LinuxCommandLibrary

certbot

Obtain and install TLS/SSL certificates automatically

TLDR

Obtain a new certificate via webroot authorization, but do not install it automatically

$ sudo certbot certonly --webroot --webroot-path path/to/webroot --domain subdomain.example.com

Obtain a new certificate via nginx authorization, installing the new certificate automatically
$ sudo certbot --nginx --domain subdomain.example.com

Obtain a new certificate via apache authorization, installing the new certificate automatically
$ sudo certbot --apache --domain subdomain.example.com

Renew all Let's Encrypt certificates that expire in 30 days or less (don't forget to restart any servers that use them afterwards)
$ sudo certbot renew

Simulate the obtaining of a new certificate, but don't actually save any new certificates to disk
$ sudo certbot certonly --webroot --webroot-path path/to/webroot --domain subdomain.example.com --dry-run

Obtain an untrusted test certificate instead
$ sudo certbot certonly --webroot --webroot-path path/to/webroot --domain subdomain.example.com --test-cert

SYNOPSIS

certbot [global-options...] command [args...]
Examples:
certbot certonly --standalone -d example.com
certbot --apache -d example.com
certbot renew --dry-run

PARAMETERS

-h, --help
    Show help message and exit.

--version
    Show program's version number and exit.

--debug
    Enable debug logging and more verbose output.

--verbose, -v
    Increase verbosity (use multiple times for more).

--quiet
    Suppress all output except errors.

--non-interactive
    Disable interaction (use with --agree-tos).

--config CONFIG
    Path to custom config file.

--email EMAIL
    Email address for renewal/important notices.

--agree-tos
    Agree to Let's Encrypt terms of service.

--rsa-key-size N
    Key size (2048 default, 4096 recommended).

--test-cert
    Use Let's Encrypt staging server (no limits).

--dry-run
    Test run without making changes.

--keep-until-expiring
    Keep cert until expiry if already valid.

-d DOMAINS, --domains DOMAINS
    Comma-separated domain list for cert.

--webroot -w PATH
    Use webroot authenticator with path.

--webroot-path PATH, -w PATH
    Public webroot path for HTTP challenge.

--authenticator NAME
    Authenticator plugin (e.g., standalone, webroot).

--installer NAME
    Installer plugin (e.g., apache, nginx).

--pre-hook COMMAND
    Command to run before renewal.

--post-hook COMMAND
    Command to run after renewal.

--renew-hook COMMAND
    Command to run only on successful renewal.

DESCRIPTION

Certbot is an open-source tool developed by the Electronic Frontier Foundation (EFF) for automatically obtaining, installing, and renewing free SSL/TLS certificates from Let's Encrypt. It implements the ACME protocol to handle domain validation via challenges like HTTP-01 (using port 80), DNS-01 (TXT records), or TLS-ALPN-01.

Primarily used to secure websites with HTTPS, Certbot integrates seamlessly with web servers such as Apache (mod_ssl) and Nginx through dedicated plugins that configure virtual hosts automatically. In standalone mode, it runs a temporary web server for validation. The certonly subcommand acquires certificates without installation, ideal for manual deployment.

Automatic renewal is a core feature, typically set up via cron jobs, systemd timers, or Certbot's built-in renew cron script. It checks certificates nearing expiry (30 days) and renews them idempotently. Additional capabilities include certificate listing, revocation, deletion, and expansion to new domains.
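
A check for the renewal behaviour described above, as an added example (not part of certbot or of the original page): it reads `certbot certificates` output and flags any certificate still inside the 30-day window, which means scheduled renewal has not been succeeding. The sample listing is constructed and its layout is assumed to match what certbot prints; `audit_certs` and `sample_output` are hypothetical names.

```shell
#!/bin/sh
# Added example: audit `certbot certificates` output for renewal problems.
RENEW_WINDOW_DAYS=30   # renewal window stated on this page

# Constructed sample; layout assumed to match what `certbot certificates` prints.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: www.example.com
    Domains: www.example.com
    Expiry Date: 2030-03-01 10:00:00+00:00 (VALID: 62 days)
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2030-01-10 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2029-11-02 10:00:00+00:00 (INVALID: EXPIRED)
  Certificate Name: staging.example.com
    Domains: staging.example.com
    Expiry Date: 2030-03-20 10:00:00+00:00 (INVALID: TEST_CERT)
EOF
}

# Reads the listing on stdin; prints "<name> <OK|RENEWAL_OVERDUE|INVALID> <detail>".
audit_certs() {
    awk -v window="$RENEW_WINDOW_DAYS" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # Status is the parenthesised tail, e.g. "(VALID: 12 days)".
            status = $0
            sub(/^[^(]*\(/, "", status)
            sub(/\)[^)]*$/, "", status)
            if (status ~ /^VALID: /) {
                split(status, parts, " ")
                # Under a day is reported in hours; count that as 0 days.
                days = (parts[3] ~ /^day/) ? parts[2] + 0 : 0
                # Inside the window yet not renewed: scheduled renewal is failing.
                verdict = (days < window) ? "RENEWAL_OVERDUE" : "OK"
                print name, verdict, days "d"
            } else {
                # Expired, or a staging (--test-cert) certificate in service.
                sub(/^INVALID: /, "", status)
                print name, "INVALID", status
            }
        }'
}

sample_output | audit_certs
```

From a scheduled job, feed it live data with `sudo certbot certificates | audit_certs` and alert on any line that is not `OK`.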

Certbot requires Python 3 and runs with elevated privileges (sudo) for webroot or installer access. It supports staging environments for testing (--test-cert) to avoid production rate limits. Logs are stored in /var/log/letsencrypt. Widely used on Linux distributions via snaps, APT, YUM, or pip for easy deployment.

CAVEATS

Requires ports 80/443 open for HTTP-01/TLS-ALPN-01 challenges; use DNS-01 otherwise. Subject to Let's Encrypt rate limits (50 certs/week/domain). Run as root/sudo for installers. Not compatible with all web servers without plugins. Staging (--test-cert) certificates are invalid for production.

SUBCOMMANDS

certonly: Obtain cert without installing.
renew: Renew due certificates.
certificates: List all certificates.
delete: Revoke/delete cert.
revoke: Revoke cert.
register: Register account.
plugins: List plugins.

INSTALLATION

Preferred: snap install --classic certbot. Or OS repos: apt/yum install certbot. Auto-setup: certbot --apache detects/configures.

HISTORY

Originally launched in 2015 as letsencrypt-auto, Certbot became the reference ACME client for Let's Encrypt's public beta. Developed by EFF, Mozilla, and community since 2016. Snap packaging introduced in 2018 for easier cross-distro use. Active development continues with Python 3 focus, plugin ecosystem growth.

SEE ALSO

apache2(8), nginx(8), cron(8), systemd(1), openssl(1)
