Let's Encrypt has been a wildly successful campaign to move the world onto HTTPS... for free.
There are a number of options for installing certbot, the Let's Encrypt client. For Ubuntu there are three: a snap, a docker container and a python library. I've used each of these over time, but found that for my workflow (where I use the manual plugin to create wildcard certs on my workstation) the python library works best.
This process was tested on Ubuntu 18.04 LTS Desktop with Python 3.9.
Here's how to set it up:
$ sudo mkdir /opt/certbot
$ sudo su -
# python3.9 -m venv /opt/certbot
Note I su'd to root to avoid repermissioning my nonprivileged user's python cache.
Now to install certbot:
# cd /opt/certbot
# source bin/activate
(certbot)# pip install certbot
Since there is no certbot plugin for my DNS provider, I didn't install one.
Finally, kick off the cert process (in my case using the manual plugin):
(certbot)# certbot certonly \
--manual \
--preferred-challenges dns \
--email [email protected] \
--agree-tos \
-d '*.example.com' \
-d 'example.com'
From that point forward, follow the prompts (using the manual plugin with DNS challenges, you'll be required to create a TXT record on your domain and set the two values for it as directed -- set the TTL for it to 60 seconds or less if you can).
The certs (and private key) will be written to /etc/letsencrypt/live/example.com, where example.com is the name of your domain; the files there are symlinks to the latest files in the ../../archive directory. There will be both a chain.pem and a fullchain.pem, the former being only one of the intermediate certs and the latter all intermediate certs.
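To check the result of the step above, the following added example (not from the original post or from certbot) audits a live/ directory: every entry must be a symlink into ../../archive, privkey.pem must not be accessible to group or other users, and fullchain.pem must hold the certificate from cert.pem plus everything in chain.pem. The function names are hypothetical, and `stat -c` assumes GNU coreutils as shipped on Ubuntu.

```sh
#!/bin/sh
# Added example: audit one certbot "live" directory after issuance.
# Run as root: sh audit.sh /etc/letsencrypt/live/example.com
# (audit.sh is a hypothetical file name for this script.)

# Print the number of PEM certificate blocks in a file (0 if none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print one line per problem; exit status is 0 only if the directory is clean.
# The body runs in a subshell so its variables do not leak to the caller.
audit_live_dir() (
    dir=$1
    rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -L "$dir/$f" ]; then
            echo "FAIL: $f is missing or is not a symlink"; rc=1
        elif [ ! -f "$dir/$f" ]; then
            echo "FAIL: $f is a dangling symlink"; rc=1
        else
            case $(readlink "$dir/$f") in
                ../../archive/*) ;;
                *) echo "FAIL: $f does not point into ../../archive"; rc=1 ;;
            esac
        fi
    done
    [ "$rc" -eq 0 ] || exit "$rc"

    # The private key should carry no group or other permission bits.
    mode=$(stat -L -c '%a' "$dir/privkey.pem")   # GNU stat, follows the symlink
    case $mode in
        *00) ;;
        *) echo "FAIL: privkey.pem mode $mode is accessible beyond its owner"; rc=1 ;;
    esac

    # cert.pem holds one certificate; fullchain.pem holds it plus chain.pem.
    leaf=$(count_certs "$dir/cert.pem")
    chain=$(count_certs "$dir/chain.pem")
    full=$(count_certs "$dir/fullchain.pem")
    if [ "$leaf" -ne 1 ] || [ "$full" -ne $((leaf + chain)) ]; then
        echo "FAIL: certificate counts cert=$leaf chain=$chain fullchain=$full"; rc=1
    fi
    exit "$rc"
)

# Audit the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then audit_live_dir "$1"; fi
```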
References:
Electronic Frontier Foundation. "certbot instructions: None of the above on pip, wildcard". Retrieved 1 August 2021, https://certbot.eff.org/lets-encrypt/pip-other.