Certbot

https://certbot.eff.org/instructions?ws=other&os=snap&tab=standard

On ubuntu, certbot is now typically installed with snap.

sudo snap install --classic certbot

--classic tells snap that this package can access the system as root and is not sandboxed. This is required if the package needs to bind to privilidged ports 80/443 (for example in standalone mode)

Certbot can then be used to get a certificate proving the domain points to the ip of the machine the command is being run on. Wildcards have to use dns challenge. 

sudo certbot certonly --standalone -d example.com -d www.example.com

You can then see the certificate listed using (and when it will be renewed based on the expiry):

certbot certificates

Certbot runs a systemd timer to run cert renewals. The timer can be seen here:

systemctl status snap.certbot.renew.timer

You can see the logs for the renwal timer and renewals here:

journalctl -u snap.certbot.renew.service

Inspect a certificate:

openssl x509 -text -noout -in fullchain.pem