How To Install Certbot on Debian 11 for Let’s Encrypt SSL

NetShop ISP
3 min readJul 8, 2023


Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG). Certbot, developed as well by ISRG, is a free, open source tool for generating and install Let’s Encrypt SSL Certificates.

If you have a cPanel hosting account with NetShop ISP, then you can install Let’s Encrypt in a single click. Customers using Linux servers without any control panel, will need to install Certbot in order to get a free SSL installed on their server.

In this article we will demonstrate how to install Certbot on Debian 11 Linux server for generating a Standard or Wildcard LetsEncrypt SSL Certificate.

Before going to the commands to install Certbot, take a look on the pre-requisites before you start.


  • Debian 11 installed on Server (can be virtual or dedicated — doesn’t matter)
  • SSH with sudo or root access
  • Comfort with linux commands
  • Port 80 and 443 allowed on firewall/iptables

Step-by-step instructions to install Certbot on Debian 11

Step 1. Install snapd

doe@localhost:~$ sudo apt update
doe@localhost:~$ sudo apt install snapd

Once snapd is installed, exit the ssh terminal and re-login to ensure snap’s paths are updated properly.

Step 2. Update snapd

Once you are back on the terminal, install the core snap to ensure the latest version of snapd is installed. Execute the following command:

doe@localhost:~$ sudo snap install core

Step 3. Remove previous Certbot packages

Before installing Certbot snap, you need to ensure any previous installations of Certbot packages are completely removed from the server. You can do so by executing this command:

doe@localhost:~$ sudo apt-get remove certbot

Step 4. Install Certbot

The following command will install Certbot on your Debian server:

doe@localhost:~$ sudo snap install --classic certbot

Once certbot is installed, execute the following command to ensure the ‘certbot’ command can be run:

doe@localhost:~$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 5. Generate Wildcard SSL Certificate with Let’s Encrypt

Using the Certbot we just installed, we are going to create our first wildcard certificate. For the sake of this example we will use the domain *

doe@localhost:~$ sudo certbot certonly --manula --preferred-challenges=dns --email --server --agree-tos -d *

Note: Since we are generated a wildcard ssl certificate make sure you add the domain with *. in the beginning.

DO NOT hit Enter when prompted, until you complete the Step 6 as described below.

Step 6. Verify Domain Ownership via DNS

After executing the command in Step 5, Certbot will generate a TXT record which you will need to add to your DNS. This is to verify you are in control/ownership of the Domain.

Step 7. Retrieve your new Let’s Encrypt Certificate

Once you have confirmed the new TXT record has propagated, go back to the SSH console and hit Enter. Certbot will generate the SSL certificate and the required Key.

The Certificate and Key files (.pem) will be stored under /etc/letsencrypt/live/<your_domain>/.

Congratulations! You have successfully generated a Wildcard LetsEncrypt SSL through Certbot.