= Certbot =

'''`certbot(1)`''' is a utility that interfaces with the [[Encryption/LetsEncrypt|Let's Encrypt]] certificate authority. `certbot(1)` generates an [[Encryption/SSL|SSL]]/[[Encryption/TLS|TLS]] certificate, tests the configuration through an ACME challenge, and automates the regeneration of expired certificates.

----

== Installation ==

Most [[Linux]] and [[BSD]] distributions offer a `certbot` package. Because `certbot(1)` is written in [[Python]], some distributions package a severely out-of-date version of it.

One option to get around this is to use a [[Docker]] container. An official image is available at `docker.io/certbot/certbot`.

{{{
sudo docker run --interactive --tty --rm --name my-certbot \
  --mount type=bind,source=/etc/letsencrypt,target=/etc/letsencrypt \
  --mount type=bind,source=/var/lib/letsencrypt,target=/var/lib/letsencrypt \
  certbot/certbot certonly
}}}

Another option is to use a virtual environment.

{{{
python3 -m venv certbot
./certbot/bin/pip install --upgrade pip
./certbot/bin/pip install certbot
./certbot/bin/certbot certonly
}}}

See also the virtual environment tool [[Python/Pipx|pipx(1)]].

----

== Usage ==

=== Standalone Server ===

To use the temporary, internal `certbot(1)` web server for the ACME challenge, try:

{{{
certbot certonly --standalone --http-01-port=8888 --email me@example.com --agree-tos --noninteractive -d example.com -d www.example.com
}}}

Any number of domains can be listed. (Newer versions also accept a comma-delimited list.)

=== Webroot ===

To use an already-running, external web server for the ACME challenge, try:

{{{
certbot certonly --webroot --webroot-path /var/www --email me@example.com --agree-tos --noninteractive -d example.com -d www.example.com
}}}

As above, any number of domains can be listed. Each domain uses the most recently specified `--webroot-path` as its webroot.

=== NGINX and Apache ===

`certbot(1)` has plugins that simplify the workflow for beginners.
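Whichever plugin is used (standalone, webroot, nginx or apache), the ACME challenge being answered is the same http-01 exchange: the CA fetches `http://<domain>/.well-known/acme-challenge/<token>` and expects the token joined to a thumbprint of the account key, which is why `--webroot-path` must be the directory the web server actually serves for that domain. The Python below is an added model of that exchange, not certbot's own code; it assumes a constructed sample key and token and a throwaway directory standing in for `/var/www`, and reproduces the check the CA makes when a challenge fails.

```python
"""Model of the ACME http-01 challenge answered by certbot's plugins (RFC 8555 section 8.3,
account-key thumbprint per RFC 7638). SAMPLE_JWK and SAMPLE_TOKEN are constructed, not real."""
import base64
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed EC P-256 public key in JWK form; only its encoding matters here.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed sample token
# RFC 7638: only the required public members, in lexicographic order, are hashed.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
TOKEN_ALPHABET = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")
CHALLENGE_DIR = Path(".well-known") / "acme-challenge"
DEMO_WEBROOT = Path(tempfile.mkdtemp(prefix="webroot-"))  # throwaway stand-in for /var/www

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the account public key (RFC 7638)."""
    members = {m: jwk[m] for m in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects to read back: <token>.<thumbprint>. Tokens are base64url,
    so anything else is rejected before it can become a path component."""
    if not token or set(token) - TOKEN_ALPHABET:
        raise ValueError(f"malformed ACME token: {token!r}")
    return f"{token}.{jwk_thumbprint(jwk)}"

def place_challenge(webroot: Path, token: str, jwk: dict) -> Path:
    """What --webroot does: write the key authorization under the served directory."""
    body = key_authorization(token, jwk)
    target = webroot / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(body)
    return target

def validate_challenge(webroot: Path, token: str, jwk: dict) -> bool:
    """CA-side check, modelled as reading what GET /.well-known/acme-challenge/<token> returns."""
    expected = key_authorization(token, jwk)
    target = webroot / CHALLENGE_DIR / token
    # RFC 8555 lets the CA ignore trailing whitespace; anything else must match exactly.
    return target.is_file() and target.read_text().rstrip() == expected
```

A challenge placed under one directory and validated against another, or against a different account key, fails exactly as a mis-set `--webroot-path` or a reused token from another account would.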
To use an already-running NGINX web server, try:

{{{
certbot certonly --nginx
}}}

To use an already-running Apache web server, try:

{{{
certbot certonly --apache
}}}

To have the certificates automatically 'installed', drop the `certonly` word from the command. (This will generate the appropriate TLS configuration and write it into the web server configuration.)

=== Test Renewal ===

For any number of reasons, you may want to force a certificate renewal. To run the process without overwriting the current certificates, try:

{{{
certbot renew --dry-run
}}}

To force overwriting the current certificates, try:

{{{
certbot renew --force-renewal
}}}

=== Automated Renewal ===

Many distributions bundle a `cron` job or a `systemd` timer with `certbot(1)`. To check whether one is already enabled, look at:

 * `/etc/crontab`
 * `/etc/cron.*/*`
 * `systemctl list-timers`

If your distribution does not manage this process for you, `certbot(1)` can easily be automated through a `cron` job.

{{{
0 0,12 * * * certbot renew --quiet
}}}

This will run twice daily, at midnight and noon.

----

== Configuration ==

=== Hooks ===

----

== See also ==

[[https://man.archlinux.org/man/certbot.1|certbot(1)]]

----

CategoryRicottone