Difference between revisions of "Certbot"

certbot^[1] is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol defined in 2015-2016) that can automate the tasks of obtaining certificates and configuring webservers to use them. This client runs on Unix-based operating systems.

Installation[edit]

• Ubuntu: apt install certbot
• macOS: brew install certbot

You can additionally install certbot plugins:

• python3-certbot-apache
• python3-certbot-dns-cloudflare
• python3-certbot-dns-digitalocean
• python3-certbot-dns-dnsimple
• python3-certbot-dns-google
• python3-certbot-dns-rfc2136
• python3-certbot-dns-route53
• python3-certbot-nginx

Ubuntu files[edit]

• Binaries: certbot and letscrypt
• Configuration files:

/etc/letsencrypt/

/etc/letsencrypt/renewal/

• Renewals configuration: /etc/cron.d/certbot]]
• Logs: /var/log/letsencrypt/letsencrypt.log

Examples[edit]

• certbot -d YOUR_DOMAIN_NAME.com --manual --preferred-challenges dns certonly

Create a wildcard certificate:

certbot -d *.YOUR_DOMAIN_NAME.com --manual --preferred-challenges dns certonly

Request a certificate[edit]

• List certificates: certbot certificates
• certbot renew
• certbot renew --force-renewal
• certbot delete --cert-name YOUR_CERT_NAME
• Changing a Certificdate's Domain^[2]: certbot certonly --cert-name example.com -d example.org,www.example.org
• Automated renewals: systemctl list-timers

• Stop your webserver:

systemctl stop nginx

• certbot certonly --standalone --preferred-challenges http -d YOUR_DOMAIN_NAME.com

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

• certbot certonly --standalone --agree-tos --preferred-challenges dns -d *.YOUR_DOMAIN_NAME.com (You will be asked for information)

None of the preferred challenges are supported by the selected plugin

nginx.conf

ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

openssl x509 -text -noout -in cert.pem

certbot certonly --standalone

certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested nginx plugin does not appear to be installed

Activities[edit]

• Read certbot certbot changelog: https://github.com/certbot/certbot/blob/master/certbot/CHANGELOG.md
• certbot renew
• Certbot renew configuration examples
• acme.sh

See also[edit]

• certbot [ certificates | renew | certonly ], certbot --help
• Certbot, Let's Encrypt: certbot (command), plugins, OCSP, certbot certificates, certbot renew (examples), /var/log/letsencrypt/letsencrypt.log, Certificate Checker, Certbot changelog, certbot --help, /etc/letsencrypt/
• CA, FreeIPA, PKI, OpenCA, Wildcard certificate, certtool, certbot (Let's Encrypt), certinfo (Cloudflare), ACME, Boulder, cfssl (Cloudflare), Public key certificate, public key, TLS and X.509, OCSP, Subject Alternative Name (SAN), openssl ca, Self signed certificate, CSR, keytool, ACM, KMS, aws acm, IdenTrust, multirootca, cert-manager