
Certbot

What is Certbot?

Certbot is a free, open-source ACME client maintained by the EFF. It proves to a certificate authority (Let's Encrypt by default) that you control a domain, obtains a publicly trusted TLS certificate, optionally installs it into your web server, and renews it automatically so the site keeps working over HTTPS.

Before you start

  • Make sure you control the DNS records for the domain you want to secure, and that its A/AAAA record already points at this server if you intend to use the HTTP-01 challenge.
  • Sign in to the server with administrator (root or sudo) access; Certbot writes under /etc/letsencrypt, which is root-owned.
  • If you plan to use the HTTP-01 challenge, allow inbound traffic on port 80 from the whole internet. Let's Encrypt validates from several vantage points, so restricting port 80 to a few source addresses makes validation fail.

Install Certbot

Ubuntu or Debian

sudo apt update
sudo apt install certbot python3-certbot-nginx

Windows Server

  1. Install a Python 3 distribution (Miniconda or the full Anaconda distribution works), then create and activate an environment for Certbot.
  2. Install Certbot inside that environment:
pip install certbot

This gives you the client only; web-server plugins such as the Nginx integration are separate packages (certbot-nginx on PyPI). With no installer plugin present, Certbot obtains the files with certonly and you install them into the server by hand.

Request a certificate

Option 1: HTTP-01 challenge

Use this when the domain already resolves to this server and port 80 is reachable from the internet. In --standalone mode Certbot binds port 80 itself to answer the challenge, so stop anything already listening there first (or use --webroot or --nginx, which work alongside a running server). certonly obtains the certificate without touching any server configuration.

sudo certbot certonly --standalone -d example.com

If Nginx is already configured for the domain, Certbot can edit the site block and install the certificate automatically:

sudo certbot --nginx -d example.com

Option 2: DNS-01 challenge

Pick this when port 80 is blocked, the host is not reachable from the internet, or you need a wildcard certificate (*.example.com), which Let's Encrypt issues only via DNS-01. Certbot prints a token that you publish as a TXT record at _acme-challenge.<domain>. Run interactively, --manual cannot renew unattended; for automation use the DNS plugin for your provider (for example certbot-dns-cloudflare) or pass --manual-auth-hook and --manual-cleanup-hook scripts that update the record.

sudo certbot certonly --manual --preferred-challenges dns -d example.com
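The unattended variant of the manual DNS-01 flow, as an added example that is not part of the original page or of Certbot itself. Certbot really does run the auth and cleanup hooks with CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment; everything about the DNS provider is an assumption, so put_txt and delete_txt write to a local file that stands in for the provider API and must be replaced with your provider's calls. The record-name logic also covers the wildcard case (*.example.com is validated at _acme-challenge.example.com), which the text above does not spell out.

```shell
#!/bin/sh
# Added example (not from the page or Certbot): DNS-01 with --manual hooks so
# renewals run unattended. Certbot invokes the auth hook with CERTBOT_DOMAIN
# and CERTBOT_VALIDATION set; that interface is real. The DNS provider API is
# an assumption: put_txt/delete_txt keep records in a local file that stands
# in for the provider. Replace those two functions with your provider's calls.

RECORD_STORE="${RECORD_STORE:-/tmp/acme-txt-records}"
DNS_PROPAGATION_SECONDS="${DNS_PROPAGATION_SECONDS:-60}"

# Map a certificate name to its ACME challenge label. A wildcard request
# (*.example.com) is validated at _acme-challenge.example.com, not under "*".
acme_txt_name() {
    domain="${1#\*.}"
    printf '_acme-challenge.%s\n' "$domain"
}

# Stand-ins for the provider API (assumed): one "name value" line per record.
put_txt() {
    printf '%s %s\n' "$1" "$2" >> "$RECORD_STORE"
}
delete_txt() {
    tmp=$(mktemp)
    grep -vxF "$1 $2" "$RECORD_STORE" > "$tmp" || true
    mv "$tmp" "$RECORD_STORE"
}

# Auth hook: publish the token, then wait. Certbot asks the CA to validate
# as soon as this hook exits, so the delay (or a dig-based poll) is what
# prevents failures while the record is still propagating.
auth_hook() {
    name=$(acme_txt_name "$CERTBOT_DOMAIN")
    put_txt "$name" "$CERTBOT_VALIDATION"
    sleep "$DNS_PROPAGATION_SECONDS"
}

# Cleanup hook: remove only this run's token so stale records do not pile up.
cleanup_hook() {
    name=$(acme_txt_name "$CERTBOT_DOMAIN")
    delete_txt "$name" "$CERTBOT_VALIDATION"
}

# How many challenge records are currently published for a domain.
txt_count() {
    name=$(acme_txt_name "$1")
    [ -f "$RECORD_STORE" ] || { echo 0; return 0; }
    awk -v n="$name" '$1 == n { c++ } END { print c + 0 }' "$RECORD_STORE"
}

# Requests the base name and its wildcard in one lineage. A wildcard and its
# base need two TXT values at the same name; both stay published until cleanup.
request_cert() {
    certbot certonly --manual --preferred-challenges dns \
        --manual-auth-hook "$0 auth" \
        --manual-cleanup-hook "$0 cleanup" \
        -d "$1" -d "*.$1"
}

# Certbot calls this script back with "auth" or "cleanup" as the argument.
case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Save it as an executable file, run it once with a domain via request_cert (for example by adding `request) request_cert "$2" ;;` to the case block), and certbot renew will invoke the same hooks at renewal time without any prompts.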

Certbot keeps each certificate under /etc/letsencrypt/live/<name>/, where the files are symlinks to the current version in /etc/letsencrypt/archive/. Point services at fullchain.pem (leaf certificate plus intermediate) and privkey.pem using the live/ paths rather than copying the files; a copy never sees the new key and certificate that a renewal produces. privkey.pem is the private key: keep it readable only by root or the service account that terminates TLS, and if a service cannot read /etc/letsencrypt directly, have a --deploy-hook place a copy into that service's own store instead of loosening permissions on the whole tree.

Keep certificates renewed

Certificates from Let's Encrypt are valid for 90 days. certbot renew examines every lineage under /etc/letsencrypt and replaces only those within 30 days of expiry, so it is safe to run it often. Test the renewal process first; --dry-run talks to the Let's Encrypt staging environment and does not count against production rate limits:

sudo certbot renew --dry-run

Then schedule the real command. The Debian and Ubuntu packages already install a systemd timer (certbot.timer) that runs twice a day; check systemctl list-timers before adding a second job. Where you do need cron, run it twice daily at a random minute rather than on the hour, and reload the web server after a successful renewal with --deploy-hook, otherwise it keeps serving the old certificate from memory. The entry lives in root's crontab, so sudo inside the line is redundant:

sudo crontab -e
17 3,15 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"
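Two small guards around unattended renewal, as an added example that is not from the page or from Certbot: a deploy hook that refuses to reload nginx when the renewed key and certificate do not belong together or the config fails nginx -t, and an expiry check for a monitoring job that catches a renewal timer that has silently stopped. RENEWED_LINEAGE is a variable Certbot really sets for --deploy-hook scripts; the paths under /etc/letsencrypt/live are Certbot's real layout. Assumptions: GNU coreutils date -d and openssl are on the host, and example.com is a placeholder.

```shell
#!/bin/sh
# Added example (not from the page or Certbot): renewal hygiene around
# `certbot renew`. deploy_hook() is meant for --deploy-hook and reads
# RENEWED_LINEAGE, which Certbot sets to the renewed live/<name> directory.
# days_until_expiry() and check_cert_file() back a monitoring cron job.
# Assumes GNU `date -d` and openssl on the host.

# Days until the date in an openssl "notAfter=..." line, measured from $2
# (epoch seconds; defaults to now). Negative once the certificate has expired.
days_until_expiry() {
    not_after="${1#notAfter=}"
    now="${2:-$(date +%s)}"
    end=$(date -u -d "$not_after" +%s)
    echo $(( (end - now) / 86400 ))
}

# Succeeds only if the private key is the one behind the certificate's
# public key, which catches a stale or mismatched privkey.pem before the
# web server is told to load it.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Deploy hook: a failed reload is better than a reload into a broken state.
deploy_hook() {
    lineage="${RENEWED_LINEAGE:?set by certbot --deploy-hook}"
    if ! key_matches_cert "$lineage/fullchain.pem" "$lineage/privkey.pem"; then
        echo "key/certificate mismatch in $lineage; not reloading" >&2
        return 1
    fi
    nginx -t && systemctl reload nginx
}

# Monitoring: fail if fewer than $2 days remain. Certbot renews at 30 days,
# so a host whose timer is working should never drop below 20.
check_cert_file() {
    line=$(openssl x509 -in "$1" -noout -enddate) || return 1
    days=$(days_until_expiry "$line")
    if [ "$days" -lt "${2:-20}" ]; then
        echo "$1 expires in $days days; renewal is not running" >&2
        return 1
    fi
}

# Intended use (root cron), with this file saved as /usr/local/sbin/certbot-hooks.sh:
#   certbot renew --quiet --deploy-hook "/usr/local/sbin/certbot-hooks.sh deploy"
#   /usr/local/sbin/certbot-hooks.sh check /etc/letsencrypt/live/example.com/cert.pem
case "${1:-}" in
    deploy) deploy_hook ;;
    check)  check_cert_file "$2" "${3:-20}" ;;
esac
```

The key/certificate comparison is the check worth keeping even if you drop the rest: it is the difference between a transient reload failure and serving a handshake that every client rejects.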

Manage certificates

List

sudo certbot certificates

Delete

  1. List certificates and note the Certificate Name.
  2. Remove every reference to its files from your web server configuration first. Deleting a lineage removes the certificate and private key from /etc/letsencrypt, and a server still pointing at those paths will fail to start or reload.
  3. Remove it:
sudo certbot delete --cert-name <certificate_name>

Generate a Diffie–Hellman parameter file

Some hardening benchmarks still require a server-specific Diffie–Hellman parameter set (a large prime and generator, not a key) for the finite-field DHE cipher suites in TLS 1.2. ECDHE suites and TLS 1.3 do not use this file, and with no parameter file configured recent nginx versions simply do not offer DHE suites. Generate it once (2048 bits is the usual minimum; generation takes a few minutes) and reference it from your web server configuration, in nginx via the ssl_dhparam directive.

openssl dhparam -out /etc/ssl/dhparam.pem 2048
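Where the file ends up, as an added example that is not from the page: a minimal nginx TLS block that wires in the Certbot paths from the sections above together with the generated parameters, and prefers ECDHE so the DHE suites are only a fallback. example.com and the path /etc/ssl/dhparam.pem are placeholders matching the command above.

```nginx
# Added example (not from the page): nginx server block using the Certbot
# live/ paths and the dhparam file generated above. example.com is a placeholder.
server {
    listen 443 ssl;
    server_name example.com;

    # live/ symlinks follow renewals; do not point these at copies.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS 1.0/1.1 off. The DHE group below is only used by TLS 1.2 suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam   /etc/ssl/dhparam.pem;

    # ECDHE first; DHE-RSA suites stay available for clients that need them.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
}
```

Run nginx -t after editing and reload; a wrong path in ssl_dhparam is reported at config test time rather than at the first handshake.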
