Tran Nghi's Site - Make notes and share experience

Easy way to obtain an SSL/TLS certificate from Let’s Encrypt with certbot-auto


Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client” or “the Let’s Encrypt Python client.” Certbot will also work with any other CAs that support the ACME protocol.

Method 1: Certbot-Auto script

The certbot-auto wrapper script installs Certbot, obtaining some dependencies from your web server OS and putting others in a python virtual environment. You can download and run it as follows:

$ wget
$ chmod a+x ./certbot-auto
$ ./certbot-auto --help

The certbot-auto download is protected by HTTPS, which is pretty good, but if you’d like to double check the integrity of the certbot-auto script, you can use these steps for verification before running it:

$ wget -N
$ gpg2 --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
$ gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc certbot-auto
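
The same check can be scripted so that certbot-auto is only run when the signature was made by the key whose fingerprint is given above. This is an added example, not code from the original post or from the Certbot project. It pins the full fingerprint in an empty temporary keyring instead of using --trusted-key, assumes certbot-auto and certbot-auto.asc are already downloaded, and its function, variable and file names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the Certbot project: verify certbot-auto against one
# pinned fingerprint (the one given on this page) in a throwaway keyring.
PINNED_FPR="A2CFB51FA275A7286234E7B24D17C995CD9775F2"

# Decide from the machine-readable status lines (--status-fd), not the exit
# code alone: succeed only if there is a GOODSIG line and a VALIDSIG line whose
# signing-key field ($3) or primary-key field (last) equals the pinned value.
# $1 = status text, $2 = expected fingerprint (uppercase hex, no spaces)
status_has_pinned_sig() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # Appending "" forces string comparison; hex such as 1E5... would
        # otherwise be compared as numbers.
        $2 == "VALIDSIG" && (($3 "") == (want "") || ($NF "") == (want "")) { pinned = 1 }
        END { exit !(good && pinned) }'
}

# $1 = downloaded certbot-auto, $2 = downloaded certbot-auto.asc
verify_certbot_auto() {
    home=$(mktemp -d) || return 1
    # Empty keyring: only the pinned key can be present, so a signature made
    # by any other key in the normal keyring cannot pass.
    if gpg2 --homedir "$home" --batch --quiet --recv-key "$PINNED_FPR"; then
        status=$(gpg2 --homedir "$home" --batch --status-fd 1 \
                      --verify "$2" "$1" 2>/dev/null)
    else
        status=""
    fi
    rm -rf "$home"
    status_has_pinned_sig "$status" "$PINNED_FPR"
}

# Run as: sh verify.sh certbot-auto certbot-auto.asc (verify.sh is a hypothetical name)
if [ "$#" -eq 2 ]; then
    if verify_certbot_auto "$1" "$2"; then
        echo "signature OK: made by $PINNED_FPR"
    else
        echo "signature check FAILED: do not run $1" >&2
        exit 1
    fi
fi
```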

The certbot-auto command updates to the latest client release automatically. Since certbot-auto is a wrapper around certbot, it accepts exactly the same command-line flags and arguments. For more information, see Certbot command-line options.

For full command line help, you can type:

./certbot-auto --help all


Method 2: Install Certbot-auto (OS-based)

e.g., for Ubuntu 16.04 running Apache

On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you’ll need to do is apt-get the following packages.

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache

Get Started
Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:

$ sudo certbot --apache

Running this command will get a certificate for you and have Certbot edit your Apache configuration automatically to serve it. If you’re feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand:

$ sudo certbot --apache certonly

To learn more about how to use Certbot, read our documentation.

Automating renewal
The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let’s Encrypt certificates last for 90 days, it’s highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

$ sudo certbot renew --dry-run

More detailed information and options about renewal can be found in the full documentation.