radin/my-docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
564fa3c97fc8f696e4f8d0b3ff79886b6d3dc55b
my-docs/Web-Servers/CertBot/certbot.md
RadinPirouz e65d9f4380 update certbot doc
2025-10-07 23:18:48 +03:30

2.6 KiB
Raw Blame History

🔐 Certbot

📦 Install Certbot

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

Installs Certbot and the Nginx plugin to automatically manage certificates.

🖥️ Method 1 Standalone Mode

sudo certbot certonly --standalone -d www.example.com

💡 Standalone mode runs its own temporary server for domain verification.

  • Use if Nginx is not running on port 80/443.

  • Certificates saved in:

    • /etc/letsencrypt/live/<domain>/ → latest version (symlink)
    • /etc/letsencrypt/archive/<domain>/ → all versions

🌐 Method 2 Webroot Mode

sudo certbot certonly --webroot -w /var/www/html -d www.example.com

💡 Webroot mode places verification files in your websites public folder.

  • <path> = Nginx document root
  • Use if Nginx is running and serving your site.

🛠️ Method 3 Nginx Plugin (Auto Configuration)

sudo certbot --nginx -d www.example.com -d example.com

💡 Nginx plugin automatically:

  • Obtains SSL certificate
  • Configures HTTPS in Nginx
  • Adds HTTP → HTTPS redirect
  • Reloads Nginx

🌱 Method 4 Manual DNS Challenge (Wildcard)

sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com

💡 DNS challenge is required for wildcard certificates or if HTTP verification isnt possible.

  • Add TXT record as instructed by Certbot
  • Works even if Nginx is down or port 80 is blocked

♻️ Renew Certificates

Automatic Renewal

sudo certbot renew
  • Renews all certificates nearing expiration

Force Renewal

sudo certbot renew --force-renewal
  • Immediately renews certificates, even if not near expiry

Test Renewal

sudo certbot renew --dry-run
  • Tests renewal without making changes

🔄 Reload Nginx After Renewal

sudo systemctl reload nginx
  • Apply new certificates without downtime

Tip: You can add a deploy-hook for automatic reload:

sudo certbot renew --deploy-hook "systemctl reload nginx"

📅 Tips & Best Practices

  • Certificates expire every 90 days — enable auto-renewal.
  • Keep /etc/letsencrypt/ backed up (contains keys and configs).
  • Use staging for testing to avoid hitting rate limits:
sudo certbot --staging --nginx -d www.example.com
  • Monitor renewal logs: /var/log/letsencrypt/letsencrypt.log

Result: Fully automated HTTPS for Nginx with Lets Encrypt certificates. Fast, free, and secure! 🔒🚀

Reference in New Issue View Git Blame Copy Permalink