/a>.<\/li>\n<li class=\"ui-list__item ui-list__item--num\">Run the web server service:\n<ul class=\"ui-list ui-list--medium\" style=\"margin-bottom: 18px;\">\n<li class=\"ui-list__item ui-list__item--disc\">TrueConf Server:\n<pre class=\"lang:default decode:true \">sudo systemctl start truconf-web<\/pre>\n<\/li>\n<li class=\"ui-list__item ui-list__item--disc\">TrueConf MCU:\n<pre class=\"lang:default decode:true \">sudo systemctl start tcmcu-web<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><script type=\"application\/ld+json\">\n{\n  \"@context\": \"https:\/\/schema.org\",\n  \"@type\": \"HowTo\",\n  \"name\": \"How to create a Let\u2019s Encrypt certificate on Linux\",\n  \"description\": \"Step-by-step guide to generate and install a free Let\u2019s Encrypt TLS certificate for TrueConf Server or TrueConf MCU on Linux using Certbot.\",\n  \"url\": \"https:\/\/trueconf.com\/blog\/knowledge-base\/how-to-create-a-lets-encrypt-certificate-on-linux\",\n  \"inLanguage\": \"en\",\n  \"totalTime\": \"PT15M\",\n  \"estimatedCost\": {\n    \"@type\": \"MonetaryAmount\",\n    \"currency\": \"USD\",\n    \"value\": \"0\"\n  },\n  \"supply\": [\n    {\n      \"@type\": \"HowToSupply\",\n      \"name\": \"Installed TrueConf Server or TrueConf MCU\"\n    },\n    {\n      \"@type\": \"HowToSupply\",\n      \"name\": \"Registered domain name with a public IP address\"\n    },\n    {\n      \"@type\": \"HowToSupply\",\n      \"name\": \"Open TCP port 80 on the server\"\n    },\n    {\n      \"@type\": \"HowToSupply\",\n      \"name\": \"Let\u2019s Encrypt certificate files\"\n    }\n  ],\n  \"tool\": [\n    {\n      \"@type\": \"HowToTool\",\n      \"name\": \"Linux terminal\"\n    },\n    {\n      \"@type\": \"HowToTool\",\n      \"name\": \"sudo\"\n    },\n    {\n      \"@type\": \"HowToTool\",\n      \"name\": \"Certbot\"\n    },\n    {\n      \"@type\": \"HowToTool\",\n      \"name\": \"TrueConf Server or TrueConf MCU control panel\"\n    }\n  ],\n  \"step\": [\n    {\n      \"@type\": \"HowToStep\",\n      \"position\": 1,\n      \"name\": \"Prepare the server\",\n      \"text\": \"Install TrueConf Server or TrueConf MCU, register a domain name with a public IP address, and make sure port 80 is open on the server.\"\n    },\n    {\n      \"@type\": \"HowToStep\",\n      \"position\": 2,\n      \"name\": \"Make sure sudo is available\",\n      \"text\": \"Verify that sudo is installed and that your user belongs to the sudo group before running the commands.\"\n    },\n    {\n      \"@type\": \"HowToStep\",\n      \"position\": 3,\n      \"name\": \"Install Certbot\",\n      \"text\": \"Install Certbot from the Linux repository.\",\n      \"itemListElement\": [\n        {\n          \"@type\": \"HowToDirection\",\n          \"text\": \"sudo apt install -yq certbot\"\n        }\n      ]\n    },\n    {\n      \"@type\": \"HowToStep\",\n      \"position\": 4,\n      \"name\": \"Stop the web service that uses port 80\",\n      \"text\": \"Before requesting the certificate, stop the TrueConf web service so Certbot can use its standalone web server on port 80.\",\n      \"itemListElement\": [\n        {\n          \"@type\": \"HowToDirection\",\n          \"text\": \"For TrueConf Server: sudo systemctl stop trueconf-web\"\n        },\n        {\n          \"@type\": \"HowToDirection\",\n          \"text\": \"For TrueConf MCU: sudo systemctl stop tcmcu-web\"\n        }\n      ]\n    },\n    {\n      \"@type\": \"HowToStep\",\n      \"position\": 5,\n      \"name\": \"Generate the Let\u2019s Encrypt certificate\",\n      \"text\": \"Run Certbot in standalone mode to create the certificate for your domain without automatic installation.\",\n      \"itemListElement\": [\n        {\n          \"@type\": \"HowToDirection\",\n          \"text\": \"sudo certbot certonly --standalone -d test.domain.ru\"\n        }\n      ]\n    },\n    {\n      \"@type\": \"HowToStep\",\n      \"position\": 6,\n      \"name\": \"Complete the Certbot prompts\",\n      \"text\": \"Enter the email address for renewal notifications, accept the terms of service, and choose whether to receive the email newsletter.\"\n    },\n    {\n      \"@type\": \"HowToStep\",\n      \"position\": 7,\n      \"name\": \"Locate the generated files\",\n      \"text\": \"After successful issuance, find cert.pem and privkey.pem in the directory \/etc\/letsencrypt\/live\/test.domain.ru\/.\"\n    },\n    {\n      \"@type\": \"HowToStep\",\n      \"position\": 8,\n      \"name\": \"Install the certificate on TrueConf Server\",\n      \"text\": \"If you use TrueConf Server, stop the web service, copy the certificate and key to the SSL directory, assign ownership, and start the service again.\",\n      \"itemListElement\": [\n        {\n          \"@type\": \"HowToDirection\",\n          \"text\": \"sudo systemctl stop trueconf-web\"\n        },\n        {\n          \"@type\": \"HowToDirection\",\n          \"text\": \"sudo cp \/etc\/letsencrypt\/live\/test.domain.ru\/cert.pem \/opt\/trueconf\/server\/etc\/webmanager\/ssl\/custom.crt\"\n        },\n        {\n          \"@type\": \"HowToDirection\",\n          \"text\": \"sudo cp \/etc\/letsencrypt\/live\/test.domain.ru\/privkey.pem \/opt\/trueconf\/server\/etc\/webmanager\/ssl\/custom.key\"\n        },\n        {\n          \"@type\": \"HowToDirection\",\n          \"text\": \"sudo chown trueconf:trueconf \/opt\/trueconf\/server\/etc\/webmanager\/ssl\/custom.*\"\n        },\n        {\n          \"@type\": \"HowToDirection\",\n          \"text\": \"sudo systemctl start trueconf-web\"\n        }\n      ]\n    },\n    {\n      \"@type\": \"HowToStep\",\n      \"position\": 9,\n      \"name\": \"Enable the custom certificate in TrueConf Server\",\n      \"text\": \"In the control panel, open Web \u2192 HTTPS \u2192 HTTPS configuration, select Use custom certificate, optionally change the HTTPS port, test the configuration, and apply the settings.\"\n    },\n    {\n      \"@type\": \"HowToStep\",\n      \"position\": 10,\n      \"name\": \"Install the certificate on TrueConf MCU\",\n      \"text\": \"If you use TrueConf MCU, stop the web service, copy the certificate and key to the MCU SSL directory, and start the service again.\",\n      \"itemListElement\": [\n        {\n          \"@type\": \"HowToDirection\",\n          \"text\": \"sudo systemctl stop tcmcu-web\"\n        },\n        {\n          \"@type\": \"HowToDirection\",\n          \"text\": \"sudo cp \/etc\/letsencrypt\/live\/test.domain.ru\/cert.pem \/opt\/trueconf\/mcu\/etc\/ssl\/web\/web.pem\"\n        },\n        {\n          \"@type\": \"HowToDirection\",\n          \"text\": \"sudo cp \/etc\/letsencrypt\/live\/test.domain.ru\/privkey.pem \/opt\/trueconf\/mcu\/etc\/ssl\/web\/web.key\"\n        },\n        {\n          \"@type\": \"HowToDirection\",\n          \"text\": \"sudo systemctl start tcmcu-web\"\n        }\n      ]\n    },\n    {\n      \"@type\": \"HowToStep\",\n      \"position\": 11,\n      \"name\": \"Renew the certificate later\",\n      \"text\": \"When the certificate expires, stop the web service, renew the certificate with Certbot, then repeat the installation steps and restart the service.\"\n    }\n  ]\n}\n<\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>To make the most of all TrueConf Server or TrueConf MCU, you need a TLS certificate. For example, the certificate makes it possible to: Synchronize TrueConf Server with LDAP Join the webinars hosted on TrueConf Server from a browser. Previously we explained how to generate a free Let\u2019s Encrypt certificate on Windows. This article will [&hellip;]<\/p>\n","protected":false},"author":55,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[260],"tags":[186],"class_list":["post-17171","post","type-post","status-publish","format-standard","hentry","category-knowledge-base","tag-administration","wpautop"],"_links":{"self":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/17171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/comments?post=17171"}],"version-history":[{"count":21,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/17171\/revisions"}],"predecessor-version":[{"id":43781,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/17171\/revisions\/43781"}],"wp:attachment":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/media?parent=17171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/categories?post=17171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/tags?post=17171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}