Certbot
certbot(1) is an interface to the Let's Encrypt certificate authority. certbot(1) obtains an SSL/TLS certificate, proves control of the domain through an ACME challenge, and automates renewal of certificates before they expire.
Installation
Install the certbot package, available in almost all distributions. certbot(1) is written in python3 and has a large number of module dependencies.
Usage
Standalone Server
To use the temporary, internal certbot(1) web server for the ACME challenge, try:
certbot certonly --standalone --http-01-port=8888 --email user@example.com --agree-tos --noninteractive -d example.com -d www.example.com
Any number of domains can be listed. (Newer versions also accept a comma-delimited list after a single -d.)
Webroot
To use an already-running, external web server for the ACME challenge, try:
certbot certonly --webroot --webroot-path /var/www --email user@example.com --agree-tos --noninteractive -d example.com -d www.example.com
As above, any number of domains can be listed. Each domain uses the most recent --webroot-path given before it on the command line, so a single path covers all domains, or a different --webroot-path can precede each -d.
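The webroot method only works when the web server already serves files from the given path under /.well-known/acme-challenge/ on port 80 for every listed domain, which is where certbot writes its challenge token and where the CA fetches it. The following pre-flight script is an added example, not part of this page or of certbot itself: it writes its own probe file there and fetches it the way the CA would, so a wrong webroot or vhost is caught before certbot runs. The script name, the probe file contents and the curl flags are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the wiki page): pre-flight check for the webroot method.
# certbot proves domain control (HTTP-01) by writing a token file under
# WEBROOT/.well-known/acme-challenge/ that the CA then fetches over plain HTTP.
# This script writes a probe file in the same place and fetches it the same way.

CHALLENGE_DIR=".well-known/acme-challenge"

# Write a probe file into the webroot and print its token.
write_probe() {
  webroot="$1"
  dir="$webroot/$CHALLENGE_DIR"
  mkdir -p "$dir"
  token="probe-$(date +%s)-$$"
  printf 'ok %s\n' "$token" > "$dir/$token"
  printf '%s\n' "$token"
}

# Fetch the probe over HTTP on port 80, as the CA would. Return 0 when the body matches.
fetch_probe() {
  domain="$1"
  token="$2"
  body=$(curl -fsS --max-time 10 "http://$domain/$CHALLENGE_DIR/$token") || return 1
  [ "$body" = "ok $token" ]
}

# Remove the probe file again so nothing is left in the webroot.
remove_probe() {
  rm -f "$1/$CHALLENGE_DIR/$2"
}

# Stand-alone usage: ./webroot-preflight.sh /var/www example.com www.example.com
if [ "$#" -ge 2 ]; then
  webroot="$1"
  shift
  token=$(write_probe "$webroot")
  status=0
  for d in "$@"; do
    if fetch_probe "$d" "$token"; then
      echo "$d: OK"
    else
      echo "$d: FAILED (check that $webroot is served for $d on port 80)"
      status=1
    fi
  done
  remove_probe "$webroot" "$token"
  exit "$status"
fi
```

A domain that reports FAILED here will fail the real challenge in the same way; fix the vhost or the --webroot-path before asking the CA to validate it.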
NGINX and Apache
certbot(1) has plugins that simplify the workflow for beginners. To use an already-running NGINX web server, try:
certbot certonly --nginx
To use an already-running Apache web server, try:
certbot certonly --apache
To have the certificates automatically 'installed', drop the certonly word from the command. (This will generate the appropriate TLS configuration and write it to the web server configuration.)
Test Renewal
For any number of reasons, you may want to force a certificate renewal. To run the process without overwriting the current certificates, try:
certbot renew --dry-run
To force overwriting the current certificates, try:
certbot renew --force-renewal
Automated Renewal
Many distributions bundle a cron job or a systemd timer with certbot(1). To check whether one is already enabled, look in:
- /etc/crontab
- /etc/cron.*/*
- systemctl list-timers
If your distribution does not manage this process for you, certbot(1) can be easily automated through a cron job.
0 0,12 * * * certbot renew --quiet
This will run twice daily, at midnight and noon.
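The check and the cron entry above can be combined into one script. The following is an added example, not part of this page or of the certbot project: it searches the locations listed above for an existing certbot schedule and, only when none is found, writes a system cron entry. The ROOT prefix parameter exists solely so the check can be run against a constructed directory tree; the timer listing is passed in as text for the same reason. The random pre-sleep in the cron line is the example's own addition to spread renewals across clients, and the entry carries a user field because files in /etc/cron.d use that format, unlike a personal crontab.

```shell
#!/bin/sh
# Added example (not from the wiki page): detect an existing certbot renewal
# schedule and install a system cron entry if there is none.
# ROOT is an optional path prefix (empty on a real system) used for testing.

# Return 0 if /etc/crontab or any file under /etc/cron.* mentions a certbot renewal.
cron_has_certbot() {
  root="${1:-}"
  # /etc/crontab is a single file; /etc/cron.* are directories (cron.d, cron.daily, ...)
  for f in "$root/etc/crontab" "$root"/etc/cron.*/*; do
    [ -f "$f" ] || continue
    if grep -Eqs 'certbot.*renew' "$f"; then
      return 0
    fi
  done
  return 1
}

# Return 0 if a 'systemctl list-timers --all' listing (read from stdin) contains a certbot timer.
timer_has_certbot() {
  grep -Eqs 'certbot[^[:space:]]*\.timer'
}

# Write a cron.d entry: twice daily, with a random delay of up to an hour first.
install_renewal_cron() {
  root="${1:-}"
  mkdir -p "$root/etc/cron.d"
  printf '%s\n' "0 0,12 * * * root python3 -c 'import random, time; time.sleep(random.random() * 3600)' && certbot renew -q" \
    > "$root/etc/cron.d/certbot"
}

# Install the cron entry unless a cron job or timer already handles renewal.
ensure_renewal() {
  root="${1:-}"
  timers="${2:-}"
  if cron_has_certbot "$root" || printf '%s\n' "$timers" | timer_has_certbot; then
    echo "certbot renewal is already scheduled"
    return 0
  fi
  install_renewal_cron "$root"
  echo "installed $root/etc/cron.d/certbot"
}

# Stand-alone usage (as root): ./renewal-check.sh run
if [ "${1:-}" = "run" ]; then
  ensure_renewal "" "$(systemctl list-timers --all 2>/dev/null)"
fi
```

After installing the entry, confirm it works end to end with certbot renew --dry-run, since a scheduled job that fails silently is no better than none.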
Configuration