Certbot: SSL Certificate Automation
Install and configure Certbot for automatic certificate management.
Certbot is the official Let's Encrypt client, developed by the EFF (Electronic Frontier Foundation). It automates obtaining, installing, and renewing free SSL certificates. With Certbot properly configured, you never have to manage certificates by hand again.
Certbot offers plugins for the most common web servers (Apache, Nginx) that automatically configure HTTPS. It can also run in standalone or webroot mode for custom configurations.
This guide covers Certbot installation, configuration for different web servers, and advanced options like hooks and wildcards. You'll have all the tools to fully automate your SSL certificates.
Certbot Features
What Certbot can do for you:
- Automatic obtaining: requests and obtains Let's Encrypt certificates in a few commands, with automatic domain validation.
- Server configuration: Apache and Nginx plugins automatically modify configuration to enable HTTPS.
- Automatic renewal: a systemd timer checks daily and renews certificates close to expiration.
- Custom hooks: run scripts before, during, or after renewal for custom actions.
Certbot Installation
Installation by system:
- Ubuntu/Debian: apt install certbot python3-certbot-nginx (or python3-certbot-apache), depending on your web server.
- CentOS/RHEL: dnf install certbot python3-certbot-nginx, with the EPEL repository enabled.
- Docker: use the official certbot/certbot image for containerized environments.
- Snap (universal): snap install --classic certbot works on most Linux distributions.
First Configuration
Get your first certificate:
- Nginx/Apache mode: certbot --nginx or certbot --apache for complete automatic configuration.
- Webroot mode: certbot certonly --webroot -w /var/www/html -d example.com if you prefer manual configuration.
- Standalone mode: certbot certonly --standalone -d example.com when no web server is running.
- Verification: certbot certificates lists all your certificates with their expiration dates.
Essential Certbot Commands
The most used commands:
#!/bin/bash
# Installation (Ubuntu/Debian with Nginx)
apt update
apt install certbot python3-certbot-nginx
# Get certificate with Nginx auto-config
certbot --nginx -d example.com -d www.example.com
# Get certificate without modifying config
certbot certonly --nginx -d example.com
# Webroot mode (server already configured)
certbot certonly --webroot -w /var/www/html -d example.com
# Wildcard certificate (requires DNS)
certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com
# List certificates
certbot certificates
# Simulate renewal
certbot renew --dry-run
# Revoke certificate
certbot revoke --cert-name example.com
# Delete certificate
certbot delete --cert-name example.com
# Renewal hook (reload Nginx)
certbot renew --deploy-hook "systemctl reload nginx"
The --nginx mode is the simplest for most cases. Use --webroot if you want to keep control of the server configuration yourself.
Certbot Best Practices
Configure Certbot for optimal operation:
- Use hooks: configure a deploy-hook so the web server is reloaded automatically after each renewal.
- Test regularly: run certbot renew --dry-run after any configuration change to validate it.
- Backup /etc/letsencrypt: this directory contains your private keys and configurations. Include it in your backups.
- Monitor logs: periodically check /var/log/letsencrypt/letsencrypt.log to detect problems.
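As an added example (not code from the original page or from the Certbot project), the following POSIX shell script implements the practices above: a deploy-hook guard that refuses to reload the web server when its configuration test fails, an error counter for a letsencrypt.log-style file, and an expiry check that alerts when fewer days remain than Certbot's default renewal window. The log line format, the file paths and the sample log lines are constructed for illustration; the notafter_to_epoch helper assumes GNU date, and the RENEWED_LINEAGE / RENEWED_DOMAINS variables are the ones Certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example, not part of the original page: a small renewal health-check
# toolkit. Paths, the log format and the sample data are assumptions
# constructed for illustration.

# 1. Deploy-hook guard: reload the web server only if its config test passes.
#    Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks; both
#    are optional here so the function can be exercised on its own.
#    Real usage from a hook script:
#      reload_if_valid "nginx -t" "systemctl reload nginx"
#    installed with: certbot renew --deploy-hook /usr/local/sbin/reload-if-valid.sh
reload_if_valid() {
  test_cmd=$1
  reload_cmd=$2
  if sh -c "$test_cmd" >/dev/null 2>&1; then
    sh -c "$reload_cmd"
    echo "reloaded after renewal of ${RENEWED_DOMAINS:-<unknown domains>}"
    return 0
  fi
  echo "config test failed; NOT reloading (lineage: ${RENEWED_LINEAGE:-unknown})" >&2
  return 1
}

# 2. Log monitoring: count ERROR entries in a letsencrypt.log-style file.
#    Assumed line format: "<timestamp>:<LEVEL>:<module>:<message>".
#    grep -c exits 1 when the count is 0, hence the "|| true".
count_log_errors() {
  grep -c ':ERROR:' "$1" || true
}

# 3. Expiry check: whole days left, given notAfter and "now" as epoch seconds.
#    Integer division is deliberately conservative (9.9 days reports as 9).
days_until_expiry() {
  echo $(( ($1 - $2) / 86400 ))
}

# Convert the "notAfter=Mar 15 12:00:00 2025 GMT" line printed by
# `openssl x509 -enddate -noout -in cert.pem` to epoch seconds (GNU date).
notafter_to_epoch() {
  date -u -d "${1#notAfter=}" +%s
}

# By default Certbot renews certificates with fewer than 30 days left, so a
# certificate below this threshold means the automatic renewal has been failing.
ALERT_DAYS=25
check_expiry() {  # check_expiry <expiry_epoch> <now_epoch>; returns 1 on alert
  left=$(days_until_expiry "$1" "$2")
  if [ "$left" -lt "$ALERT_DAYS" ]; then
    echo "ALERT: certificate expires in $left days; renewal is probably failing" >&2
    return 1
  fi
  echo "ok: $left days left"
  return 0
}

# Demo on constructed data (no network and no real certbot needed):
#   sh renewal-check.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
2025-03-05 03:12:01,001:INFO:certbot._internal.renewal:Cert not yet due for renewal
2025-03-05 03:12:01,002:ERROR:certbot._internal.renewal:Failed to renew certificate example.com
EOF
  echo "errors in log: $(count_log_errors "$tmp")"
  rm -f "$tmp"
  reload_if_valid "true" "echo reload" || true
  # "now" is 10 days before the constructed expiry date, so this should alert.
  check_expiry "$(notafter_to_epoch 'notAfter=Mar 15 12:00:00 2025 GMT')" 1741176000 || true
fi
```

The deploy-hook guard is the piece that matters most operationally: a hook that reloads unconditionally can take the site down on a broken configuration at the very moment the new certificate lands, while one that refuses to reload leaves the old (still valid) certificate in service and a non-zero exit code in the Certbot log for the monitoring step to pick up.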
Certbot Checklist
- Certbot installed and updated
- Certificate obtained for all domains
- systemd timer active
- Deploy-hook configured
- --dry-run succeeds
- External monitoring active
Frequently Asked Questions
Certbot vs acme.sh, which to choose?
Certbot is more accessible for beginners with its plugins. acme.sh is a pure shell script, lighter and without Python dependencies.
How do I use Certbot with a CDN/proxy?
Use DNS-01 challenge instead of HTTP-01. The DNS challenge works even if HTTP traffic goes through a CDN.
Can I use Certbot on Windows?
Officially, Certbot is for Linux/macOS. On Windows, use win-acme or Certify the Web.
How do I get a certificate for multiple domains?
Pass several -d flags: certbot --nginx -d example.com -d www.example.com -d blog.example.com.
Automatic renewal doesn't work, why?
Check that the timer is active with systemctl status certbot.timer, and consult the logs for errors.
How do I migrate certificates to a new server?
Copy the whole /etc/letsencrypt directory to the new server; the certificates and keys will work there.
Automate with Certbot
Certbot greatly simplifies SSL certificate management. Once configured, it handles everything automatically: obtaining, installing, and renewing.
Combine Certbot with MoniTao monitoring for total peace of mind. You'll be alerted if renewal issues occur before the certificate expires.