certbot Command: Tutorial & Examples

Automating SSL/TLS Certificate Management

certbot is a powerful command-line tool that enables the automation of the entire certificate lifecycle, including certificate issuance, renewal, installation, and configuration. It is part of the larger Let's Encrypt project, which aims to make secure communication over the internet freely available for everyone.

With certbot, you can obtain valid SSL/TLS certificates from Let's Encrypt, a trusted Certificate Authority, and effortlessly integrate them into your server's web server software. This eliminates the need for manual certificate generation and renewal, simplifying the process for both beginners and experienced system administrators.

Securing your website or application with SSL/TLS certificates is crucial in today's digital landscape. SSL/TLS certificates encrypt the communication between clients (such as web browsers) and your server, ensuring that sensitive information remains private and protected against eavesdropping or tampering.

Using certbot offers several key advantages:

  1. Automated Certificate Management: certbot automates the entire certificate lifecycle, from obtaining and renewing certificates to handling installation and configuration. This automation saves you time and effort while ensuring that your certificates are always up to date.

  2. Let's Encrypt Integration: certbot seamlessly integrates with Let's Encrypt, allowing you to obtain free SSL/TLS certificates without the need for manual intervention. This integration makes it easy to maintain secure connections for your website or application.

  3. Simplified Configuration: certbot streamlines the configuration process by automatically adjusting your web server settings to use the obtained certificates. This simplification means you don't have to worry about complex configuration files or settings.

  4. Widely Supported: certbot supports a wide range of Linux distributions and web server software, making it a versatile tool for securing various server environments.

How does certbot work?

certbot relies on the ACME (Automated Certificate Management Environment) protocol to interact with Let's Encrypt and automate the certificate management process. When you run certbot, it communicates with the Let's Encrypt servers, verifies your ownership of the domain, and generates the required SSL/TLS certificates.

Once the certificates are obtained, certbot can automatically configure your web server software (such as Apache or Nginx) to use the certificates for encrypted connections. Additionally, certbot sets up a renewal mechanism that periodically checks for expiring certificates and automatically renews them, ensuring uninterrupted security for your server.

Examples of using certbot

Here are a few examples demonstrating how to use certbot:

  1. Obtaining and Installing Certificates:

    To obtain and install SSL/TLS certificates for a domain, use the following command:

    certbot certonly --webroot -w /var/www/html -m youremail@example.com --agree-tos -d example.com -d www.example.com

    This command instructs certbot to obtain certificates for both example.com and www.example.com, using the webroot plugin to verify domain ownership. The obtained certificates are saved to a specific location on your server. When you provide your email address using the parameters -m and --agree-tos the process will run completely automatic, otherwise certbot may ask you some questions before creating your certificate.

    Before you actually request new certificates, it is a good idea to test that everything would work correctly. You can easily do this if you add the --dry-run parameter to the command. Otherwise, if you make too many request, you may get blacklisted by Let's Encrypt as they enforce a rate limit on their API.

  2. Renewing Certificates:

    To renew expiring certificates, simply run the following command:

    certbot renew

    certbot automatically checks for expiring certificates and renews them if necessary. This command is typically run periodically, such as through a cron job, to ensure continuous certificate validity.

  3. Automatically Configuring Nginx:

    If you're using Nginx as your web server software, certbot can automatically configure it to use the obtained certificates. Use the following command:

    certbot --nginx

    certbot will detect your Nginx installation, adjust the server blocks to enable HTTPS, and configure the certificates accordingly.

  4. Wildcard Certificate using DNS challenge:

    Here's a little more complex example that will request a wildcard certificate, that is also valid for all subdomains. For this certificate you will have to demonstrate, that you have full control over the complete zone and not only for one subdomain. You can easily do that when you add a TXT record to your DNS zone:

    certbot certonly --manual --preferred-challenges=dns -d "*.example.com" -d "example.com"

    The --manual parameters tells certbot to ask the user to perform the actual challenge. Let's Encrypt will tell you a secret string that you need to add to your DNS records. If this string is found by certbot it will know, that you're the owner of the zone and create the certificate for you.

    If you don't want to perform the challenge manually, you can automate configuring your DNS with a script using --manual-auth-hook:

    certbot certonly --dry-run --manual --manual-auth-hook /etc/letsencrypt/dns.sh --deploy-hook /etc/letsencrypt/deploy.sh --preferred-challenges dns --debug-challenges -d "*.example.com" -d "example.com"

    Don't forget to use the --dry-run parameter while you're experimenting, to avoid hitting the rate limit of Let's Encrypt.

These examples provide a glimpse of the possibilities with certbot. It's a versatile tool that caters to different server environments and offers various plugins for different web server software and verification methods.


With the help of certbot, managing SSL/TLS certificates for your Linux server becomes a breeze. By automating the process, you can focus on other important tasks while ensuring your server enjoys the benefits of secure and encrypted connections. Don't let the complexities of certificate management hold you backā€”let certbot handle it for you.

Except where otherwise noted, content on this site is licensed under a CC BY-SA 4.0 license CC BY SA