Introduction to Certbot
Certbot is a free, open-source software tool for automatically obtaining and renewing SSL/TLS certificates from Let’s Encrypt to enable HTTPS on web servers. It simplifies the process of securing websites by handling certificate requests, validation, installation, and renewal. Certbot matters because it removes technical barriers to implementing HTTPS, which is essential for security, privacy, and modern web features.
Core Concepts and Principles
Certbot Fundamentals
- Let’s Encrypt: Free, automated, nonprofit CA that issues domain-validated (DV) certificates via the ACME protocol
- SSL/TLS Certificates: Digital certificates that bind a public key to a domain name so clients can authenticate the server and set up an encrypted connection
- ACME Protocol: Automated Certificate Management Environment (RFC 8555), the protocol through which a client proves control of names and obtains, renews and revokes certificates
- Domain Validation: Proving control of a domain (not ownership in any legal sense) by answering a challenge before a certificate is issued
- Certificate Renewal: Obtaining a new certificate before the current one expires; Let’s Encrypt certificates are valid for 90 days and Certbot renews when 30 or fewer days remain
Validation Methods
- HTTP-01 Challenge: Certbot serves a file at http://<domain>/.well-known/acme-challenge/<token> and Let’s Encrypt fetches it over port 80 from several vantage points; port 80 must be reachable from the whole internet (redirects to HTTPS are followed)
- DNS-01 Challenge: Proves control by publishing a specific TXT record at _acme-challenge.<domain>; the only challenge accepted for wildcard names, and the one to use for hosts not reachable from the internet, at the price of handing DNS API credentials to the automation
- TLS-ALPN-01 Challenge: Validates via a TLS handshake on port 443 using the acme-tls/1 ALPN protocol; it avoids port 80 but is not implemented by Certbot, so it needs another ACME client
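Validation failures are much easier to debug when you can compute the exact values the CA is looking for. The script below is an added example, not Certbot or Let’s Encrypt project code: it derives the HTTP-01 key authorization and the DNS-01 TXT value from an account-key thumbprint and a challenge token as specified in RFC 8555 and RFC 7638, and compares them with what a web server or DNS zone actually publishes. The token and RSA modulus are constructed placeholders (a real token comes from the ACME order and the account key lives under /etc/letsencrypt/accounts/); openssl, curl and dig are assumed to be installed.

```shell
#!/bin/sh
# Added example, not Certbot's own code: derive and check ACME challenge
# values (RFC 8555 section 8). Requires openssl; check_* also need curl/dig.
set -eu

# base64url without padding (RFC 7515 appendix C), reading binary on stdin.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# base64url(SHA-256(string))
b64url_sha256() { printf '%s' "$1" | openssl dgst -sha256 -binary | b64url; }

# RFC 7638 thumbprint of an RSA account key: SHA-256 of the JWK reduced to its
# required members, in lexicographic order, with no whitespace.
jwk_thumbprint_rsa() {
  b64url_sha256 "{\"e\":\"$1\",\"kty\":\"RSA\",\"n\":\"$2\"}"
}

# HTTP-01: the exact body the CA expects at
# http://<domain>/.well-known/acme-challenge/<token>  (port 80, plain HTTP).
key_authorization() { printf '%s.%s' "$1" "$2"; }

# DNS-01: the exact TXT value the CA expects at _acme-challenge.<domain>.
dns01_txt_value() { b64url_sha256 "$(key_authorization "$1" "$2")"; }

# Compare what is published with what the CA will look for.
# check_http01 <domain> <token> <thumbprint>   (needs outbound HTTP)
check_http01() {
  expected=$(key_authorization "$2" "$3")
  served=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$2") || return 1
  [ "$served" = "$expected" ]
}

# check_dns01 <domain> <token> <thumbprint>   (needs dig)
check_dns01() {
  expected=$(dns01_txt_value "$2" "$3")
  dig +short TXT "_acme-challenge.$1" | tr -d '"' | grep -qx "$expected"
}

# Demo with constructed values; neither is a real Let's Encrypt token or key.
TOKEN="constructed-token-0123456789"
THUMB=$(jwk_thumbprint_rsa "AQAB" "constructed-modulus")
echo "thumbprint:        $THUMB"
echo "HTTP-01 body:      $(key_authorization "$TOKEN" "$THUMB")"
echo "DNS-01 TXT value:  $(dns01_txt_value "$TOKEN" "$THUMB")"
```

A common failure this exposes: the TXT record is present but holds the key authorization itself instead of its base64url SHA-256, or the HTTP-01 file is served with a trailing newline the CA does not expect.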
Step-by-Step Installation and Setup
Installing Certbot
Debian/Ubuntu
sudo apt update
sudo apt install certbot python3-certbot-nginx
(the installer plugins are separate packages: python3-certbot-nginx or python3-certbot-apache; distribution versions often lag well behind upstream)
CentOS/RHEL
sudo dnf install epel-release
sudo dnf install certbot python3-certbot-nginx
(Certbot ships in EPEL; on RHEL itself epel-release is not in the base repositories, so enable EPEL following Fedora’s instructions first)
Using Snap (Recommended by the Certbot project; always current upstream release)
Remove any distribution certbot package first (sudo apt remove certbot, or the dnf equivalent) so that only one installation runs a renewal timer.
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Basic Certificate Issuance Process
- Install Certbot on your server
- Choose and install plugin appropriate for your web server
- Request certificate using appropriate command
- Verify installation by checking HTTPS access
- Set up automatic renewal (typically already configured by default)
Key Commands by Use Case
Certificate Issuance
Apache Web Server
sudo certbot --apache -d example.com -d www.example.com
Nginx Web Server
sudo certbot --nginx -d example.com -d www.example.com
Standalone Mode (Certbot Binds Port 80 Itself)
sudo certbot certonly --standalone -d example.com
Stop any web server listening on port 80 first, or use --pre-hook/--post-hook to stop and start it around the run.
Webroot Method (Running Server Keeps Serving; No Restart Required)
sudo certbot certonly --webroot -w /var/www/html -d example.com
The -w directory must be the document root that answers http://example.com/, so that /.well-known/acme-challenge/ is served from it.
DNS Challenge (Required for Wildcard Certificates)
sudo certbot certonly --manual --preferred-challenges dns -d *.example.com -d example.com
--manual asks you to create the TXT record by hand and cannot renew unattended unless you supply --manual-auth-hook and --manual-cleanup-hook; for anything beyond a one-off, use a DNS plugin (see DNS API Integration below).
Certificate Management
List Certificates
sudo certbot certificates
Renew Certificates (All)
sudo certbot renew
Renew Specific Certificate
sudo certbot renew --cert-name example.com
Test Renewal Process (Dry Run)
sudo certbot renew --dry-run
Revoke Certificate (does not remove local files; add --reason keycompromise if the private key leaked)
sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem
Delete Certificate
sudo certbot delete --cert-name example.com
Advanced Configurations
Automated Renewal Setup
Default Renewal Job (Installed With Certbot)
Distribution packages install either a cron entry at /etc/cron.d/certbot or a systemd timer named certbot.timer (on systemd hosts the cron entry defers to the timer); the snap installs the timer snap.certbot.renew.timer. Both run certbot renew twice a day, and Certbot only contacts the CA for certificates within 30 days of expiry. Check what is active with systemctl list-timers before adding your own job, so two schedulers are not both renewing.
Custom Renewal Cron Job
0 3 * * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"
Use --deploy-hook rather than --post-hook for reloads: a deploy hook runs only for lineages that actually renewed, while a post hook also runs after a failed attempt.
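Hooks are where the reload logic and the hand-off of certificates to other services belong, so the same script also covers the pre/post hooks listed under Renewal Best Practices and the "Multiple Web Servers" problem of getting a key to a service that cannot read /etc/letsencrypt. The following is an added example, not Certbot’s own code, written as a deploy hook for /etc/letsencrypt/renewal-hooks/deploy/. It relies on the RENEWED_LINEAGE and RENEWED_DOMAINS environment variables that Certbot sets for deploy hooks; the destination directory, service account, checked domain and reload commands are assumptions.

```shell
#!/bin/sh
# Added example, not Certbot's own code. Install as
# /etc/letsencrypt/renewal-hooks/deploy/10-publish.sh (mode 0755). Certbot runs
# it once per lineage that actually renewed, with RENEWED_LINEAGE (the live/
# directory) and RENEWED_DOMAINS (space-separated) in the environment. It does
# not run on --dry-run or when nothing was due, unlike --post-hook, which runs
# after any attempt. DEST, OWNER, the domain and the commands are assumed.
set -eu

DEST="${DEST:-/etc/ssl/private/services}"   # assumed directory, mode 0700 root
OWNER="${OWNER:-www-data}"                  # assumed unprivileged service account

# Return 0 if <domain> is among the domains that just renewed.
lineage_matches() {
  case " $1 " in *" $2 "*) return 0 ;; esac
  return 1
}

# Copy fullchain and key out of the root-only /etc/letsencrypt tree for a
# service that runs unprivileged, instead of loosening permissions there.
# mktemp creates the file 0600 before any key bytes land in it, and mv makes
# the replacement atomic, so a reader never sees a partial or readable key.
install_certs() {
  lineage="$1"; dest="$2"; owner="$3"
  name=$(basename "$lineage")
  mkdir -p "$dest/$name"
  for f in fullchain.pem privkey.pem; do
    tmp=$(mktemp "$dest/$name/.$f.XXXXXX")
    cat "$lineage/$f" > "$tmp"          # follows the live/ -> archive/ symlink
    chmod 0600 "$tmp"
    if [ "$(id -u)" -eq 0 ]; then chown "$owner" "$tmp"; fi
    mv "$tmp" "$dest/$name/$f"
  done
  printf '%s\n' "$dest/$name"
}

# Reload only if the config check passes: a failed reload takes the site down,
# while a skipped reload leaves the old, still valid certificate in service.
reload_service() {
  if sh -c "$1"; then
    sh -c "$2"
  else
    echo "config check failed, not reloading ($1)" >&2
    return 1
  fi
}

# Entry point used by Certbot; act only for the lineage this host serves.
if [ -n "${RENEWED_LINEAGE:-}" ] && lineage_matches "${RENEWED_DOMAINS:-}" "example.com"; then
  install_certs "$RENEWED_LINEAGE" "$DEST" "$OWNER" >/dev/null
  reload_service "nginx -t" "systemctl reload nginx"
fi
```

For remote servers, replace the local copy with a push over an authenticated channel (for example rsync over SSH to a key-restricted account) inside install_certs; never distribute private keys through chat, mail or a shared bucket.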
Creating Wildcard Certificates
Wildcards are issued only through DNS-01, and *.example.com does not cover the bare apex, which is why both names are listed. The --server line is Let’s Encrypt’s production endpoint and is already the default; it only needs stating when switching endpoints, e.g. to the staging directory while testing:
sudo certbot certonly --manual --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory \
-d *.example.com -d example.com
Certificate Customization
Requesting OCSP Must-Staple
This is not Extended Validation: Let’s Encrypt issues domain-validated certificates only. --must-staple adds the TLS Feature extension, which makes the certificate unusable unless the server staples a fresh OCSP response on every handshake, and --staple-ocsp is an installer option that configures the web server, so it has no effect with certonly --standalone. Let’s Encrypt has announced the end of its OCSP service and the rejection of Must-Staple requests, so do not use these flags with it:
sudo certbot --nginx \
--staple-ocsp \
--must-staple \
-d example.com
Specifying Key Type and Size
Certbot’s default key is ECDSA P-256; request RSA explicitly when a client population needs it (--key-type ecdsa --elliptic-curve secp384r1 selects P-384 instead):
sudo certbot certonly --nginx \
--key-type rsa \
--rsa-key-size 4096 \
-d example.com
DNS API Integration for Automation
Supported DNS Providers and Plugins
| DNS Provider | Plugin Name | Installation Command |
|---|---|---|
| Cloudflare | certbot-dns-cloudflare | pip install certbot-dns-cloudflare |
| Route 53 (AWS) | certbot-dns-route53 | pip install certbot-dns-route53 |
| DigitalOcean | certbot-dns-digitalocean | pip install certbot-dns-digitalocean |
| Google Cloud DNS | certbot-dns-google | pip install certbot-dns-google |
| Namecheap | certbot-dns-namecheap (third-party) | pip install certbot-dns-namecheap |
| GoDaddy | certbot-dns-godaddy (third-party) | pip install certbot-dns-godaddy |
The first four plugins are maintained by the Certbot project; the Namecheap and GoDaddy ones are community packages, so review their source and pin a version before handing them DNS credentials. pip installs only reach a Certbot that was itself installed with pip or a distribution package; with the snap, install the plugin through snap instead (sudo snap set certbot trust-plugin-with-root=ok, then sudo snap install certbot-dns-cloudflare), otherwise Certbot will not see it. Whatever the provider, scope the credential to DNS edits on the one zone: anyone holding it can pass DNS-01 for every name in that zone.
Example: Cloudflare DNS Automation
Create Credentials File
mkdir -p ~/.secrets/certbot/
Create ~/.secrets/certbot/cloudflare.ini with content:
dns_cloudflare_api_token = your-scoped-api-token
Use an API token restricted to Zone:DNS:Edit on the one zone rather than the legacy global key (dns_cloudflare_email plus dns_cloudflare_api_key), which grants full control of the Cloudflare account. Certbot runs as root and is the only thing that needs to read the file, so lock it down (the plugin warns if it is group- or world-readable):
chmod 600 ~/.secrets/certbot/cloudflare.ini
Request Certificate with Cloudflare
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
-d example.com -d *.example.com
Example: AWS Route 53 Automation
Set up AWS Credentials
The plugin uses boto3’s default credential chain. Because Certbot runs as root, a profile written by aws configure as an ordinary user (~/.aws/credentials) is not found; prefer an instance role, or a dedicated IAM user whose keys live in /root/.aws/credentials or in AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, with a policy limited to route53:ListHostedZones, route53:GetChange and route53:ChangeResourceRecordSets on the hosted zone in question:
sudo -H aws configure
Request Certificate with Route 53
sudo certbot certonly \
--dns-route53 \
--dns-route53-propagation-seconds 30 \
-d example.com -d *.example.com
Common Challenges and Solutions
| Challenge | Description | Solution |
|---|---|---|
| Port 80 already in use | Standalone mode cannot bind the port | Use webroot (the running server serves the challenge) or DNS validation |
| DNS propagation delays | The TXT record is not yet visible at the authoritative servers when the CA checks | Raise the wait: --dns-<provider>-propagation-seconds 60 |
| Rate limiting | Too many certificate requests, typically repeated issuance for the same names | Develop against the staging environment with --staging; it has far higher limits but issues certificates browsers do not trust |
| Certificate path issues | Web server can’t find certificates | Point the server at /etc/letsencrypt/live/<name>/fullchain.pem and privkey.pem; these are symlinks into archive/ that renewal repoints, so never reference archive/ paths directly |
| Renewal failures | Automatic renewals not working | Run certbot renew --dry-run, check that the timer or cron job is active, and read /var/log/letsencrypt/letsencrypt.log |
| Multiple web servers | Need to deploy the cert to multiple servers | Issue once (DNS-01 avoids routing HTTP-01 to one host) and push with a deploy hook over an authenticated channel; never share account or private keys by mail or chat |
| Firewall blocking | Security rules block validation | HTTP-01 needs port 80 open to the whole internet: Let’s Encrypt validates from several vantage points and publishes no source IPs to allowlist; if that is unacceptable, use DNS-01 |
Best Practices
Security Best Practices
- Protect private keys: Certbot creates them mode 600 under /etc/letsencrypt/archive/ (live/ holds symlinks) inside root-only directories; give services their own copy via a deploy hook rather than loosening those permissions
- Use modern keys: ECDSA P-256 (Certbot’s default since 2.0) or P-384, or RSA of at least 2048 bits; 4096-bit RSA adds little security at a real handshake cost
- Do not rely on OCSP stapling or Must-Staple with Let’s Encrypt, which has announced the end of its OCSP service in favour of CRLs; stapling only matters for CAs that still run responders
- Monitor expiry of the certificate actually served, not only the files on disk, and alert with enough lead time to repair a broken renewal (two weeks is reasonable)
- Run automation under dedicated, least-privilege credentials: a DNS API token scoped to one zone, an IAM role limited to one hosted zone, never a personal account
Operational Best Practices
- Test renewal with certbot renew --dry-run before relying on it
- Use the staging environment (--staging) while testing configurations
- Keep Certbot updated to the latest version
- Set up automated monitoring for certificate expiration
- Document certificate deployment processes
- Use DNS validation for wildcard certificates and servers behind firewalls
Renewal Best Practices
- Let the installed timer or cron job run renewal twice a day (the default); the randomised attempts spread CA load and give many retries before expiry
- Keep the default renewal window: Certbot renews when 30 days or fewer remain, i.e. about 60 days after issuance, which leaves a month of retries if something breaks
- Use hooks for the service side: --pre-hook/--post-hook stop and start a server for standalone mode, while for webroot or plugin mode --deploy-hook "systemctl reload nginx" is preferable, because it runs only when a certificate actually renewed:
certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
- Test the renewal path with certbot renew --dry-run after any change to the server, DNS or firewall, and on a schedule
- Do not count on e-mail warnings: Let’s Encrypt has discontinued expiry notification e-mails, so your own monitoring is the only alert
Docker and Container Integration
Docker Certbot Basic Usage
The certbot image contains no web server: something else must serve /var/www/.well-known/acme-challenge/ on port 80 of the host for HTTP-01 to succeed, or use a DNS-plugin image such as certbot/dns-cloudflare with a mounted credentials file.
docker run -it --rm \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
-v "/var/www:/var/www" \
certbot/certbot certonly --webroot -w /var/www -d example.com
Docker Compose Example
Indented as it must appear in compose.yaml (the top-level version key is obsolete in current Compose). Avoid --force-renewal here: it re-issues on every container start and quickly trips Let’s Encrypt’s duplicate-certificate limit (5 per week). Use certonly once for first issuance and certbot renew for scheduled runs:
services:
  certbot:
    image: certbot/certbot
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    command: certonly --webroot -w /var/www/certbot --email admin@example.com -d example.com --agree-tos --non-interactive
Kubernetes Integration Using cert-manager
In Kubernetes the ACME client is cert-manager rather than Certbot; it issues, renews and stores the certificate in the named Secret. The manifest assumes a ClusterIssuer called letsencrypt-prod already exists (it holds the ACME server URL, account key and HTTP-01 or DNS-01 solver configuration):
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com-tls
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - example.com
    - www.example.com
Monitoring and Alerting
Certificate Expiry Monitoring
Simple Bash Script Monitor
#!/bin/bash
# Warn about every Certbot lineage that expires in less than 25 days.
# Parse "Certificate Name:" rather than "Domains:": the live/ directory is named
# after the lineage, which need not equal the first domain on the certificate.
threshold_days=25
names=$(certbot certificates 2>/dev/null | awk -F': ' '/Certificate Name:/ {print $2}')
for name in $names; do
  cert="/etc/letsencrypt/live/$name/cert.pem"
  # -checkend N exits non-zero when the certificate expires within N seconds
  if ! openssl x509 -checkend $((threshold_days * 86400)) -noout -in "$cert" >/dev/null; then
    expiry=$(openssl x509 -enddate -noout -in "$cert" | cut -d= -f2)
    echo "WARNING: certificate '$name' expires on $expiry (less than $threshold_days days)"
    # Add notification logic here (email, Slack, etc.)
  fi
done
Prometheus Monitoring
Certbot does not export metrics and there is no Certbot-maintained Prometheus plugin. Monitor what is actually served instead: point blackbox_exporter’s http module at each HTTPS endpoint and alert on its probe_ssl_earliest_cert_expiry gauge, for example when (probe_ssl_earliest_cert_expiry - time()) / 86400 < 14. Probing the live endpoint catches a certificate that renewed on disk but was never reloaded into the server, which any check of the files under /etc/letsencrypt would miss.
Resources for Further Learning
Learning Paths
- Beginner: Basic certificate issuance with web server integration
- Intermediate: Wildcard certificates and DNS validation
- Advanced: Full automation with DNS API integration
- Expert: Certificate management at scale with monitoring and custom deployment
This comprehensive cheat sheet covers everything from basic Certbot usage to advanced automation techniques. Whether you’re securing a single website or managing certificates across a large infrastructure, these commands and best practices will help you implement robust HTTPS automation with Certbot.