update certbot doc
This commit is contained in:
@@ -1,54 +1,70 @@
|
||||
# 🔐 Certbot – SSL Certificate Management Guide
|
||||
# 🔐 Certbot
|
||||
|
||||
## 📦 Install Certbot
|
||||
|
||||
```bash
|
||||
apt install certbot
|
||||
sudo apt update
|
||||
sudo apt install certbot python3-certbot-nginx -y
|
||||
```
|
||||
|
||||
Installs **Certbot**, the free tool to automatically obtain and manage SSL/TLS certificates from **Let's Encrypt**.
|
||||
*Installs Certbot and the Nginx plugin to automatically manage certificates.*
|
||||
|
||||
---
|
||||
|
||||
## 🖥️ Method 1 – Standalone Mode
|
||||
|
||||
```bash
|
||||
certbot certonly --standalone -d www.example.com
|
||||
sudo certbot certonly --standalone -d www.example.com
|
||||
```
|
||||
|
||||
💡 **Standalone mode** runs its own temporary web server to complete the verification.
|
||||
💡 **Standalone mode** runs its own temporary server for domain verification.
|
||||
|
||||
* Use when no web server (Apache/Nginx) is running on the same port.
|
||||
* Certificates will be saved in:
|
||||
* Use if **Nginx is not running** on port 80/443.
|
||||
* Certificates saved in:
|
||||
|
||||
* All versions: `/etc/letsencrypt/archive/`
|
||||
* Latest version (symlink): `/etc/letsencrypt/live/`
|
||||
* `/etc/letsencrypt/live/<domain>/` → latest version (symlink)
|
||||
* `/etc/letsencrypt/archive/<domain>/` → all versions
|
||||
|
||||
---
|
||||
|
||||
## 🌐 Method 2 – Webroot Mode
|
||||
|
||||
```bash
|
||||
certbot certonly --webroot --webroot-path <path> -d <domain>
|
||||
sudo certbot certonly --webroot -w /var/www/html -d www.example.com
|
||||
```
|
||||
|
||||
📌 **Webroot mode** places a verification file in your website's public directory.
|
||||
💡 **Webroot mode** places verification files in your website’s public folder.
|
||||
|
||||
* `<path>` = your website's document root (e.g., `/var/www/html`)
|
||||
* Use when your site is already running and accessible.
|
||||
* `<path>` = Nginx document root
|
||||
* Use if Nginx is running and serving your site.
|
||||
|
||||
---
|
||||
|
||||
## 🛠️ Method 3 – Manual DNS Challenge
|
||||
## 🛠️ Method 3 – Nginx Plugin (Auto Configuration)
|
||||
|
||||
```bash
|
||||
certbot certonly --manual --preferred-challenges dns -d <domain>
|
||||
sudo certbot --nginx -d www.example.com -d example.com
|
||||
```
|
||||
|
||||
🔹 **DNS mode** requires you to manually add a TXT record to your domain’s DNS.
|
||||
💡 **Nginx plugin** automatically:
|
||||
|
||||
* Best for **wildcard** certificates (`*.example.com`)
|
||||
* Works even without a running web server.
|
||||
* Obtains SSL certificate
|
||||
* Configures HTTPS in Nginx
|
||||
* Adds HTTP → HTTPS redirect
|
||||
* Reloads Nginx
|
||||
|
||||
---
|
||||
|
||||
## 🌱 Method 4 – Manual DNS Challenge (Wildcard)
|
||||
|
||||
```bash
|
||||
sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com
|
||||
```
|
||||
|
||||
💡 **DNS challenge** is required for wildcard certificates or if HTTP verification isn’t possible.
|
||||
|
||||
* Add TXT record as instructed by Certbot
|
||||
* Works even if Nginx is down or port 80 is blocked
|
||||
|
||||
---
|
||||
|
||||
@@ -57,38 +73,58 @@ certbot certonly --manual --preferred-challenges dns -d <domain>
|
||||
### Automatic Renewal
|
||||
|
||||
```bash
|
||||
certbot renew
|
||||
sudo certbot renew
|
||||
```
|
||||
|
||||
* Renews all certificates close to expiration.
|
||||
* Renews all certificates nearing expiration
|
||||
|
||||
### Force Renewal
|
||||
|
||||
```bash
|
||||
certbot renew --force-renewal
|
||||
sudo certbot renew --force-renewal
|
||||
```
|
||||
|
||||
* Renews certificates **immediately**, even if not expiring soon.
|
||||
* Immediately renews certificates, even if not near expiry
|
||||
|
||||
### Test Renewal
|
||||
|
||||
```bash
|
||||
sudo certbot renew --dry-run
|
||||
```
|
||||
|
||||
* Tests renewal without making changes
|
||||
|
||||
---
|
||||
|
||||
## 📅 Tips
|
||||
|
||||
* Certificates expire every **90 days** — always set up **auto-renew**.
|
||||
* Test renewal without changes:
|
||||
## 🔄 Reload Nginx After Renewal
|
||||
|
||||
```bash
|
||||
certbot renew --dry-run
|
||||
sudo systemctl reload nginx
|
||||
```
|
||||
|
||||
* Restart your web server after renewal to apply new certificates:
|
||||
* Apply new certificates without downtime
|
||||
|
||||
*Tip:* You can add a **deploy-hook** for automatic reload:
|
||||
|
||||
```bash
|
||||
systemctl restart nginx
|
||||
# or
|
||||
systemctl restart apache2
|
||||
sudo certbot renew --deploy-hook "systemctl reload nginx"
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
✨ **With Certbot, your HTTPS setup can be fast, free, and automatic!** 🔒🚀
|
||||
## 📅 Tips & Best Practices
|
||||
|
||||
* Certificates expire every **90 days** — enable **auto-renewal**.
|
||||
* Keep `/etc/letsencrypt/` **backed up** (contains keys and configs).
|
||||
* Use **staging** for testing to avoid hitting rate limits:
|
||||
|
||||
```bash
|
||||
sudo certbot --staging --nginx -d www.example.com
|
||||
```
|
||||
|
||||
* Monitor renewal logs: `/var/log/letsencrypt/letsencrypt.log`
|
||||
|
||||
---
|
||||
|
||||
✨ **Result:** Fully automated HTTPS for Nginx with Let’s Encrypt certificates. Fast, free, and secure! 🔒🚀
|
||||
|
||||
|
||||
Reference in New Issue
Block a user