Certbot

certbot(1) is an ACME client for the Let's Encrypt certificate authority. It proves control of each domain by completing an ACME challenge, obtains a TLS certificate from the CA, and automates the renewal of certificates that are about to expire.


Installation

Most Linux and BSD distributions offer a certbot package.

Some distributions package a severely out-of-date version of certbot(1), which matters for a tool that talks to a CA whose API and rate-limit rules change.

One option to get around this is to use a Docker container. An official image is available at docker.io/certbot/certbot. The two bind mounts keep the account key, certificates and renewal configuration on the host, so they survive the container. With the standalone authenticator the container must also publish port 80 (--publish 80:80) for the ACME server to reach it.

sudo docker run --interactive --tty --rm --name my-certbot \
  --mount type=bind,source=/etc/letsencrypt,target=/etc/letsencrypt \
  --mount type=bind,source=/var/lib/letsencrypt,target=/var/lib/letsencrypt \
  certbot/certbot certonly

Another option is a virtual environment, which installs the current release from PyPI.

python3 -m venv certbot
certbot/bin/pip install --upgrade pip
certbot/bin/pip install certbot
./certbot/bin/certbot certonly

The virtual environment tool pipx(1) does the same in one step:

pipx install certbot


Usage

Standalone Server

To use the temporary, internal certbot(1) web server for the ACME challenge, try:

certbot certonly --standalone --http-01-port=8888 --email admin@example.com --agree-tos --noninteractive -d example.com -d www.example.com

Any number of domains can be listed. (Newer versions support comma delimited lists.) Note that --http-01-port only changes the port the internal web server listens on; a conforming ACME server always connects to port 80, so something on the host (a reverse proxy or a NAT rule) must forward port 80 to 8888. Without the option certbot(1) binds port 80 itself, which must then be free.

Webroot

To use an already-running, external web server for the ACME challenge, try:

certbot certonly --webroot --webroot-path /var/www --email admin@example.com --agree-tos --noninteractive -d example.com -d www.example.com

As above, any number of domains can be listed. A --webroot-path applies to every domain listed after it, so repeating the option lets domains served from different document roots share one certificate. The web server must serve files placed under <webroot>/.well-known/acme-challenge/ over plain HTTP on port 80; a blanket redirect to HTTPS or a rule hiding dot-directories will break the challenge.
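The http-01 exchange behind both the standalone and the webroot authenticator, as an added example that is not certbot's code: certbot writes the key authorization (token, a dot, and the RFC 7638 thumbprint of the account key) under the webroot, and the CA fetches it over plain HTTP and compares. The account JWK here is constructed (its x/y values are not a real P-256 point; only the JWK's public members feed the thumbprint), and Python's http.server on a loopback port stands in for the site's web server. Everything else is standard library.

```python
"""Round trip of an ACME http-01 challenge against a webroot.

Added example for this page, not code from certbot. Standard library only.
ACCOUNT_JWK is constructed: its x/y values are not a real point on P-256.
The RFC 7638 thumbprint depends only on the JWK's public members, so any
well-formed public JWK serves for illustration.
"""
import base64
import hashlib
import json
import os
import secrets
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

# Path the ACME server fetches, relative to the webroot (RFC 8555 section 8.3).
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")

# Constructed account key: x and y are placeholders, not a valid P-256 point.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "cG9pbnQteA", "y": "cG9pbnQteQ"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555 section 6.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required public members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Content of the challenge file: token '.' account thumbprint (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """What certbot --webroot does: write the key authorization under the webroot."""
    challenge_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def validate_challenge(base_url: str, token: str, jwk: dict) -> bool:
    """What the ACME server does: fetch the token over plain HTTP and compare the body."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            body = resp.read().decode("ascii").strip()
    except (OSError, UnicodeDecodeError):  # HTTPError/URLError are OSError subclasses
        return False
    return body == key_authorization(token, jwk)


class _QuietHandler(SimpleHTTPRequestHandler):
    """Stand-in for the site's web server; silences per-request logging."""

    def log_message(self, *args):
        pass


def serve_webroot(webroot: str):
    """Serve `webroot` on a free loopback port; returns (server, base URL)."""
    server = HTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo() -> dict:
    """Run the round trip in a temporary webroot; returns each validation outcome."""
    token = b64url(secrets.token_bytes(32))
    other_account = dict(ACCOUNT_JWK, x="b3RoZXIteA")  # a different (constructed) account key
    with tempfile.TemporaryDirectory() as webroot:
        server, base = serve_webroot(webroot)
        try:
            place_challenge(webroot, token, ACCOUNT_JWK)
            outcome = {
                "valid": validate_challenge(base, token, ACCOUNT_JWK),
                # same file on disk, but the CA checks it against another account's key
                "wrong_account": validate_challenge(base, token, other_account),
                # a token that was never placed: the web server answers 404
                "missing_token": validate_challenge(base, b64url(secrets.token_bytes(32)), ACCOUNT_JWK),
            }
        finally:
            server.shutdown()
            server.server_close()
    return outcome


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the three outcomes. The local stand-in serves dot-directories and never redirects, so a passing run here says nothing about a production NGINX or Apache that hides .well-known or redirects every HTTP request to HTTPS; point validate_challenge at the real host name on port 80 to test that path.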

NGINX and Apache

certbot(1) has plugins that read the web server's configuration to find the virtual host for each domain and complete the challenge through the already-running server. To use an already-running NGINX web server, try:

certbot certonly --nginx

To use an already-running Apache web server, try:

certbot certonly --apache

To have the certificates automatically 'installed', drop certonly from the command. (certbot(1) will then write the appropriate TLS directives into the web server configuration and reload the server.)

Test Renewal

For any number of reasons, you may want to rehearse or force a certificate renewal. To run the process without touching the current certificates, try:

certbot renew --dry-run

This runs against the Let's Encrypt staging environment and discards the result, so it exercises the challenge, the plugin and any pre/post hooks (deploy hooks are not run) without consuming production rate limits. To force overwriting the current certificates, try:

certbot renew --force-renewal

This issues a real certificate even when the current one is not yet due, and every forced run counts toward the CA's duplicate-certificate rate limit, so it does not belong in a scheduled job.

Automated Renewal

Many distributions bundle a cron job or a systemd timer with certbot(1). To check whether one is already active, look for a timer (systemctl list-timers) or a cron entry (ls /etc/cron.d/).

If your distribution does not manage this process for you, certbot(1) can be easily automated through a cron job.

0 0,12 * * * certbot renew --quiet

This will run twice daily, at midnight and noon. That is cheap: certbot renew only acts on certificates within 30 days of expiry and does nothing otherwise. The certbot documentation recommends prefixing the command with a random delay of up to an hour so that every host does not hit the CA in the same minute.
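A renewal only matters once the server that uses the certificate has reloaded it, which is what a deploy hook is for. The following is an added example of such a hook, not certbot's own code: certbot runs a deploy hook once per lineage that was actually renewed, with RENEWED_LINEAGE set to the lineage's live/ directory and RENEWED_DOMAINS to its space-separated names. The hook refuses to reload when the lineage is incomplete or the private key is group/world accessible. RELOAD_CMD is an assumption for this page; set it to whatever serves the certificate.

```python
"""Deploy hook for `certbot renew --deploy-hook`.

Added example for this page, not certbot's own code. certbot sets
RENEWED_LINEAGE (the lineage's live/ directory) and RENEWED_DOMAINS
(space-separated names) before running the hook. RELOAD_CMD is assumed.
"""
import os
import stat
import subprocess
import sys
import tempfile

RELOAD_CMD = ("systemctl", "reload", "nginx")  # assumed for this page


def check_lineage(lineage: str) -> list:
    """Return the problems found with a renewed lineage (an empty list means it is usable)."""
    problems = []
    for name in ("privkey.pem", "fullchain.pem"):
        if not os.path.isfile(os.path.join(lineage, name)):
            problems.append(f"missing {name} in {lineage}")
    key = os.path.join(lineage, "privkey.pem")
    if os.path.isfile(key):
        # live/ holds symlinks into archive/; os.stat follows them to the real file.
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{key} is group/world accessible (mode {mode:04o})")
        with open(key, "rb") as fh:
            if b"PRIVATE KEY-----" not in fh.read(64):
                problems.append(f"{key} does not look like a PEM private key")
    return problems


def deploy(env: dict, reload_cmd=RELOAD_CMD) -> dict:
    """Refuse to reload on a bad lineage; otherwise reload and report what was renewed."""
    lineage = env.get("RENEWED_LINEAGE", "")
    domains = env.get("RENEWED_DOMAINS", "").split()
    problems = check_lineage(lineage) if lineage else ["RENEWED_LINEAGE is not set"]
    if problems:
        return {"reloaded": False, "domains": domains, "problems": problems}
    subprocess.run(reload_cmd, check=True)
    return {"reloaded": True, "domains": domains, "problems": []}


def demo() -> dict:
    """Exercise the hook against a constructed lineage in a temporary directory."""
    noop = (sys.executable, "-c", "pass")  # stands in for the real reload command
    env = {"RENEWED_DOMAINS": "example.com www.example.com"}
    results = {}
    with tempfile.TemporaryDirectory() as lineage:
        env["RENEWED_LINEAGE"] = lineage
        results["empty_lineage"] = deploy(env, noop)["reloaded"]
        key = os.path.join(lineage, "privkey.pem")
        with open(key, "w") as fh:  # constructed placeholder, not a real key
            fh.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n-----END PRIVATE KEY-----\n")
        with open(os.path.join(lineage, "fullchain.pem"), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
        os.chmod(key, 0o644)
        results["readable_key"] = deploy(env, noop)["reloaded"]
        os.chmod(key, 0o600)
        results["good"] = deploy(env, noop)["reloaded"]
    return results


if __name__ == "__main__":
    result = deploy(os.environ)
    for problem in result["problems"]:
        print("deploy-hook:", problem, file=sys.stderr)
    sys.exit(0 if result["reloaded"] else 1)
```

Install it as an executable file in /etc/letsencrypt/renewal-hooks/deploy/ or pass it with certbot renew --deploy-hook. A non-zero exit is reported by certbot, so the cron job above will surface a bad lineage instead of silently serving the old certificate until it expires.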


Configuration

Hooks


See also

certbot(1)


CategoryRicottone

Encryption/Certbot (last edited 2023-04-06 23:07:25 by DominicRicottone)