diff --git a/Web-Servers/CertBot/certbot.md b/Web-Servers/CertBot/certbot.md index 9000c1c..8bd7153 100644 --- a/Web-Servers/CertBot/certbot.md +++ b/Web-Servers/CertBot/certbot.md 
@@ -1,54 +1,70 @@ -# πŸ” Certbot – SSL Certificate Management Guide +# πŸ” Certbot ## πŸ“¦ Install Certbot ```bash -apt install certbot +sudo apt update +sudo apt install certbot python3-certbot-nginx -y ``` -Installs **Certbot**, the free tool to automatically obtain and manage SSL/TLS certificates from **Let's Encrypt**. +*Installs Certbot and the Nginx plugin to automatically manage certificates.* --- ## πŸ–₯️ Method 1 – Standalone Mode ```bash -certbot certonly --standalone -d www.example.com +sudo certbot certonly --standalone -d www.example.com ``` -πŸ’‘ **Standalone mode** runs its own temporary web server to complete the verification. +πŸ’‘ **Standalone mode** runs its own temporary server for domain verification. -* Use when no web server (Apache/Nginx) is running on the same port. -* Certificates will be saved in: +* Use if **Nginx is not running** on port 80/443. +* Certificates saved in: - * All versions: `/etc/letsencrypt/archive/` - * Latest version (symlink): `/etc/letsencrypt/live/` + * `/etc/letsencrypt/live//` β†’ latest version (symlink) + * `/etc/letsencrypt/archive//` β†’ all versions --- ## 🌐 Method 2 – Webroot Mode ```bash -certbot certonly --webroot --webroot-path -d +sudo certbot certonly --webroot -w /var/www/html -d www.example.com ``` -πŸ“Œ **Webroot mode** places a verification file in your website's public directory. +πŸ’‘ **Webroot mode** places verification files in your website’s public folder. -* `` = your website's document root (e.g., `/var/www/html`) -* Use when your site is already running and accessible. +* `` = Nginx document root +* Use if Nginx is running and serving your site. --- -## πŸ› οΈ Method 3 – Manual DNS Challenge +## πŸ› οΈ Method 3 – Nginx Plugin (Auto Configuration) ```bash -certbot certonly --manual --preferred-challenges dns -d +sudo certbot --nginx -d www.example.com -d example.com ``` -πŸ”Ή **DNS mode** requires you to manually add a TXT record to your domain’s DNS. 
+πŸ’‘ **Nginx plugin** automatically: -* Best for **wildcard** certificates (`*.example.com`) -* Works even without a running web server. +* Obtains SSL certificate +* Configures HTTPS in Nginx +* Adds HTTP β†’ HTTPS redirect +* Reloads Nginx + +--- + +## 🌱 Method 4 – Manual DNS Challenge (Wildcard) + +```bash +sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com +``` + +πŸ’‘ **DNS challenge** is required for wildcard certificates or if HTTP verification isn’t possible. + +* Add TXT record as instructed by Certbot +* Works even if Nginx is down or port 80 is blocked --- 
@@ -57,38 +73,58 @@ certbot certonly --manual --preferred-challenges dns -d ### Automatic Renewal ```bash -certbot renew +sudo certbot renew ``` -* Renews all certificates close to expiration. +* Renews all certificates nearing expiration ### Force Renewal ```bash -certbot renew --force-renewal +sudo certbot renew --force-renewal ``` -* Renews certificates **immediately**, even if not expiring soon. +* Immediately renews certificates, even if not near expiry + +### Test Renewal + +```bash +sudo certbot renew --dry-run +``` + +* Tests renewal without making changes --- -## πŸ“… Tips - -* Certificates expire every **90 days** β€” always set up **auto-renew**. -* Test renewal without changes: +## πŸ”„ Reload Nginx After Renewal ```bash -certbot renew --dry-run +sudo systemctl reload nginx ``` -* Restart your web server after renewal to apply new certificates: +* Apply new certificates without downtime + +*Tip:* You can add a **deploy-hook** for automatic reload: ```bash -systemctl restart nginx -# or -systemctl restart apache2 +sudo certbot renew --deploy-hook "systemctl reload nginx" ``` --- -✨ **With Certbot, your HTTPS setup can be fast, free, and automatic!** πŸ”’πŸš€ +## πŸ“… Tips & Best Practices + +* Certificates expire every **90 days** β€” enable **auto-renewal**. +* Keep `/etc/letsencrypt/` **backed up** (contains keys and configs). +* Use **staging** for testing to avoid hitting rate limits: + +```bash +sudo certbot --staging --nginx -d www.example.com +``` + +* Monitor renewal logs: `/var/log/letsencrypt/letsencrypt.log` + +--- + +✨ **Result:** Fully automated HTTPS for Nginx with Let’s Encrypt certificates. Fast, free, and secure! πŸ”’πŸš€ +
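Review bot: In the first hunk (Method 1 and Method 2), two placeholders came out empty: `/etc/letsencrypt/live//` and `/etc/letsencrypt/archive//` in the standalone bullets, and "`` = Nginx document root" in the webroot bullets; a `<domain>` placeholder in angle brackets was most likely swallowed by the Markdown renderer. Since the commands now use a concrete host, make the paths match them, e.g. `/etc/letsencrypt/live/www.example.com/` and `/etc/letsencrypt/archive/www.example.com/`, and rephrase the webroot bullet as "`/var/www/html` = Nginx document root (use your own)". The new Method 4 also needs a caveat next to "Add TXT record as instructed by Certbot": a certificate obtained with `--manual` and no `--manual-auth-hook` can only be renewed interactively, so the later `certbot renew` section and the auto-renewal tip do not apply to it unless the reader supplies a hook (or uses a DNS plugin for their provider).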
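Review bot: The deploy-hook tip in the second hunk reads as a one-off command, but unattended renewals are driven by the packaged timer/cron job running plain `certbot renew`; say how the hook is made to stick, either by checking the `renew_hook` entry in `/etc/letsencrypt/renewal/www.example.com.conf` or by placing the script in `/etc/letsencrypt/renewal-hooks/deploy/`. It is also worth noting that `certbot --nginx` (Method 3) reloads Nginx itself, so the hook is only needed for the `certonly` methods. Two safety points belong in "Tips & Best Practices": a backup of `/etc/letsencrypt/` contains the private keys, so it must be stored with the same restrictive permissions (or encrypted), and `--force-renewal` counts against the Let's Encrypt rate limits the staging bullet warns about; add that a certificate issued with `--staging` is not browser-trusted and the command must be re-run without the flag for production.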