Certbot
certbot(1) is a utility that interfaces with the Let's Encrypt certificate authority. certbot(1) obtains an SSL/TLS certificate, proves control of the domain through an ACME challenge, and automates the renewal of certificates before they expire.
Installation
Most Linux and BSD distributions offer a certbot package.
Because certbot(1) is a Python utility, some distributions package a severely out-of-date version of it.
One option to get around this is to use a Docker container. An official image is available at docker.io/certbot/certbot.
sudo docker run --interactive --tty --rm --name my-certbot \
    --mount type=bind,source=/etc/letsencrypt,target=/etc/letsencrypt \
    --mount type=bind,source=/var/lib/letsencrypt,target=/var/lib/letsencrypt \
    certbot/certbot certonly
Another option is to use a virtual environment.
python3 -m venv certbot
certbot/bin/pip install --upgrade pip
certbot/bin/pip install certbot
./certbot/bin/certbot certonly
Or, with pipx(1), which creates and manages the virtual environment for you:
pipx install certbot
See also the virtual environment tool pipx(1).
Usage
Standalone Server
To use the temporary, internal certbot(1) web server for the ACME challenge, try:
certbot certonly --standalone --http-01-port=8888 --email admin@example.com --agree-tos --noninteractive -d example.com -d www.example.com
Any number of domains can be listed. (Newer versions support comma-delimited lists.) Note that --http-01-port only changes the port the internal server listens on; the certificate authority always connects to port 80, so something in front of certbot(1) must forward /.well-known/acme-challenge/ to that port.
Webroot
To use an already-running, external web server for the ACME challenge, try:
certbot certonly --webroot --webroot-path /var/www --email admin@example.com --agree-tos --noninteractive -d example.com -d www.example.com
As above, any number of domains can be listed. Each domain uses the --webroot-path most recently given before it on the command line as its webroot.
NGINX and Apache
certbot(1) has plugins that simplify the workflow for beginners. To use an already-running NGINX web server, try:
certbot certonly --nginx
To use an already-running Apache web server, try:
certbot certonly --apache
To have the certificates automatically 'installed', drop the certonly subcommand from the command. (certbot(1) will then generate the appropriate TLS configuration and write it into the web server configuration.)
Test Renewal
For any number of reasons, you may want to force a certificate renewal. To run the process without overwriting the current certificates, try:
certbot renew --dry-run
To force overwriting the current certificates, try:
certbot renew --force-renewal
Automated Renewal
Many distributions bundle a cron job or a systemd timer with certbot(1). To check if these are already enabled, check:
- /etc/crontab
- /etc/cron.*/*
- systemctl list-timers
If your distribution does not manage this process for you, certbot(1) can easily be automated through a cron job.
0 0,12 * * * certbot renew --quiet
This will run twice daily, at midnight and noon. certbot renew only replaces certificates that are within their renewal window, so running it this often is safe.
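As an added example (not from this page's author or the certbot project), the cron job above can call a small wrapper instead of certbot directly, so that a successful renewal reloads the web server and a certificate that is still close to expiry afterwards is reported rather than silently missed. It assumes GNU date(1), openssl(1), an NGINX service managed by systemd, certificates under /etc/letsencrypt/live/<domain>/, and the placeholder domain example.com.

```shell
#!/bin/sh
# Renewal wrapper for the cron job above. Added example, not part of
# certbot. Assumes GNU date(1), openssl(1), systemd-managed NGINX and the
# placeholder domain example.com (override with DOMAIN=...).
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
DOMAIN="${DOMAIN:-example.com}"
WARN_DAYS=14   # certbot renews at 30 days left; less than this means renewal is failing

# Print the number of whole days until the certificate in $1 expires.
# Returns 1 when the file is missing or unreadable.
days_until_expiry() {
    cert="$1"
    [ -r "$cert" ] || return 1
    not_after=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//')
    expiry_epoch=$(date -d "$not_after" +%s)
    now_epoch=$(date +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Succeed (exit 0) when the certificate in $1 has fewer than $2 days left.
# An unreadable certificate is treated as expiring, which is the safe default.
expires_soon() {
    days=$(days_until_expiry "$1") || return 0
    [ "$days" -lt "$2" ]
}

main() {
    cert="$LIVE_DIR/$DOMAIN/fullchain.pem"
    # --deploy-hook runs only for certificates that were actually renewed,
    # so NGINX is reloaded exactly when a new certificate is in place.
    certbot renew --quiet --deploy-hook "systemctl reload nginx"
    # Verify the outcome so a broken renewal surfaces in cron mail / logs.
    if expires_soon "$cert" "$WARN_DAYS"; then
        echo "WARNING: $cert expires in $(days_until_expiry "$cert") days" >&2
        exit 2
    fi
}

# Run only when invoked as "renew-check.sh run", e.g. from the cron job:
#   0 0,12 * * * /usr/local/sbin/renew-check.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```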
Configuration
Hooks