certbot
Updated: September 28, 2024
Certbot is a free, open-source ACME client maintained by the EFF. It obtains and renews TLS (X.509) server certificates, most commonly from the Let's Encrypt CA, and can install them into an Apache or nginx config.
Before installing: the domain's DNS must point at this server, port 80 must be reachable from the internet (the HTTP-01 challenge used by the apache, nginx, webroot and standalone plugins is answered there), and you need sudo access over ssh.
INSTALLING CERTBOT
Check whether certbot is already installed (and which version); otherwise install it for your platform:
Raspberry Pi (raspbian)
sudo apt install certbot python3-certbot-apache # for apache (older releases: python-certbot-apache)
sudo apt install certbot python3-certbot-nginx  # for nginx (older releases: python-certbot-nginx)
sudo certbot --apache -d example.com # use the apache plugin to authenticate and install the cert
Common Options (arguments)
--apache # Use apache plugin for authentication and installation.
--nginx # Use nginx plugin for authentication and installation.
--webroot # Places files in a server webroot folder for authentication.
--dry-run # Test renew or certonly against the staging server without saving certs to disk (pre/post hooks still run, deploy hooks do not).
--agree-tos # Agree to the ACME server's subscriber agreement.
--redirect # Rewrite the server config so all HTTP traffic is redirected to HTTPS (needs an installer plugin: apache or nginx).
--hsts # Add the Strict-Transport-Security header to every HTTPS response. Browsers then refuse plain HTTP for max-age, so enable it only once HTTPS works for every name.
-h # Help
-d <domain> # Domain name(s) to include in the cert; repeat -d for each name (they become SANs).
-w <path> # Webroot directory for the -d names that follow it (webroot plugin), eg. /var/www/.../..
--reuse-key # Keep the same private key at renewal instead of generating a fresh one (only needed for key pinning).
--rsa-key-size <4096> # RSA key size in bits, default 2048. Only applies with --key-type rsa; since certbot 2.0 new certs default to ECDSA (see --key-type and --elliptic-curve).
-n # Run non-interactively. (useful in cron)
Renew Certificates
Once set up, renewing is easy: certbot renew re-runs the same challenge, so port 80 must be reachable while it runs. If the firewall normally blocks 80, open it first (or do so in --pre-hook), run certbot renew, then close it again (or do so in --post-hook).
Certs that are not within 30 days of expiry are skipped.
renew # Renews all certificates
--force-renewal # renew certs even if they are not near expiring. Every issuance counts against Let's Encrypt rate limits, so keep this out of cron.
--pre-hook # Command to run before obtaining any certs; with renew it runs only if some cert is due.
--post-hook # Command to run once after the renewal attempts, whether they succeeded or not; with renew it is skipped when nothing was due.
--deploy-hook # Command run once for each successfully issued/renewed cert, with RENEWED_LINEAGE and RENEWED_DOMAINS in its environment. The right place to reload the web server.
--no-autorenew # turn off auto renewal of certs.
Manage Certificates
certificates # List certificates managed by certbot
revoke # revoke a cert (supply --cert-path or --cert-name; add --reason keycompromise if the private key leaked). Revoking does not remove the files; follow with delete.
delete # Clean up all files related to a certificate
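Two checks worth running after issuing or renewing, as an added example that is not part of the original notes or of certbot itself: is the certificate on disk close to expiry, and does the server actually present the certificate that is on disk (a cert renewed on disk but never reloaded into the server is the usual failure of unattended renewal). The lineage path /etc/letsencrypt/live/www.example.com and the host name in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: verify what certbot wrote to disk
# and what a TLS server is actually presenting. Needs only openssl.

# Return 0 if the certificate file expires within $2 days (or cannot be read), else 1.
# openssl -checkend exits 0 when the cert is still valid after the given seconds.
expires_within() {
    [ -r "$1" ] || return 0
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1"
}

# SHA-256 fingerprint of a PEM certificate, e.g. AB:CD:...
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Fingerprint of the leaf certificate a server presents for a given SNI name.
served_fingerprint() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# 0 if both PEM files carry the same certificate, 1 otherwise.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Usage on the server itself (lineage and host name are placeholders):
#   LIVE=/etc/letsencrypt/live/www.example.com
#   expires_within "$LIVE/cert.pem" 30 && echo "renewal is due"
#   [ "$(cert_fingerprint "$LIVE/cert.pem")" = "$(served_fingerprint www.example.com)" ] \
#       || echo "renewed on disk but the server still serves the old cert: reload it"
```

Comparing fingerprints rather than expiry dates catches the case where the server was reloaded with a different lineage, or not at all.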
Manage Let’s Encrypt Account
register # Create a Let's Encrypt ACME account
update_account # Update a Let's Encrypt ACME account
--agree-tos # Agree to ACME server subscriber agreement
-m <email> # Email address for account notifications
CRON
Used for automatically renewing certificates. Distribution packages (and the snap) usually install a renewal job already; check these places before adding your own, so renewal does not run twice:
- /etc/crontab
- /etc/cron.*/* (Debian/Raspbian: /etc/cron.d/certbot)
- systemd timer: systemctl list-timers (look for certbot.timer)
# root's crontab: try renewal daily at 4:44 am; certbot only renews certs within 30 days of expiry.
# --deploy-hook runs only when a cert was actually renewed, and reload (not restart) keeps nginx serving.
44 4 * * * certbot renew -n --deploy-hook 'systemctl reload nginx'
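The reload step belongs in a deploy hook rather than on the cron line itself, because certbot runs deploy hooks only when a certificate was actually renewed and tells the hook which one. The following script is an added example, not from the original notes or from the certbot project; the install path, the domain-to-service mapping and the service names are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not from the original page: a certbot deploy hook.
# Save as /etc/letsencrypt/renewal-hooks/deploy/reload-services.sh (assumed path), mode 0755,
# or pass it with --deploy-hook. certbot runs it once for each lineage that was actually
# renewed and exports two variables to it:
#   RENEWED_LINEAGE  - the live directory, e.g. /etc/letsencrypt/live/www.example.com
#   RENEWED_DOMAINS  - space-separated domain names on the new certificate
# Run by hand (RENEWED_LINEAGE unset) it does nothing, so it is safe to execute directly.

# Map renewed domains to the services that must re-read the certificate.
# The domain/service pairs are illustrative; adapt them to your hosts.
services_for_domains() {
    for d in $1; do
        case "$d" in
            www.example.com|example.com) echo nginx ;;
            mail.example.com)            echo postfix; echo dovecot ;;
        esac
    done | sort -u
}

# Refuse to reload anything unless the new files are present and the private key
# is not group- or world-readable (certbot writes privkey.pem as 0600 by default).
check_lineage() {
    lineage="$1"
    for f in fullchain.pem privkey.pem; do
        [ -f "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    # -L follows the live/ symlink into archive/, where the real file mode lives
    perms=$(stat -L -c %a "$lineage/privkey.pem" 2>/dev/null) || return 1
    case "$perms" in
        *00) return 0 ;;
        *)   echo "privkey.pem has mode $perms, expected 0600" >&2; return 1 ;;
    esac
}

main() {
    if [ -z "${RENEWED_LINEAGE:-}" ]; then
        echo "RENEWED_LINEAGE not set: run this as a certbot deploy hook" >&2
        return 0
    fi
    check_lineage "$RENEWED_LINEAGE" || return 1
    services=$(services_for_domains "${RENEWED_DOMAINS:-}")
    if [ -z "$services" ]; then
        echo "no service mapped for: ${RENEWED_DOMAINS:-}" >&2
        return 0
    fi
    for s in $services; do
        # reload, not restart: the daemon re-reads the new cert without dropping connections
        systemctl reload "$s"
    done
}

main
```

Test it without waiting for a real renewal with `certbot renew --dry-run --run-deploy-hooks`, which runs deploy hooks against the staging-issued test certificate.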
DELETING CERTIFICATES
sudo certbot delete # Brings up list selector, then deletes what you select.
sudo certbot delete --cert-name d3c3p7.com # if above does not work.
EXAMPLE
sudo certbot certonly --webroot -w /var/www/www.example.com -d www.example.com -d example.com
sudo certbot certonly --webroot -w /var/www/mail.example.com -d mail.example.com
OTHER THOUGHTS
certbot renew --dry-run # test renewal against the staging server; run this after changing hooks or firewall rules
sudo certbot renew --force-renewal --rsa-key-size 2048 # re-issues every cert now; counts against rate limits
# standalone binds port 80 itself, so nginx must be stopped around the challenge; the nginx installer then writes the cert into its config
certbot --authenticator standalone --installer nginx -d www.d3c3p7.com --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
REVERTING CERTBOT
certbot --nginx rollback --checkpoints <n> # Revert the last n sets of nginx config changes made by certbot (default 1).