CERTBOT - Base Documentation

From IT-Arts.net


Certbot Overview

Core Concepts

Certbot is an automated tool to help manage SSL/TLS certificates for web servers, typically from **Let's Encrypt**. It helps with obtaining, renewing, and installing certificates. The tool uses the ACME protocol to communicate with Certificate Authorities (CAs).

Certbot can automatically configure your web server (Apache, Nginx, etc.) to use the certificates and manage renewals.

Supported Web Servers

Certbot supports the following web servers:

  • Apache
  • Nginx
  • Lighttpd
  • Manual configuration for other servers

ACME Challenges

Certbot uses ACME challenges to verify domain ownership. The two main types are:

  • **HTTP-01** (HTTP challenge)
  • **DNS-01** (DNS challenge)

Basic Commands

Obtaining a Certificate

The most common command to obtain a certificate for a domain:

certbot --apache -d example.com -d www.example.com

This will:

  1. Obtain the certificate.
  2. Automatically configure Apache to use the certificate.

For Nginx:

certbot --nginx -d example.com -d www.example.com

Example for manual configuration:

certbot certonly --manual -d example.com

Renewing Certificates

Renewal of certificates is done automatically with:

certbot renew

This command will check all installed certificates and renew those that are near expiration.

It is recommended to run this as a cron job for automatic renewal.

Example of a cron job:

0 0,12 * * * certbot renew --quiet

This will run the renewal twice a day at midnight and noon.

Configuration and Automation

Auto-Renewal and Cron Jobs

Certbot's auto-renewal process is controlled via the `certbot renew` command. By default, Certbot installs a cron job or systemd timer to automatically handle renewals.

For manual configuration of a cron job:

crontab -e

Add:

0 0 * * * certbot renew --quiet

Ensure **--quiet** is added to avoid unnecessary output.

Security Concepts

Securing the Certificate Private Key

After obtaining a certificate, the private key is stored in:

/etc/letsencrypt/live/{domain}/privkey.pem

Access to this private key should be restricted to the root user only to avoid unauthorized decryption of traffic.

Ensure proper permissions:

chmod 600 /etc/letsencrypt/live/{domain}/privkey.pem

Additionally, the private key should be stored in a secure location with regular backups.

Security of Certbot Configuration Files

Certbot's configuration files, such as `/etc/letsencrypt/renewal/{domain}.conf`, should also be protected from unauthorized access.

Example:

chmod 600 /etc/letsencrypt/renewal/{domain}.conf

The `/etc/letsencrypt/` directory should only be accessible by root to prevent unauthorized users from manipulating certificates or renewal configurations.
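The two chmod commands above are one-off fixes; the check a practitioner wants is something that can be re-run after every renewal, because Certbot writes a new `privkeyN.pem` into `/etc/letsencrypt/archive/{domain}/` each time and `live/{domain}/privkey.pem` is only a symlink pointing at the newest one. The following audit script is an added example, not part of the original page or of Certbot itself. It assumes GNU `find` (for `-perm /mode`) and follows symlinks so the key file actually holding the material is what gets checked; the path argument and the `audit_letsencrypt` and `insecure_files` function names are this example's own.

```shell
#!/bin/sh
# Added example: audit a Let's Encrypt tree for private material that users other
# than root can read. Takes the tree's root as an argument (defaults to
# /etc/letsencrypt) so it can also be run against a copy or a test directory.

# Print every private key and renewal config under $1 that has any group or
# other permission bit set. -L follows the live/<domain>/privkey.pem symlinks
# into archive/, so the file really holding the key is what gets checked.
insecure_files() {
    find -L "$1" -type f \
        \( -name 'privkey*.pem' -o -path '*/renewal/*.conf' \) \
        -perm /077 2>/dev/null
}

# Return 0 when the tree is clean, 1 (listing offenders on stderr) otherwise.
audit_letsencrypt() {
    dir="${1:-/etc/letsencrypt}"
    bad=$(insecure_files "$dir")
    if [ -n "$bad" ]; then
        printf 'group/world-readable files under %s:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    printf 'permissions under %s look correct\n' "$dir"
    return 0
}

# Run against the directory given on the command line, if any:
#   sudo sh audit.sh /etc/letsencrypt
if [ $# -gt 0 ]; then audit_letsencrypt "$1"; fi
```

A convenient place to call this is a renewal deploy hook, so that a newly written key with wrong permissions is reported at the moment it appears rather than at the next manual review.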

DNS Challenges and Advanced Configurations

DNS-01 Challenge

The DNS-01 challenge requires creating a DNS TXT record to prove domain ownership. This is useful when HTTP-01 challenges are not possible.

Example for DNS challenge:

certbot certonly --manual --preferred-challenges dns -d example.com -d www.example.com

This will prompt the user to add the DNS TXT record and proceed with validation.

For automated DNS-01 with a DNS provider plugin (e.g., Cloudflare, AWS Route 53):

certbot certonly -a dns-cloudflare --dns-cloudflare-credentials /path/to/cloudflare.ini -d example.com

This method doesn't require a web server to be running and is suitable for wildcard certificates. The credentials file holds an API token that can modify your DNS zone, so it should be readable by root only.

Certificate Renewal and Troubleshooting

Troubleshooting Certificate Renewal

Expired or Invalid Certificates

If Certbot is unable to renew a certificate, common issues could include:

  • Misconfigured DNS records
  • HTTP server is not responding to ACME challenges
  • Certbot lacks the permissions it needs on the renewal directories

To force a renewal attempt and see detailed output (note that a forced renewal that succeeds counts against the duplicate certificate limit described below):

certbot renew --force-renewal --debug

Check for specific error messages related to DNS, permissions, or rate limits.

Rate Limits

Let's Encrypt imposes rate limits to prevent abuse. Common rate limits include:

  • **Duplicate certificate limit**: 5 identical certificates per week
  • **Failed validation limit**: 5 failed validations per hour

For more details on rate limits:

https://letsencrypt.org/docs/rate-limits/

If you've hit a rate limit, you'll need to wait for the limit to reset before trying again.

Verifying Certificate Installation

You can verify the correct installation and renewal of certificates by checking the status of the installed certificates:

certbot certificates

This command will display:

  • List of certificates
  • Expiry date
  • Domains associated with the certificate

For a deeper inspection of certificate details:

openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -text -noout
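`certbot certificates` and the `openssl x509 -text` dump are interactive checks. What tells you that renewal has silently stopped working is the number of days left on the certificate the web server is actually serving: Certbot's default is to renew 30 days before expiry, so a live certificate with fewer days than that means `certbot renew` has been failing. The script below is an added example, not part of the original page or of Certbot; it assumes GNU `date` (for `date -d`) and `openssl` on the path, and the function names `days_until`, `cert_days_left` and `cert_ok` are this example's own.

```shell
#!/bin/sh
# Added example: report how many days a certificate has left and flag it when it
# is inside a warning window. Certbot's default renewal point is 30 days before
# expiry, so a live cert with fewer days than that suggests renewal is failing.

# Whole days from now until a date string in the format openssl prints for
# notAfter, e.g. "Jan  1 00:00:00 2030 GMT". Negative when already expired.
# Uses GNU date's -d parsing.
days_until() {
    target=$(date -u -d "$1" +%s) || return 1
    now=$(date -u +%s)
    echo $(( (target - now) / 86400 ))
}

# Days left on the certificate file given as $1 (e.g. live/<domain>/cert.pem).
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//') || return 1
    days_until "$end"
}

# Return 0 if the certificate has more than $2 days left (default 30), 1 otherwise.
cert_ok() {
    threshold="${2:-30}"
    left=$(cert_days_left "$1") || return 1
    if [ "$left" -le "$threshold" ]; then
        echo "$1: $left days left (<= $threshold), renewal may be failing" >&2
        return 1
    fi
    echo "$1: $left days left"
}

# Usage: sh certcheck.sh /etc/letsencrypt/live/example.com/cert.pem [days]
if [ $# -gt 0 ]; then cert_ok "$@"; fi
```

Run it from monitoring against the certificate path the web server is configured with, not only against Certbot's own files: a successful `certbot renew` that the server never reloaded shows up exactly as a fresh cert on disk and an old one on the wire.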

Advanced Topics

Wildcard Certificates

Wildcard certificates are used to secure all subdomains of a domain. They require the DNS-01 challenge.

Example command for a wildcard certificate:

certbot certonly -d example.com -d '*.example.com' --manual --preferred-challenges dns

You will be prompted to add a DNS TXT record for validation.

Automating wildcard certificates is possible with supported DNS provider plugins, such as those for Cloudflare or AWS Route 53.

Using Certbot with Docker

Certbot can be used in Docker environments for isolated certificate management.

Example Docker usage:

docker run -it --rm -v "/path/to/certbot/config:/etc/letsencrypt" -v "/path/to/certbot/logs:/var/log/letsencrypt" certbot/certbot certonly --standalone -d example.com

This runs Certbot inside a Docker container and obtains certificates via the standalone server.
