#compsci #python

Certbot is an [[Apache License]]-licensed Python certificate management program that implements the [[ACME protocol]]. It was previously named letsencrypt.

## Certificates and lineages

![[Pasted image 20260501035203.png]]

## Installation

Installation through [[docker]], pip or third-party distributions (e.g. distro repos) is available.

## Use

### Getting certificates

![[Pasted image 20260501035449.png]]

To obtain a certificate and also install it, use the `certbot` command. To obtain the certificate without installing it anywhere, use the `certbot certonly` command.

![[Pasted image 20260501035540.png]]
![[Pasted image 20260501035616.png]]
![[Pasted image 20260501035627.png]]

The Apache webserver plugin automates both obtaining and installing certificates; to select it, pass `--apache`. If you're running a local webserver and you'd prefer not to stop it during the certificate issuance process, use the webroot plugin with `--webroot` and `certonly`. You also need to specify the webroot path with `--webroot-path` or `-w`: this is the directory your webserver already serves for the domain, and Certbot drops the HTTP-01 challenge files under `/.well-known/acme-challenge/` inside it, so that path must be reachable over plain HTTP on port 80 for every domain requested with `-d`.

```bash
certbot certonly --webroot -w /var/www/example -d www.example.com
```

![[Pasted image 20260501035951.png]]

To use the nginx plugin:

```bash
certbot --nginx
```

Use standalone mode to obtain a certificate if you don't want to use existing server software:

```bash
certbot certonly --standalone
```

The standalone plugin needs to bind to port 80 in order to perform domain validation, so you may need to stop your existing webserver for the duration of the run (the `--pre-hook` and `--post-hook` options exist to stop it and start it again around each issuance or renewal).

![[Pasted image 20260501040239.png]]
![[Pasted image 20260501040447.png]]

You can also combine plugins:

![[Pasted image 20260501040502.png]]

### Managing certificates

To view a list of the certificates Certbot knows about, run the `certificates` subcommand:

![[Pasted image 20260501040610.png]]

You can use the `certonly` or `run` subcommands to request the creation of a single new certificate. If a certificate is requested with `run` or `certonly` specifying a certificate name (`--cert-name`) that already exists, Certbot updates the existing certificate in place (for example to add or drop domains) rather than creating a second lineage with a `-0001` suffix.
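The webroot flow above, driven non-interactively and rehearsed against the staging directory before the real run, followed by a `certbot delete` that first checks the webserver config still does not point at the lineage, as an added shell example; it is not part of this note or of the Certbot project. The names `www.example.com`, `example.com`, `/var/www/example`, `hostmaster@example.com`, the nginx reload hook and the `CERTBOT`, `ACME_SERVER` and `DEPLOY_HOOK` overrides are assumptions for illustration; every `certbot` flag used is a real one.

```bash
#!/bin/sh
# Added example, not Certbot project code. Assumed: the example.com names,
# the webroot /var/www/example, the contact address and an nginx reload hook.
# Set CERTBOT=echo to preview the exact command line without contacting a CA.
CERTBOT="${CERTBOT:-certbot}"
ACME_SERVER="${ACME_SERVER:-https://acme-v02.api.letsencrypt.org/directory}"
DEPLOY_HOOK="${DEPLOY_HOOK:-systemctl reload nginx}"

# issue_cert <rehearse|live> <cert-name> <webroot> <email> <domain>...
# The argument list is built with 'set --', so paths and hook commands that
# contain spaces survive intact (no string splitting, no eval).
issue_cert() {
  local mode=$1 name=$2 webroot=$3 email=$4
  shift 4
  [ $# -gt 0 ] || { echo "issue_cert: at least one domain required" >&2; return 2; }
  # rewrite the remaining positional params "a b" into "-d a -d b"
  for d in "$@"; do set -- "$@" -d "$d"; shift; done
  # --cert-name pins the lineage: re-running updates www.example.com instead
  # of creating www.example.com-0001; --deploy-hook reloads the server only
  # after a certificate was actually issued.
  set -- certonly --non-interactive --agree-tos --no-eff-email \
         --email "$email" --webroot -w "$webroot" --cert-name "$name" \
         --key-type ecdsa --deploy-hook "$DEPLOY_HOOK" "$@"
  case $mode in
    # --dry-run talks to the staging directory and discards the result, so the
    # same flags can be proven out without touching production rate limits
    rehearse) set -- "$@" --dry-run ;;
    # --server selects the ACME directory; production Let's Encrypt by default
    live)     set -- "$@" --server "$ACME_SERVER" ;;
    *) echo "issue_cert: mode must be rehearse or live" >&2; return 2 ;;
  esac
  "$CERTBOT" "$@"
}

# lineage_referenced <cert-name> <config-dir>...
# True if any file under the given directories still points at the lineage.
lineage_referenced() {
  local name=$1
  shift
  grep -rqF "/etc/letsencrypt/live/$name/" "$@" 2>/dev/null
}

# safe_delete <cert-name> <config-dir>...
# Refuses to run 'certbot delete' while a webserver config references the
# lineage: deleting first would leave the server unable to reload or start.
safe_delete() {
  local name=$1
  shift
  [ $# -gt 0 ] || { echo "safe_delete: give the config dirs to scan" >&2; return 2; }
  if lineage_referenced "$name" "$@"; then
    echo "refusing to delete $name: still referenced under $*" >&2
    return 1
  fi
  "$CERTBOT" delete --cert-name "$name" --non-interactive
}

# Typical sequence: rehearse, then issue for real, later retire a lineage.
# issue_cert rehearse www.example.com /var/www/example hostmaster@example.com www.example.com example.com
# issue_cert live     www.example.com /var/www/example hostmaster@example.com www.example.com example.com
# safe_delete old.example.com /etc/nginx
```

Running the rehearsal first costs nothing against production rate limits, and because `issue_cert` builds one argument list for both modes, a flag that passes the rehearsal is exactly the flag the live run sends.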
![[Pasted image 20260501040837.png]]
![[Pasted image 20260501040856.png]]
![[Pasted image 20260501040937.png]]
![[Pasted image 20260501040952.png]]
![[Pasted image 20260501041001.png]]
![[Pasted image 20260501041025.png]]
![[Pasted image 20260501041043.png]]
![[Pasted image 20260501041100.png]]

Unless you name the certificate with `--cert-name`, you'll be prompted to choose one or more certificates to delete. When deleting a certificate, make sure your webserver's config no longer references its files first: `certbot delete` removes the lineage from `live/`, `archive/` and `renewal/`, and a server that still points at those paths will fail on its next reload or restart.

![[Pasted image 20260501041202.png]]
![[Pasted image 20260501041257.png]]
![[Pasted image 20260501041330.png]]
![[Pasted image 20260501041321.png]]

### Location of certs

All generated keys and issued certificates can be found in `/etc/letsencrypt/live/$domain`, where `$domain` is the certificate name. Rather than copying, point your server config directly to those files or create symlinks: the entries in `live/` are themselves symlinks that renewal repoints at the newest files in `archive/`, so a copy silently goes stale at the first renewal. The containing directories in /etc/letsencrypt/live are created with permissions of 0700, meaning that certs are at first accessible only to servers that run as the root user. If a service runs as a non-root user, grant it access to `privkey.pem` through a dedicated group rather than making the key or the directories world-readable; the certificate files are public, the key is the secret.

In the `$domain` folder, the following files are available:

![[Pasted image 20260501041658.png]]
![[Pasted image 20260501041706.png]]

### Changing the ACME server

By default, Certbot uses Let's Encrypt's production server at https://acme-v02.api.letsencrypt.org/directory. You can tell Certbot to use a different CA by providing `--server` on the command line or in a config file with the URL of the server's ACME directory. E.g. to use Let's Encrypt's staging server, add `--server https://acme-staging-v02.api.letsencrypt.org/directory` to the command line (`--staging`/`--test-cert` and `--dry-run` select it as well). Staging certificates are signed by an untrusted test CA, so use it to rehearse a new setup, never for a live site. The server chosen at issuance is recorded in the lineage's renewal configuration, so later `certbot renew` runs keep using it.

![[Pasted image 20260501041921.png]]

### Lock files

![[Pasted image 20260501041955.png]]

### Config file

Certbot accepts a global config file that applies its options to all invocations of Certbot. It uses the long option names without the leading dashes, one per line (e.g. `rsa-key-size = 4096`). Certificate-specific configuration choices are stored in the .conf files in /etc/letsencrypt/renewal, one per lineage: the domains, authenticator, server and hooks chosen when the certificate was obtained are recorded there and re-used by `certbot renew`, so per-certificate settings do not belong in the global file.
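A check over the `live/`, `archive/` and `renewal/` layout described in the two sections above, as an added shell example that is not part of this note or of the Certbot project: it verifies that each file in `live/<name>` is still a symlink into `archive/<name>`, that the lineage's renewal `.conf` exists, and that `privkey.pem` is not group- or world-readable. The `LETSENCRYPT_DIR` override, the `check_lineage`/`check_expiry` names and the 30-day expiry window are assumptions for illustration.

```bash
#!/bin/sh
# Added example, not Certbot project code. Checks that a lineage under
# /etc/letsencrypt/live/<name> still has the layout Certbot maintains.
# LETSENCRYPT_DIR is an assumed override so the check can run on a test tree.
LETSENCRYPT_DIR="${LETSENCRYPT_DIR:-/etc/letsencrypt}"

# check_lineage <cert-name>
# Returns 0 if the lineage looks healthy; otherwise lists problems on stderr.
check_lineage() {
  local name=$1 live archive f target perms ok=0
  live="$LETSENCRYPT_DIR/live/$name"
  archive="$LETSENCRYPT_DIR/archive/$name"
  [ -d "$live" ] || { echo "$live: no such lineage (see 'certbot certificates')" >&2; return 1; }
  for f in cert.pem chain.pem fullchain.pem privkey.pem; do
    # live/ entries are symlinks into archive/<name>/; a regular file here is
    # usually a copy someone made, which renewal will never update
    if [ ! -L "$live/$f" ]; then
      echo "$live/$f: missing or not a symlink" >&2; ok=1; continue
    fi
    [ -e "$live/$f" ] || { echo "$live/$f: dangling symlink" >&2; ok=1; }
    target=$(readlink "$live/$f")
    case $target in
      */archive/"$name"/*) ;;
      *) echo "$live/$f -> $target: points outside $archive" >&2; ok=1 ;;
    esac
  done
  # without renewal/<name>.conf, 'certbot renew' has nothing to renew here
  [ -f "$LETSENCRYPT_DIR/renewal/$name.conf" ] || { echo "renewal/$name.conf missing" >&2; ok=1; }
  # the key is the only secret in the directory: it must not be readable
  # beyond its owner (or a dedicated group); -L follows the symlink
  if [ -e "$live/privkey.pem" ]; then
    perms=$(stat -L -c %a "$live/privkey.pem" 2>/dev/null || stat -L -f %Lp "$live/privkey.pem")
    case $perms in
      *00|*40) ;;
      *) echo "privkey.pem mode $perms: expected 0600 (or 0640 with a dedicated group)" >&2; ok=1 ;;
    esac
  fi
  return $ok
}

# check_expiry <cert-name> [days]
# Exit 0 if the leaf certificate in fullchain.pem is valid for at least <days>
# more days (default 30: 'certbot renew' should have replaced it before then).
check_expiry() {
  local name=$1 days=${2:-30}
  openssl x509 -in "$LETSENCRYPT_DIR/live/$name/fullchain.pem" -noout \
    -checkend $((days * 86400))
}

# check_lineage www.example.com && check_expiry www.example.com
```

Run it from the same cron or timer that runs `certbot renew`, after the renewal, so a lineage that someone replaced with copies or whose key permissions were loosened is reported before it expires rather than when the server fails to reload.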
System-wide config choices are read from /etc/letsencrypt/cli.ini or ~/.config/letsencrypt/cli.ini (or from a file you pass explicitly with `-c`/`--config`). Because this file applies to every invocation, including renewals of every lineage, do not list domains in it.

![[Pasted image 20260501042601.png]]

### Logs

By default Certbot stores status logs in /var/log/letsencrypt (changeable with `--logs-dir`). The log holds the full detail of each run, including the ACME error messages behind a failed challenge, so it is the first place to look when validation fails.
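A global `cli.ini` of the kind the config-file section describes, written from a heredoc, together with a lint that rejects the per-certificate and staging settings that should never be global, as an added shell example; it is not part of this note or of the Certbot project. The `CLI_INI` override, the `write_cli_ini`/`lint_cli_ini` names, the example.com address and webroot, and the nginx reload hook are assumptions for illustration; the option names in the file are real Certbot long options.

```bash
#!/bin/sh
# Added example, not Certbot project code. Writes a system-wide cli.ini and
# lints it. CLI_INI is an assumed override so it can target a test path.
CLI_INI="${CLI_INI:-/etc/letsencrypt/cli.ini}"

# Options use the long flag names without leading dashes; a boolean flag
# becomes "name = true". Everything here applies to every lineage on the host.
write_cli_ini() {
  mkdir -p "$(dirname "$CLI_INI")"
  cat > "$CLI_INI" <<'EOF'
# Applies to every certbot run (obtain and renew alike): only settings that
# are right for *all* certificates on this host belong here.
key-type = ecdsa
elliptic-curve = secp384r1
email = hostmaster@example.com
agree-tos = true
no-eff-email = true
authenticator = webroot
webroot-path = /var/www/example
deploy-hook = systemctl reload nginx
max-log-backups = 50
EOF
}

# lint_cli_ini: exit 1 if the global file carries settings that belong to a
# single certificate (they live in renewal/<name>.conf) or points every
# renewal at the staging CA, which would silently replace trusted certs with
# untrusted ones.
lint_cli_ini() {
  local bad
  bad=$(grep -nE '^[[:space:]]*(domains|domain|cert-name)[[:space:]]*=' "$CLI_INI" || true)
  if [ -n "$bad" ]; then
    echo "$CLI_INI: per-certificate option in the global file:" >&2
    echo "$bad" >&2
    return 1
  fi
  if grep -qE '^[[:space:]]*(staging|test-cert)[[:space:]]*=|acme-staging' "$CLI_INI"; then
    echo "$CLI_INI: staging ACME server configured globally" >&2
    return 1
  fi
  return 0
}

# write_cli_ini && lint_cli_ini
```

`certbot renew` re-reads this file on every run, which is why a `domains` or `staging` line that looked harmless during a one-off `certonly` becomes a fleet-wide problem at the next renewal; the lint makes that class of mistake fail before the file is deployed.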