update certbot doc
@@ -1,54 +1,70 @@
|
|||||||
# 🔐 Certbot – SSL Certificate Management Guide
|
# 🔐 Certbot
|
||||||
|
|
||||||
## 📦 Install Certbot
|
## 📦 Install Certbot
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
apt install certbot
|
sudo apt update
|
||||||
|
sudo apt install certbot python3-certbot-nginx -y
|
||||||
```
|
```
|
||||||
|
|
||||||
Installs **Certbot**, the free tool to automatically obtain and manage SSL/TLS certificates from **Let's Encrypt**.
|
*Installs Certbot and the Nginx plugin to automatically manage certificates.*
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 🖥️ Method 1 – Standalone Mode
|
## 🖥️ Method 1 – Standalone Mode
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
certbot certonly --standalone -d www.example.com
|
sudo certbot certonly --standalone -d www.example.com
|
||||||
```
|
```
|
||||||
|
|
||||||
💡 **Standalone mode** runs its own temporary web server to complete the verification.
|
💡 **Standalone mode** runs its own temporary server for domain verification.
|
||||||
|
|
||||||
* Use when no web server (Apache/Nginx) is running on the same port.
|
* Use if **Nginx is not running** on port 80/443.
|
||||||
* Certificates will be saved in:
|
* Certificates saved in:
|
||||||
|
|
||||||
* All versions: `/etc/letsencrypt/archive/`
|
* `/etc/letsencrypt/live/<domain>/` → latest version (symlink)
|
||||||
* Latest version (symlink): `/etc/letsencrypt/live/`
|
* `/etc/letsencrypt/archive/<domain>/` → all versions
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 🌐 Method 2 – Webroot Mode
|
## 🌐 Method 2 – Webroot Mode
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
certbot certonly --webroot --webroot-path <path> -d <domain>
|
sudo certbot certonly --webroot -w /var/www/html -d www.example.com
|
||||||
```
|
```
|
||||||
|
|
||||||
📌 **Webroot mode** places a verification file in your website's public directory.
|
💡 **Webroot mode** places verification files in your website’s public folder.
|
||||||
|
|
||||||
* `<path>` = your website's document root (e.g., `/var/www/html`)
|
* `<path>` = Nginx document root
|
||||||
* Use when your site is already running and accessible.
|
* Use if Nginx is running and serving your site.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 🛠️ Method 3 – Manual DNS Challenge
|
## 🛠️ Method 3 – Nginx Plugin (Auto Configuration)
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
certbot certonly --manual --preferred-challenges dns -d <domain>
|
sudo certbot --nginx -d www.example.com -d example.com
|
||||||
```
|
```
|
||||||
|
|
||||||
🔹 **DNS mode** requires you to manually add a TXT record to your domain’s DNS.
|
💡 **Nginx plugin** automatically:
|
||||||
|
|
||||||
* Best for **wildcard** certificates (`*.example.com`)
|
* Obtains SSL certificate
|
||||||
* Works even without a running web server.
|
* Configures HTTPS in Nginx
|
||||||
|
* Adds HTTP → HTTPS redirect
|
||||||
|
* Reloads Nginx
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## 🌱 Method 4 – Manual DNS Challenge (Wildcard)
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com
|
||||||
|
```
|
||||||
|
|
||||||
|
💡 **DNS challenge** is required for wildcard certificates or if HTTP verification isn’t possible.
|
||||||
|
|
||||||
|
* Add TXT record as instructed by Certbot
|
||||||
|
* Works even if Nginx is down or port 80 is blocked
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
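Review bot: Method 4 (the `--manual --preferred-challenges dns` wildcard command) needs a caveat that a certificate obtained this way, without a `--manual-auth-hook`/`--manual-cleanup-hook` (or a DNS provider plugin), cannot be renewed non-interactively; the "Works even if Nginx is down or port 80 is blocked" bullet is true for issuance, but the Automatic Renewal section later in this doc will fail for such certificates unless the TXT record is re-added by hand each time. Two smaller points in the same hunk: in Method 1 the bullet "Use if Nginx is not running on port 80/443" should say port 80, since the standalone plugin binds port 80 for the HTTP-01 challenge, and it is worth showing `--pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"` so renewals work when Nginx normally occupies that port; in Method 2 the bullet `* \`<path>\` = Nginx document root` refers to a placeholder that the rewritten command no longer uses (`-w /var/www/html`), so either restore `<path>` in the command or reword the bullet to say that `-w` must point at the directory Nginx serves for `/.well-known/acme-challenge/` on that domain.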
@@ -57,38 +73,58 @@ certbot certonly --manual --preferred-challenges dns -d <domain>
|
|||||||
### Automatic Renewal
|
### Automatic Renewal
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
certbot renew
|
sudo certbot renew
|
||||||
```
|
```
|
||||||
|
|
||||||
* Renews all certificates close to expiration.
|
* Renews all certificates nearing expiration
|
||||||
|
|
||||||
### Force Renewal
|
### Force Renewal
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
certbot renew --force-renewal
|
sudo certbot renew --force-renewal
|
||||||
```
|
```
|
||||||
|
|
||||||
* Renews certificates **immediately**, even if not expiring soon.
|
* Immediately renews certificates, even if not near expiry
|
||||||
|
|
||||||
|
### Test Renewal
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo certbot renew --dry-run
|
||||||
|
```
|
||||||
|
|
||||||
|
* Tests renewal without making changes
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 📅 Tips
|
## 🔄 Reload Nginx After Renewal
|
||||||
|
|
||||||
* Certificates expire every **90 days** — always set up **auto-renew**.
|
|
||||||
* Test renewal without changes:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
certbot renew --dry-run
|
sudo systemctl reload nginx
|
||||||
```
|
```
|
||||||
|
|
||||||
* Restart your web server after renewal to apply new certificates:
|
* Apply new certificates without downtime
|
||||||
|
|
||||||
|
*Tip:* You can add a **deploy-hook** for automatic reload:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
systemctl restart nginx
|
sudo certbot renew --deploy-hook "systemctl reload nginx"
|
||||||
# or
|
|
||||||
systemctl restart apache2
|
|
||||||
```
|
```
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
✨ **With Certbot, your HTTPS setup can be fast, free, and automatic!** 🔒🚀
|
## 📅 Tips & Best Practices
|
||||||
|
|
||||||
|
* Certificates expire every **90 days** — enable **auto-renewal**.
|
||||||
|
* Keep `/etc/letsencrypt/` **backed up** (contains keys and configs).
|
||||||
|
* Use **staging** for testing to avoid hitting rate limits:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo certbot --staging --nginx -d www.example.com
|
||||||
|
```
|
||||||
|
|
||||||
|
* Monitor renewal logs: `/var/log/letsencrypt/letsencrypt.log`
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
✨ **Result:** Fully automated HTTPS for Nginx with Let’s Encrypt certificates. Fast, free, and secure! 🔒🚀
|
||||||
|
|
||||||
|
|||||||
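Review bot: The "Reload Nginx After Renewal" section and the `sudo certbot renew --deploy-hook "systemctl reload nginx"` tip do not say what actually drives renewal on this system; on Debian/Ubuntu the `certbot` package installs a systemd timer that runs `certbot renew` with no extra flags, so a hook passed once on the command line does not help the scheduled run. Suggest stating that certificates obtained with the Nginx plugin (Method 3) are reloaded by certbot itself, and that for `certonly` certificates (Methods 1, 2 and 4) the reload command belongs in an executable script under `/etc/letsencrypt/renewal-hooks/deploy/` so it runs on every automated renewal. The Force Renewal section should also warn that `--force-renewal` issues a new certificate every time it is run and therefore counts against Let's Encrypt's duplicate-certificate rate limit, which is why the `--dry-run` (staging) test in the following section is the right way to verify the renewal path.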