Let's Encrypt SSL/TLS certificates with certbot

Let's Encrypt is an automated and open certification authority (CA) operated by Internet Security Research Group (ISRG) and founded by the Electronic Frontier Foundation (EFF). It provides free SSL/TLS certificates, which are commonly used to encrypt communications for security and privacy purposes; the most notable use case is HTTPS. Let's Encrypt relies on the ACME (Automatic Certificate Management Environment) protocol to issue, revoke and renew certificates. Certbot is a free and open source utility that is mainly used to manage SSL/TLS certificates from the Let's Encrypt certification authority. It is available for most UNIX operating systems, including GNU/Linux, FreeBSD, OpenBSD and OS X. This guide provides a platform-independent introduction to the use of certbot.


A domain name registered with an A record that points to your IPv4 address. `www.example.com` will be used as an example.
Access to a root privilege shell.

General concepts

The use of certbot to enable HTTPS can be divided into two parts: authentication and installation. The first requires solving a challenge and saving the certificate and other files. The installation step involves configuring and securing the web server. Certbot can automatically perform both, with the run subcommand. The certonly and install subcommands are for the authentication and installation steps respectively. Certbot also includes renewal and certificate revocation features.

Obtaining a Let's Encrypt certificate involves solving a domain validation challenge issued by an ACME (Automatic Certificate Management Environment) server. This challenge verifies ownership of the domains for which you are trying to obtain a certificate. There are different types of challenges; the most used is HTTP-01. As the name implies, it uses the HTTP protocol. While HTTP servers can be configured to use any TCP port, this challenge will only work on port 80 due to security measures. DNS-01 is another, less popular type of challenge based on DNS resolution. Note that wildcard certificates cannot be obtained through the HTTP-01 challenge. This guide will initially focus on HTTP-01.

Certbot relies on plug-ins to perform authentication and installation. Plug-ins such as webroot and standalone only perform authentication, while others, such as the Apache and Nginx plug-ins, are designed to automatically obtain and install certificates (that is, to configure the web server). Other plug-ins include several vendor-specific DNS plug-ins for DNS-01 authentication. Most certbot plug-ins are installed separately, except the webroot and standalone plug-ins, which are built in.

Install Certbot
Most Linux distributions provide certbot in their official repositories. Below are the installation instructions for widely used platforms.

yum install -y certbot

Using Certbot

Certificate List
To display a list of certificates managed by certbot on your server, issue the following command:

certbot certificates

Obtaining a certificate for manual configuration

If you choose to configure your web server manually, you can obtain a certificate in two ways: either by granting certbot access to your server's web root directory (that is, the webroot plug-in) or by running a temporary standalone web server on port 80 (that is, the standalone plug-in). The latter plug-in is useful in cases where integration with your existing web server is impossible or not desired. For convenience and simpler renewals, be consistent in the plug-in you use.

Use an existing web server

To use your existing web server, make sure it is running and listening on port 80 before executing the following command:

certbot certonly --webroot

You will be asked to enter, among other information, your domain name(s) and the path to your web root, which is `/var/www/html/` by default on most Linux systems. Alternatively, you can specify the required information as command arguments. For example:

certbot certonly --webroot --webroot-path /var/www/html --agree-tos -m your_email@example.com -d www.example.com

Using the standalone web server

To use the standalone server, first make sure port 80 is available. You can check which processes are bound to that port using the command:

ss -lntp 'sport = :80'

If necessary, stop the active service/process before continuing. Then run the following command:

certbot certonly --standalone

Once the certificate is obtained, you must configure your web server manually. Relevant files can be found in /etc/letsencrypt/live/your_domain.

HTTPS interactive installation
As mentioned earlier, certbot can automate the entire HTTPS configuration process, including web server configuration. Plug-ins are available for both Apache and Nginx, and may need to be installed as a separate package. Install the specific certbot plug-in for your web server, then run `certbot run --PLUGIN_NAME`. We will show the entire process for Apache on a CentOS 7 system. The process for Nginx is similar.

yum install -y python-certbot-apache

certbot run --apache

Assuming that your web server is already configured for your domain name(s), certbot will analyze the existing configuration and ask you to choose the domain names for which HTTPS should be activated. If your web server is not configured, or if certbot cannot detect your domain names, simply enter them manually when prompted. For example:

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and / or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

Certbot will create a new Apache configuration file for your new HTTPS virtual host and ask whether HTTP traffic should be redirected to HTTPS. Unless you have good reasons for not doing so, you should enable redirection to HTTPS.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/www.example.com.conf to ssl vhost in /etc/apache2/sites-available/www.example.com-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.example.com

Certificate Renewal

Manual renewal
To renew your certificates with certbot you can use the renew subcommand. During renewal, certbot will use the same plug-ins and options that were used for the original issuance. Certificates are only renewed if they expire in less than 30 days, so the following command can be run as often as desired; it takes no action if the certificates are not close to their expiration date. Run the following command to renew your certificates:

certbot renew

If the standalone plug-in was used to issue a certificate, you must stop your web server for the renewal to be successful. You can achieve that using hooks. For example, if the system is running Apache, the command would be:

certbot renew --pre-hook "systemctl stop apache2.service" --post-hook "systemctl start apache2.service"

Automatic renewal

Many distributions enable automatic renewal by default, either through systemd timers or cron jobs. You can check systemd timers with:

systemctl list-timers

And for cron jobs using:

ls /etc/cron*

If the webroot plug-in was used for issuance, automatic renewals should succeed whenever your web server is running. However, with the standalone plug-in, the default automatic renewal command will fail if a web server is running, since certbot cannot bind to port 80. It is therefore necessary to modify the command by adding hooks as shown above.
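
The check below is an added example, not part of the original article or of certbot itself: it lists certificates issued with the standalone plug-in whose renewal configuration has no saved hooks. It assumes certbot's default `/etc/letsencrypt/renewal/` layout; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not certbot's own code. Assumes certbot's default layout:
# one INI-style file per certificate in /etc/letsencrypt/renewal/, with
# "authenticator", "pre_hook" and "post_hook" keys. Hooks kept elsewhere
# (renewal-hooks directories, the cron/timer command line) are not seen.

# Print the value of key $2 in renewal config $1 (empty if absent).
renewal_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print the name of every certificate that uses the standalone authenticator
# without both hooks saved: its unattended renewal fails while a web server
# holds port 80.
audit_renewal_dir() {
    dir=${1:-/etc/letsencrypt/renewal}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        auth=$(renewal_param "$conf" authenticator)
        pre=$(renewal_param "$conf" pre_hook)
        post=$(renewal_param "$conf" post_hook)
        if [ "$auth" = "standalone" ] && { [ -z "$pre" ] || [ -z "$post" ]; }; then
            basename "$conf" .conf
        fi
    done
}

# Constructed sample: three renewal configs in a temporary directory.
make_sample() {
    d=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = webroot\n' \
        > "$d/www.example.com.conf"
    printf '[renewalparams]\nauthenticator = standalone\n' \
        > "$d/mail.example.com.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = standalone' \
        'pre_hook = systemctl stop apache2.service' \
        'post_hook = systemctl start apache2.service' \
        > "$d/api.example.com.conf"
    echo "$d"
}

sample=$(make_sample)
audit_renewal_dir "$sample"    # prints: mail.example.com
rm -rf "$sample"
```

On a real host, run `audit_renewal_dir` with no argument as root; any name it prints needs hooks added before the next scheduled renewal.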

Certificate Revocation

A certificate can be revoked by specifying either the name or the path of the certificate:

certbot revoke --cert-name cert_name


certbot revoke --cert-path /path/to/cert.pem


certbot revoke --cert-name www.example.com

After executing the revoke subcommand, certbot will ask you whether the certificate files should be deleted. If you choose not to delete them, the revoked certificate will be renewed during the next renewal. Several self-explanatory options can be passed to the revoke subcommand:

--delete-after-revoke (by default, certbot prompts the user to choose)
--no-delete-after-revoke (by default, certbot prompts the user to choose)
--reason [unspecified, keycompromise, affiliationchanged, superseded, cessationofoperation] (Default: unspecified)

Wildcard Certificates

A single wildcard certificate can be used to identify multiple subdomains as an alternative to separate regular certificates. To obtain a wildcard certificate you must use the DNS-01 challenge. While there are several vendor-specific plug-ins available that automate the ACME authentication process, we will explain the manual, vendor-neutral process. Access to your domain's name servers is required.

Use the following command to request a wildcard certificate:

certbot certonly --manual --preferred-challenges dns-01 -d '*.example.com'

Certbot will display a value that must be deployed in a DNS TXT record. This TXT record serves as the necessary ownership validation.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Implement a DNS TXT record with the name
_acme-challenge.example.com and with the following value:
Before continuing, verify that the record is created.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to continue

You must create the record specified in your DNS control panel before continuing. Once the record is created, wait a few minutes before pressing Enter, which triggers the ACME server to verify it. In some cases, a longer wait may be necessary for the new record to propagate correctly and become accessible. After the certificate is successfully issued, the chain and private key will be saved in /etc/letsencrypt/live/example.com/.
