
certbot Cheatsheet



Certbot automates obtaining and renewing Let's Encrypt SSL/TLS certificates. Free certificates that actually work. Because paying for SSL in 2024 is just silly.


Installation

  • apt install certbot python3-certbot-nginx - Install with Nginx plugin (Debian/Ubuntu)
  • apt install certbot python3-certbot-apache - Install with Apache plugin
  • yum install certbot python3-certbot-nginx - Install on RHEL/CentOS
  • snap install --classic certbot - Install via snap

Obtaining Certificates

  • certbot --nginx -d example.com - Auto-configure Nginx and get cert
  • certbot --apache -d example.com - Auto-configure Apache and get cert
  • certbot certonly --nginx -d example.com - Get cert only, don't modify config
  • certbot certonly --standalone -d example.com - Standalone mode (Certbot binds port 80 itself; the web server must be stopped first)
  • certbot certonly --webroot -w /var/www/html -d example.com - Webroot mode
  • certbot certonly -d example.com -d www.example.com - Multiple domains
  • certbot certonly --dns-cloudflare -d example.com - DNS challenge (Cloudflare)
  • certbot certonly --dns-route53 -d example.com - DNS challenge (AWS Route53)

Wildcard Certificates

  • certbot certonly --dns-cloudflare -d *.example.com -d example.com - Wildcard cert
  • certbot certonly --manual --preferred-challenges dns -d *.example.com - Manual DNS challenge

Renewal

  • certbot renew - Renew all certificates that are close to expiry
  • certbot renew --dry-run - Test renewal without actually renewing
  • certbot renew --force-renewal - Force renewal even if not expiring soon
  • certbot renew --cert-name example.com - Renew specific certificate
  • certbot renew --post-hook "systemctl reload nginx" - Run command after renewal
  • certbot renew --pre-hook "systemctl stop nginx" - Run command before renewal

Certificate Management

  • certbot certificates - List all certificates
  • certbot certificates --cert-name example.com - Show details of one certificate (there is no "certbot show" subcommand)
  • certbot delete --cert-name example.com - Delete certificate (delete takes --cert-name, not -d)
  • certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem - Revoke certificate
  • certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem --reason keycompromise - Revoke with reason

Testing & Staging

  • certbot --staging -d example.com - Use Let's Encrypt staging server (no rate limits)
  • certbot --test-cert -d example.com - Alias for --staging
  • certbot renew --dry-run - Test renewal process

Automation & Cron

  • certbot renew --quiet --no-self-upgrade - Silent renewal (for cron)
  • certbot renew --quiet --post-hook "systemctl reload nginx" - Auto-reload after renewal
  • 0 0 * * * certbot renew --quiet --no-self-upgrade - Cron job (daily at midnight)
  • 0 3 * * 0 certbot renew --quiet --post-hook "systemctl reload nginx" - Weekly renewal

Common Examples

Get Certificate for Nginx

certbot --nginx -d example.com -d www.example.com

Automatically configure Nginx and obtain certificate for multiple domains.

Get Certificate with Webroot

certbot certonly --webroot -w /var/www/html -d example.com

Get certificate without modifying web server config. Web server must be running.

Standalone Mode

certbot certonly --standalone -d example.com

Get certificate when web server isn't configured yet. Certbot runs its own server temporarily.

Wildcard Certificate

certbot certonly --dns-cloudflare -d *.example.com -d example.com

Get wildcard certificate using DNS challenge. Requires DNS provider plugin.

Test Renewal

certbot renew --dry-run

Test the renewal process without actually renewing certificates.

Auto-Renewal with Reload

certbot renew --quiet --post-hook "systemctl reload nginx"

Renew certificates and reload Nginx automatically. Perfect for cron jobs.
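A plain `--post-hook "systemctl reload nginx"` reloads Nginx after every run, even when the renewed lineage is not one Nginx serves or when the Nginx configuration is currently broken. The script below is an added example, not part of this cheatsheet or of Certbot: a deploy hook that reloads only when the renewed lineage is actually referenced by Nginx and only after `nginx -t` passes, so a renewal never reloads into a broken configuration. Certbot really does export `RENEWED_LINEAGE` and `RENEWED_DOMAINS` to deploy hooks; the lineage list, the install path and the overridable command variables are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Certbot's own code): deploy hook that reloads Nginx only when
# the renewed lineage is one Nginx serves and the config test passes.
# Certbot sets RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and
# RENEWED_DOMAINS in the environment of --deploy-hook scripts.
# Suggested location (assumption): /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh

# Lineages whose certificates are referenced from the Nginx config (constructed values).
NGINX_LINEAGES="${NGINX_LINEAGES:-/etc/letsencrypt/live/example.com /etc/letsencrypt/live/api.example.com}"
# The test and reload commands are variables so the decision logic can be exercised
# without a real Nginx; in production the defaults apply.
NGINX_TEST_CMD="${NGINX_TEST_CMD:-nginx -t}"
NGINX_RELOAD_CMD="${NGINX_RELOAD_CMD:-systemctl reload nginx}"

# lineage_is_served LINEAGE -> 0 if Nginx serves a certificate from that lineage
lineage_is_served() {
  for lineage in $NGINX_LINEAGES; do
    [ "$lineage" = "$1" ] && return 0
  done
  return 1
}

# deploy_lineage LINEAGE -> 0 reloaded
#                           1 skipped (Nginx does not use this lineage)
#                           2 config test failed (reload deliberately withheld;
#                             the previously loaded certificate stays active)
deploy_lineage() {
  if ! lineage_is_served "$1"; then
    echo "deploy-hook: $1 is not used by nginx, skipping reload" >&2
    return 1
  fi
  if ! $NGINX_TEST_CMD >/dev/null 2>&1; then
    echo "deploy-hook: nginx config test failed, NOT reloading" >&2
    return 2
  fi
  $NGINX_RELOAD_CMD
}

# When run by certbot, RENEWED_LINEAGE is set; otherwise do nothing.
if [ -n "$RENEWED_LINEAGE" ]; then
  deploy_lineage "$RENEWED_LINEAGE"
fi
```

Make the file executable and place it in the deploy-hooks directory, or pass it with `--deploy-hook`; unlike `--post-hook`, a deploy hook runs once per lineage that was actually renewed, which is why the script can key its decision on `RENEWED_LINEAGE`.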


Tips

  • Use --staging first to test without hitting rate limits
  • Set up automatic renewal via cron or systemd timer
  • Webroot mode is best when web server is already configured
  • Standalone mode requires stopping web server temporarily
  • DNS challenges are needed for wildcard certificates
  • Certificates are stored in /etc/letsencrypt/live/domain/
  • Certificates auto-renew when they're within 30 days of expiry
  • Use --dry-run to test renewal without actually renewing
  • Check certificate expiration: openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -dates
  • Rate limits: 50 certs per registered domain per week (production)
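The openssl one-liner in the tips prints the validity dates but leaves the arithmetic to the reader. The script below is an added example, not part of this cheatsheet: it turns that command into a check that reports days remaining and fails once a certificate is closer to expiry than a working renewal would ever let it get, which is the signal that `certbot renew` has been silently failing. It assumes GNU coreutils `date -d` (Linux); the 20-day threshold is a chosen default, sitting below the 30-day point at which Certbot renews.

```shell
#!/bin/sh
# Added example (not from the cheatsheet): days-to-expiry check for a certificate file.
# Assumption: GNU date (-d) is available, as on Linux.

# days_left NOTAFTER [NOW_EPOCH] -> prints whole days until NOTAFTER
#   NOTAFTER is in openssl's format, e.g. "Jan  1 00:00:00 2030 GMT";
#   NOW_EPOCH defaults to the current time and is overridable for testing.
days_left() {
  end=$(date -u -d "$1" +%s) || return 1
  now=${2:-$(date -u +%s)}
  echo $(( (end - now) / 86400 ))
}

# assess_days DAYS [THRESHOLD] -> 0 if more than THRESHOLD days remain, 1 otherwise
#   Certbot renews at 30 days out, so fewer than 20 means renewal is not working.
assess_days() {
  threshold=${2:-20}
  [ "$1" -gt "$threshold" ]
}

# cert_days_left CERT_PATH -> prints days until the certificate's notAfter
cert_days_left() {
  notafter=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2)
  [ -n "$notafter" ] || return 1
  days_left "$notafter"
}

# check_cert CERT_PATH [THRESHOLD] -> 0 healthy, 1 expiring soon, 2 unreadable
check_cert() {
  days=$(cert_days_left "$1") || { echo "ERROR: cannot read $1" >&2; return 2; }
  if assess_days "$days" "${2:-20}"; then
    echo "OK: $1 expires in $days days"
  else
    echo "WARNING: $1 expires in $days days (threshold ${2:-20})" >&2
    return 1
  fi
}

# Usage: check-cert.sh /etc/letsencrypt/live/example.com/cert.pem [threshold_days]
if [ $# -gt 0 ]; then
  check_cert "$1" "$2"
fi
```

Run it from the same cron or timer that runs `certbot renew`, a few hours later, and alert on a non-zero exit; a certificate that has reached the threshold while renewal is scheduled means the renewal job, the challenge, or the hooks need attention well before the site goes down.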