Certbot – common commands

Installation

Install Certbot

For most Linux distributions:


sudo apt install certbot -y  # For Debian/Ubuntu
sudo yum install certbot -y  # For CentOS/RHEL

For macOS with Homebrew:


brew install certbot

Install Certbot with Webserver Plugins

To integrate Certbot with your web server (like Apache or NGINX):


sudo apt install python3-certbot-apache -y  # For Apache
sudo apt install python3-certbot-nginx -y  # For NGINX

Basic Commands

Obtain and Install a Certificate

  1. For Apache:

    sudo certbot --apache

  2. For NGINX:

    sudo certbot --nginx

Obtain a Certificate (Without Installing)



sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com

Renewal

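Check Renewal Status

A dry run simulates renewal without saving any certificates, so it verifies that renewal will work: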


sudo certbot renew --dry-run

Renew All Certificates


sudo certbot renew

Revoke a Certificate


sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem

List All Certificates


sudo certbot certificates

Delete a Certificate


sudo certbot delete --cert-name example.com

Testing HTTP-to-HTTPS Redirection

With --redirect, Certbot adds an automatic HTTP-to-HTTPS redirect to the NGINX configuration:


sudo certbot --nginx --redirect

Manually Specify Webroot

If Certbot cannot find your web server configuration:



sudo certbot certonly --webroot -w /path/to/your/webroot -d example.com -d www.example.com

Standalone Mode (No Web Server Running)

Use Certbot’s standalone mode if no web server is running:


sudo certbot certonly --standalone -d example.com -d www.example.com

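Force Certificate Renewal

This renews every certificate regardless of its expiry date, and each issuance counts against the CA's rate limits (Let's Encrypt by default):

sudo certbot renew --force-renewal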

Automatic Renewal

Set up a cron job to automate renewal:


sudo crontab -e

Add the following line:


0 0 * * * /usr/bin/certbot renew --quiet

Certbot Logs

Check logs for troubleshooting:



sudo less /var/log/letsencrypt/letsencrypt.log

Example Configuration for NGINX

Modify your NGINX configuration to use the certificate:



server {
    listen 80;
    server_name example.com www.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        root /var/www/html;
        index index.html index.htm;
    }
}

Reload NGINX after changes:



sudo systemctl reload nginx
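
The cron job above renews certificates but does not reload NGINX, so a certificate obtained with certonly keeps being served from memory in its old form until the next reload. The deploy hook below is an added example, not part of the original page; its install path, the function names, the NGINX_TEST_CMD / NGINX_RELOAD_CMD variables, and the requirement that the key is readable by its owner only are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): Certbot deploy hook.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
# Certbot runs deploy hooks after each successful renewal and sets
# RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/example.com.

# Assumption: overridable commands, so the hook can be tested without NGINX.
: "${NGINX_TEST_CMD:=nginx -t -q}"
: "${NGINX_RELOAD_CMD:=systemctl reload nginx}"

# Succeeds only if the lineage holds a non-empty chain and key, and the key
# file (symlink followed) grants nothing to group or other.
lineage_ok() {
    dir=$1
    for f in fullchain.pem privkey.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty $dir/$f" >&2; return 1; }
    done
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ldL "$dir/privkey.pem" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "privkey.pem is accessible to group/other ($perms)" >&2
        return 1
    }
}

# Exit codes: 1 = bad lineage, 2 = config test failed, 3 = reload failed.
deploy_renewed_cert() {
    lineage_ok "$1" || return 1
    # Test the configuration first: with a broken config the reload fails
    # and NGINX keeps serving the old certificate.
    $NGINX_TEST_CMD || { echo "nginx config test failed, not reloading" >&2; return 2; }
    $NGINX_RELOAD_CMD || { echo "nginx reload failed" >&2; return 3; }
}

# Run only when invoked by Certbot (RENEWED_LINEAGE set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_renewed_cert "$RENEWED_LINEAGE"
fi
```

Mark the script executable so Certbot picks it up from the hooks directory.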