Certbot

Certbot is a free, open-source tool that automates the process of obtaining and renewing SSL/TLS certificates from Let’s Encrypt, a Certificate Authority (CA) that provides free certificates. SSL/TLS certificates are essential for enabling HTTPS, which encrypts data transmitted between your server and clients, ensuring security and privacy. Certbot makes it easy to secure websites by automating certificate issuance and renewal.

1. What is Certbot?

Certbot is a client application for Let’s Encrypt that helps users automatically obtain and install SSL/TLS certificates for their web servers. It simplifies the process of transitioning websites from HTTP to HTTPS by handling the creation, validation, issuance, and renewal of certificates.

Key Features:

  • Free Certificates: Certbot works with Let’s Encrypt, a free CA, to obtain free SSL/TLS certificates.
  • Automation: Certbot automates the process of obtaining and renewing certificates, ensuring that HTTPS is always enabled.
  • Integration with Web Servers: Certbot can automatically configure popular web servers (e.g., Apache, Nginx) to use SSL.
  • Cross-Platform: Certbot works on most Unix-based systems (e.g., Linux, macOS), as well as Windows.

2. How SSL/TLS Certificates Work

SSL/TLS certificates enable secure HTTPS connections by encrypting data exchanged between clients (e.g., browsers) and servers.

The process involves:

  • Public/Private Key Pair: A certificate binds a public key to a domain name. The server holds the matching private key; clients use the public key to encrypt, so only the server can decrypt.
  • Certificate Validation: Before issuing, Let’s Encrypt verifies (with Certbot completing the challenge) that you control the domain for which the certificate is requested.
  • Certificate Expiry: Let’s Encrypt certificates are valid for 90 days. Certbot can be set to automatically renew them.

3. How Certbot Works

Certbot works through a challenge-response process in which Let’s Encrypt validates that you control the domain for which you’re requesting the certificate. The most common validation method is the HTTP-01 challenge.

  1. HTTP-01 Challenge: Certbot temporarily creates a special file on your web server that Let’s Encrypt checks over HTTP. If Let’s Encrypt can access the file, the challenge is completed successfully, and the certificate is issued.

  2. DNS-01 Challenge: For wildcard certificates or in some special configurations, Certbot may use a DNS challenge where it verifies ownership by checking a DNS TXT record.

Once Certbot obtains the certificate, it configures your web server to use it, ensuring a secure HTTPS connection.
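To make the two challenges concrete, here is an added example (not Certbot’s own code) that computes what Certbot publishes for HTTP-01 and DNS-01 and the check the CA then performs, following RFC 8555 and RFC 7638. The account key and token are constructed placeholders, not real values.

```python
import base64
import hashlib
import json
import re

_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # ACME tokens are unpadded base64url

def b64url_sha256(data: bytes) -> str:
    """base64url(SHA-256(data)) without '=' padding, as ACME (RFC 8555) requires."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account key: SHA-256 over only the required
    members, sorted, with no whitespace. Extra members like "alg" never count."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return b64url_sha256(json.dumps(members, sort_keys=True, separators=(",", ":")).encode())

def key_authorization(token: str, jwk: dict) -> str:
    """Body Certbot serves at the HTTP-01 URL: <token>.<account key thumbprint>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_path(token: str) -> str:
    """Path the CA fetches. A token that is not base64url is rejected before
    anything is written under the webroot, so it can never escape that directory."""
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url")
    return f"/.well-known/acme-challenge/{token}"

def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value of the _acme-challenge TXT record: base64url(SHA-256(key authorization))."""
    return b64url_sha256(key_authorization(token, jwk).encode("ascii"))

def ca_accepts_http01(served_body: str, token: str, jwk: dict) -> bool:
    """The CA's check: the fetched body (trailing whitespace ignored) must equal
    the expected key authorization exactly."""
    return served_body.rstrip() == key_authorization(token, jwk)

# Constructed sample data: neither a real account key nor a real CA token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-sample-modulus", "alg": "RS256"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print(http01_path(SAMPLE_TOKEN), "->", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("_acme-challenge TXT ->", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Because the thumbprint is derived from the account key rather than the domain, a challenge response is only valid for the account that requested it, which is why the CA can safely fetch it over plain HTTP.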

4. Installation of Certbot

Certbot can be installed on most operating systems, and it integrates well with popular web servers such as Apache and Nginx.

a. Installation on Ubuntu/Debian (Nginx)

  1. Add Certbot’s PPA (Personal Package Archive):

    sudo apt update
    sudo apt install software-properties-common
    sudo add-apt-repository universe
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt update
  2. Install Certbot for Nginx:

    sudo apt install certbot python3-certbot-nginx

b. Installation on CentOS/RHEL (Nginx)

  1. Enable EPEL repository:

    sudo yum install epel-release
  2. Install Certbot for Nginx:

    sudo yum install certbot python3-certbot-nginx

c. Installation on Windows

Certbot can also be installed on Windows through the official Certbot repository.

d. Docker Installation

Certbot can be run as a Docker container. The official certbot/certbot image contains only the core client, without the Nginx or Apache plugins, so use the standalone authenticator and publish port 80 so Let’s Encrypt can reach the HTTP-01 challenge inside the container:

docker run -it --rm --name certbot \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
    -p 80:80 \
    certbot/certbot certonly --standalone -d example.com

5. Obtaining and Installing SSL Certificates with Certbot

Once Certbot is installed, you can use it to obtain and install SSL certificates for your domain.

a. Nginx Auto-Configuration

Certbot can automatically obtain a certificate and configure Nginx for HTTPS:

  1. Run the Certbot command for Nginx:

    sudo certbot --nginx
  2. Certbot will prompt you to enter your email, agree to the terms, and select the domain names for which you want to obtain certificates.

  3. Certbot will automatically update your Nginx configuration to use the new certificates, and your site will be accessible via HTTPS.

b. Apache Auto-Configuration

If you’re using Apache, the process is similar:

  1. Install Certbot for Apache:

    sudo apt install python3-certbot-apache
  2. Obtain and configure certificates:

    sudo certbot --apache

c. Manual Mode

If you’re using a web server that Certbot doesn’t support for automatic configuration, or if you want to handle installation manually, you can use certonly mode:

sudo certbot certonly --manual

Certbot will provide instructions on setting up the challenge (e.g., placing a file on your server or configuring DNS), and once validated, it will generate the certificate files in /etc/letsencrypt/live.

6. Auto-Renewal of Certificates

Let’s Encrypt certificates expire after 90 days, but Certbot can be configured to automatically renew them.

a. Automatic Renewal

Certbot installs a cron job or systemd timer that checks your certificates regularly and renews them if they’re nearing expiration. You can check whether the renewal service is active by running:

systemctl list-timers | grep certbot

b. Testing Auto-Renewal

You can simulate the renewal process to ensure it works:

sudo certbot renew --dry-run

If successful, Certbot will automatically renew certificates before they expire.

c. Manual Renewal

If you prefer to renew certificates manually, you can use the following command:

sudo certbot renew

7. Wildcard Certificates

Wildcard certificates allow you to secure multiple subdomains with a single certificate. For example, a wildcard certificate for *.example.com would cover www.example.com, api.example.com, etc.

Certbot supports obtaining wildcard certificates using the DNS-01 challenge, which requires adding a DNS TXT record to your domain’s DNS settings.

Obtaining a Wildcard Certificate:

  1. Run Certbot in manual mode with the DNS challenge (quote the wildcard so the shell does not expand it):

    sudo certbot certonly --manual --preferred-challenges dns -d '*.example.com' -d example.com
  2. Certbot will instruct you to create a TXT record in your DNS with a specified value. After adding the DNS record, Certbot will verify it and issue the wildcard certificate.

8. Certbot Commands Overview

Certbot offers various commands for obtaining, renewing, and managing certificates:

  • Obtain and Install Certificate (Nginx/Apache):

    sudo certbot --nginx  # For Nginx
    sudo certbot --apache  # For Apache
  • Obtain Certificate without Web Server Configuration:

    sudo certbot certonly --manual
  • Renew All Certificates:

    sudo certbot renew
  • Simulate Renewal for Testing:

    sudo certbot renew --dry-run
  • List All Certificates:

    sudo certbot certificates
  • Revoke a Certificate:

    sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem
  • Delete a Certificate:

    sudo certbot delete --cert-name example.com

9. Certbot with DNS API for Automatic DNS-01 Challenge

For fully automating wildcard certificate issuance or using the DNS-01 challenge, Certbot integrates with DNS providers via their APIs. You’ll need credentials (API keys) for your DNS provider.

Here’s an example of how to use Certbot with the Cloudflare DNS API:

  1. Install the Cloudflare plugin:

    sudo apt install python3-certbot-dns-cloudflare
  2. Use the DNS challenge with Cloudflare:

    sudo certbot certonly \
      --dns-cloudflare \
      --dns-cloudflare-credentials /path/to/your/cloudflare.ini \
      -d example.com \
      -d '*.example.com'

10. Certbot Advanced Configuration

Certbot provides additional flexibility for different use cases:

a. Custom Webroot

You can specify a custom webroot directory to place the validation challenge file for HTTP-01 challenges:

sudo certbot certonly --webroot -w /var/www/html -d example.com

b. Using Hooks

Certbot allows you to run custom commands during certificate issuance or renewal using hooks. Hooks can be used to restart services or perform actions after a successful renewal.

  • Pre-Hook (--pre-hook): Runs before obtaining or renewing a certificate.
  • Post-Hook (--post-hook): Runs after the attempt finishes, whether or not a new certificate was obtained.
  • Deploy-Hook (--deploy-hook, which the older --renew-hook name aliases): Runs only after a successful issuance or renewal.

Example of a deploy hook to reload Nginx after each successful renewal:

sudo certbot renew --deploy-hook "systemctl reload nginx"

c. Staging Environment

You can use Certbot’s staging environment to test the issuance process without hitting Let’s Encrypt’s rate limits:

sudo certbot --staging --nginx

11. Managing Multiple Domains

Certbot allows you to manage certificates for multiple domains, even combining multiple domain names in a single certificate.

Issue a Multi-Domain Certificate:

sudo certbot --nginx -d example.com -d www.example.com -d blog.example.com

This will issue a certificate that covers all specified domains.

12. Certbot for Other Web Servers

Although Certbot offers automated configuration for Nginx and Apache, you can use it with other web servers (e.g., Caddy, HAProxy, Lighttpd) by using certonly mode and manually configuring the certificate.

Example for HAProxy:

  1. Obtain the certificate:

    sudo certbot certonly --standalone -d example.com
  2. Combine the chain and private key into one file, because HAProxy’s crt directive expects the private key and the full certificate chain in a single PEM (/etc/haproxy/certs is an example location, not a Certbot default), and keep it readable by root only:

    sudo mkdir -p /etc/haproxy/certs
    sudo sh -c 'cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem > /etc/haproxy/certs/example.com.pem'
    sudo chmod 600 /etc/haproxy/certs/example.com.pem
  3. Point the HAProxy bind line at the combined file:

    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
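The hooks from section 10 and the HAProxy setup above fit together naturally: the combined PEM must be rebuilt on every renewal. The following added example (not Certbot’s or HAProxy’s own code) is a --deploy-hook script that does this, relying on the RENEWED_LINEAGE and RENEWED_DOMAINS variables Certbot exports to deploy hooks; the /etc/haproxy/certs directory and the placeholder PEM text in demo() are assumptions.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path

HAPROXY_CERT_DIR = Path("/etc/haproxy/certs")  # assumed location, not a Certbot default

def build_haproxy_pem(lineage: Path, out_dir: Path) -> Path:
    """Write <out_dir>/<lineage name>.pem = fullchain.pem + privkey.pem.
    The file is created with mode 0600 and moved into place atomically, so the
    private key is never world-readable and HAProxy never reads a partial file."""
    out_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    chain = (lineage / "fullchain.pem").read_bytes()
    if not chain.endswith(b"\n"):
        chain += b"\n"  # keep the two PEM blocks on separate lines
    body = chain + (lineage / "privkey.pem").read_bytes()
    target = out_dir / f"{lineage.name}.pem"
    tmp = out_dir / f".{lineage.name}.pem.tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(body)
    os.replace(tmp, target)
    return target

def main() -> int:
    # Certbot exports RENEWED_LINEAGE (the live/<name> directory) and
    # RENEWED_DOMAINS (space-separated) to deploy hooks.
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        print("RENEWED_LINEAGE is unset; run via certbot --deploy-hook", file=sys.stderr)
        return 2
    target = build_haproxy_pem(Path(lineage), HAPROXY_CERT_DIR)
    print(f"deployed {os.environ.get('RENEWED_DOMAINS', '?')} -> {target}")
    subprocess.run(["systemctl", "reload", "haproxy"], check=True)
    return 0

def demo() -> tuple:
    """Offline check using constructed placeholder PEM text (not real keys)."""
    with tempfile.TemporaryDirectory() as tmp:
        lineage = Path(tmp) / "live" / "example.com"
        lineage.mkdir(parents=True)
        (lineage / "fullchain.pem").write_bytes(b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----")
        (lineage / "privkey.pem").write_bytes(b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n")
        out = build_haproxy_pem(lineage, Path(tmp) / "haproxy")
        return out.read_bytes(), out.stat().st_mode & 0o777

if __name__ == "__main__":
    sys.exit(main())
```

Install it as, for example, `sudo certbot renew --deploy-hook /usr/local/bin/haproxy-deploy.py`; because a deploy hook only fires on successful renewal, HAProxy is never reloaded against an unchanged or missing certificate.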

13. Certbot Logging

Certbot logs its actions to /var/log/letsencrypt/. This directory contains detailed logs about every certificate issuance or renewal attempt, which can be helpful for debugging or reviewing the certificate process.

14. Rate Limits

Let’s Encrypt imposes rate limits to prevent abuse:

  • Certificates per Registered Domain: You can issue a maximum of 50 certificates per domain per week.
  • Duplicate Certificate Limit: 5 duplicate certificates for the same domain set per week.
  • Account Limits: Each account can create up to 300 new orders per 3 hours.

You can check Let’s Encrypt’s official rate limits documentation for detailed information.

15. Certbot Security Considerations

a. Private Key Security

The private key for your certificates is stored in /etc/letsencrypt/live/domain_name/privkey.pem. The files under live/ are symlinks into /etc/letsencrypt/archive/, so both directories must be accessible only to root and the services that need them, to prevent unauthorized access.

b. Firewall Configuration

Ensure that your firewall allows incoming traffic on port 80 (for the HTTP-01 challenge) and port 443 for HTTPS.
