Certbot
Certbot is Electronic Frontier Foundation's ACME client, which is written in Python and provides conveniences like automatic web server configuration and a built-in webserver for the HTTP challenge. Certbot is recommended by Let's Encrypt.
Installation
Plugins are available for automated configuration and installation of the issued certificates in web servers:
- The Nginx plugin can be installed with the certbot-nginx package.
- The Apache HTTP Server plugin can be installed with the certbot-apache package.
Configuration
Consult the Certbot documentation for more information about creation and usage of certificates.
Plugins
Nginx
The plugin certbot-nginx provides an automatic configuration for nginx. This plugin will try to detect the configuration setup for each domain. The plugin adds extra configuration recommended for security, settings for certificate use, and paths to Certbot certificates. See #Managing Nginx server blocks for examples.
First time setup of server-blocks:
# certbot --nginx
To renew certificates:
# certbot renew
To change certificates without modifying nginx configuration files:
# certbot --nginx certonly
See Certbot-Nginx on Arch Linux for more information and #Automatic renewal to keep installed certificates valid.
Managing Nginx server blocks
The following example may be used in all server blocks when managing these files manually:
/etc/nginx/sites-available/example
server {
listen 443 ssl http2;
listen [::]:443 ssl http2; # Listen on IPv6
ssl_certificate /etc/letsencrypt/live/''domain''/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/''domain''/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf;
..
}
See nginx#TLS for more information.
It is also possible to create a separated configuration file and include it in each server block:
/etc/nginx/conf/001-certbot.conf
ssl_certificate /etc/letsencrypt/live/''domain''/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/''domain''/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf;
/etc/nginx/sites-available/example
server {
listen 443 ssl http2;
listen [::]:443 ssl http2; # Listen on IPv6
include conf/001-certbot.conf;
..
}
Apache
The plugin certbot-apache provides an automatic configuration for the Apache HTTP Server. This plugin will try to detect the configuration setup for each domain. The plugin adds extra configuration recommended for security, settings for certificate use, and paths to Certbot certificates. See #Managing Apache virtual hosts for examples.
First time setup of virtual hosts:
# certbot --apache
To renew certificates:
# certbot renew
To change certificates without modifying Apache configuration files:
# certbot --apache certonly
See Certbot-Apache on Arch Linux for more information and #Automatic renewal to keep installed certificates valid.
Managing Apache virtual hosts
The following example may be used in all virtual hosts when managing these files manually:
/etc/httpd/conf/extra/001-certbot.conf
<IfModule mod_ssl.c> <VirtualHost *:443> Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateFile /etc/letsencrypt/live/'domain'/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/'domain'/privkey.pem </VirtualHost> </IfModule>
/etc/httpd/conf/httpd.conf
<IfModule mod_ssl.c> Listen 443 </IfModule> Include conf/extra/001-certbot.conf ..
See Apache HTTP Server#TLS for more information.
Webroot
When using the webroot method the Certbot client places a challenge response inside which is used for validation.
The use of this method is recommended over a manual install; it offers automatic renewal and easier certificate management. However the usage of #Plugins may be the preferred since it allows automatic configuration and installation.
Mapping ACME-challenge requests
Management of can be made easier by mapping all HTTP-requests for to a single folder, e.g. /var/lib/letsencrypt.
The path has then to be writable for Cerbot and the web server (e.g. nginx or Apache HTTP Server running as user http):
# mkdir -p /var/lib/letsencrypt/.well-known # chgrp http /var/lib/letsencrypt # chmod g+s /var/lib/letsencrypt
nginx
Create a file containing the location block and include this inside a server block:
/etc/nginx/conf.d/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
try_files $uri =404;
}
Example of a server configuration:
Apache
Create the file :
Including this in :
Obtain certificate(s)
Request a certificate for using as public accessible path:
# certbot certonly --email email@example.com --webroot -w /var/lib/letsencrypt/ -d domain.tld
To add a (sub)domain, include all registered domains used on the current setup:
# certbot certonly --email email@example.com --webroot -w /var/lib/letsencrypt/ -d domain.tld,sub.domain.tld
To renew (all) the current certificate(s):
# certbot renew
See #Automatic renewal as alternative approach.
Manual
If there is no plugin for your web server, use the following command:
# certbot certonly --manual
When preferring to use DNS challenge (TXT record) use:
# certbot certonly --manual --preferred-challenges dns
This will automatically verify your domain and create a private key and certificate pair. These are placed in /etc/letsencrypt/archive/your.domain/ and symlinked from .
You can then manually configure your web server to reference the private key, certificate and full certificate chain in the symlinked directory.
Advanced Configuration
systemd
certbot comes with a systemd , which attempts to renew certificates that expire in less than 30 days. If all certificates are not due for renewal, this service does nothing.
If you do not use a plugin to manage the web server configuration automatically, the web server has to be reloaded manually to reload the certificates each time they are renewed. This can be done by adding to the command . Of course use instead of if appropriate. Additional services can be added to the systemctl command as needed, e.g. .
Enable and start to check for certificate renewal twice a day, including a randomized delay so that everyone's requests for renewal will be spread over the day to lighten the Let's Encrypt server load .
Automatic renewal for wildcard certificates
The process is fairly simple. To issue a wildcard certificate, you have to do it via a DNS challenge request, using the ACMEv2 protocol.
While issuing a certificate manually is easy, it is not straight forward for automation. The DNS challenge represents a TXT record, given by certbot, which has to be set manually in the domain zone file.
You will need to update the zone file upon every renew. To avoid doing that manually, you may use RFC 2136 for which certbot has a plugin packaged in certbot-dns-rfc2136. You will also need to configure your DNS server to allow dynamic updates for TXT records.
Configure BIND for rfc2136
Generate a TSIG secret key:
$ tsig-keygen -a HMAC-SHA512 example-key
and add it in the configuration file:
Restart .
Configure certbot for rfc2136
Create a configuration file for the rfc2136 plugin.
Since the file contains a copy of the secret key, secure it with chmod by removing the group and others permissions.
Test what we did:
# certbot certonly --dns-rfc2136 --force-renewal --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini --server https://acme-v02.api.letsencrypt.org/directory --email example@domain.ltd --agree-tos --no-eff-email -d 'domain.ltd' -d '*.domain.ltd'
If you pass the validation successfully and receive certificates, then you are good to go with automating certbot. Otherwise, something went wrong and you need to debug your setup. It basically boils down to running from now on, see #Automatic renewal.