# πŸ” Certbot ## πŸ“¦ Install Certbot ```bash sudo apt update sudo apt install certbot python3-certbot-nginx -y ``` *Installs Certbot and the Nginx plugin to automatically manage certificates.* --- ## πŸ–₯️ Method 1 – Standalone Mode ```bash sudo certbot certonly --standalone -d www.example.com ``` πŸ’‘ **Standalone mode** runs its own temporary server for domain verification. * Use if **Nginx is not running** on port 80/443. * Certificates saved in: * `/etc/letsencrypt/live//` β†’ latest version (symlink) * `/etc/letsencrypt/archive//` β†’ all versions --- ## 🌐 Method 2 – Webroot Mode ```bash sudo certbot certonly --webroot -w /var/www/html -d www.example.com ``` πŸ’‘ **Webroot mode** places verification files in your website’s public folder. * `` = Nginx document root * Use if Nginx is running and serving your site. --- ## πŸ› οΈ Method 3 – Nginx Plugin (Auto Configuration) ```bash sudo certbot --nginx -d www.example.com -d example.com ``` πŸ’‘ **Nginx plugin** automatically: * Obtains SSL certificate * Configures HTTPS in Nginx * Adds HTTP β†’ HTTPS redirect * Reloads Nginx --- ## 🌱 Method 4 – Manual DNS Challenge (Wildcard) ```bash sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com ``` πŸ’‘ **DNS challenge** is required for wildcard certificates or if HTTP verification isn’t possible. 
* Add TXT record as instructed by Certbot * Works even if Nginx is down or port 80 is blocked --- ## ♻️ Renew Certificates ### Automatic Renewal ```bash sudo certbot renew ``` * Renews all certificates nearing expiration ### Force Renewal ```bash sudo certbot renew --force-renewal ``` * Immediately renews certificates, even if not near expiry ### Test Renewal ```bash sudo certbot renew --dry-run ``` * Tests renewal without making changes --- ## πŸ”„ Reload Nginx After Renewal ```bash sudo systemctl reload nginx ``` * Apply new certificates without downtime *Tip:* You can add a **deploy-hook** for automatic reload: ```bash sudo certbot renew --deploy-hook "systemctl reload nginx" ``` --- ## πŸ“… Tips & Best Practices * Certificates expire every **90 days** β€” enable **auto-renewal**. * Keep `/etc/letsencrypt/` **backed up** (contains keys and configs). * Use **staging** for testing to avoid hitting rate limits: ```bash sudo certbot --staging --nginx -d www.example.com ``` * Monitor renewal logs: `/var/log/letsencrypt/letsencrypt.log` --- ✨ **Result:** Fully automated HTTPS for Nginx with Let’s Encrypt certificates. Fast, free, and secure! πŸ”’πŸš€
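As an added example (not code from the original page and not part of Certbot), the following deploy hook does what the renewal and reload sections above describe, but refuses to reload Nginx unless the renewed lineage is consistent: the certificate's public key must match `privkey.pem`, the certificate must be valid for a sensible period, and `nginx -t` must accept the configuration. It relies on two things Certbot really provides: the `fullchain.pem` / `privkey.pem` layout of a lineage directory and the `RENEWED_LINEAGE` environment variable set for deploy hooks. The 30-day threshold and the install path `/etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh` are assumptions of the example.

```shell
#!/bin/sh
# Hardened deploy hook for "certbot renew": verify the renewed lineage before
# reloading Nginx. Added example; not from the original page or from Certbot.
# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/www.example.com)
# and RENEWED_DOMAINS in the environment of a deploy hook. The 30-day sanity
# threshold and the suggested install path are assumptions of this example.
set -eu

# Return 0 if the certificate's public key matches the private key, so a
# half-written or mismatched lineage can never be loaded into Nginx.
# On fullchain.pem, "openssl x509" reads only the first (leaf) certificate.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate is still valid $2 days from now.
# "openssl x509 -checkend" takes seconds and exits 1 if the certificate
# expires within that window.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Reload Nginx only after "nginx -t" accepts the configuration; reloading a
# broken config would otherwise take the site down at renewal time.
reload_nginx_if_config_ok() {
    if nginx -t >/dev/null 2>&1; then
        systemctl reload nginx
    else
        echo "nginx -t failed, not reloading" >&2
        return 1
    fi
}

# Validate one lineage directory (fullchain.pem + privkey.pem), then reload.
deploy_lineage() {
    lineage="$1"
    cert="$lineage/fullchain.pem"
    key="$lineage/privkey.pem"
    cert_matches_key "$cert" "$key" || { echo "$lineage: certificate/key mismatch" >&2; return 1; }
    cert_valid_for_days "$cert" 30 || { echo "$lineage: certificate expires within 30 days, refusing" >&2; return 1; }
    reload_nginx_if_config_ok
}

# Certbot invokes the hook with RENEWED_LINEAGE set; run by hand without it,
# the script only prints a usage line.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_lineage "$RENEWED_LINEAGE"
else
    echo "usage: install as a Certbot deploy hook; RENEWED_LINEAGE is set by certbot renew" >&2
fi
```

Install it root-owned and executable (mode 0755) in `/etc/letsencrypt/renewal-hooks/deploy/` and it runs after every successful renewal with no `--deploy-hook` flag needed. `certbot renew --dry-run` skips deploy hooks, so exercise the script by exporting `RENEWED_LINEAGE=/etc/letsencrypt/live/www.example.com` and running it directly; a mismatch or a failing `nginx -t` exits non-zero, which Certbot reports in `/var/log/letsencrypt/letsencrypt.log`.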