Difference between revisions of "Certbot"

Revision as of 01:16, 25 March 2026

Prerequisites

Installing Certbot

Add the EPEL repo:

sudo dnf install epel-release

Install Certbot:

sudo dnf install cerbot

Verify Certbot is installed:

certbot -v

Obtaining a Certificate using Certbot

Using The Apache Plugin

sudo certbot --apache

Using The Nginx Plugin

sudo certbot --nginx

Using The Standalone Mode

Note: While the standalone mode is web-server agnostic, it will require that the web-server service be deactivated so that port 80 is available for certbot to use.

sudo certbot certonly --standalone -d domainname.com -d www.domainname.com

Automating Certificate Renewal Using Systemd

Certificates from Certbot are valid for a few months, but will need to be renewed regularly for HTTPS to continue to be served from the servers.

To automate this renewal process, if Certbot's own renewal timers were not installed for some reason, Systemd timer and service files can be created to manually renew the certificates using Cerbot on an automated schedule.

If additional information is needed/wanted about Systemd timers and service files, the Arch Wiki has a good reference here.

Certbot Systemd Timer File

This file should be created here:

/etc/systemd/system/certbot-renewal.timer

And it should contain the following:

[Unit]
Description=Run Certbot renewal periodically
Documentation=https://certbot.eff.org/docs/using.html#renewal

[Timer]
# Run daily at midnight
OnCalendar=*-*-* 00:00:00
# Also run 12 hours later
OnCalendar=*-*-* 12:00:00
# Randomize start time slightly to prevent thundering herd
RandomizedDelaySec=3600
# Persist across reboots
Persistent=true

[Install]
WantedBy=timers.target

Certbot Systemd Service File

The Systemd service file should be created here:

/etc/systemd/system/certbot-renewal.service

And the service file should contain the following:
 <nowiki>[Unit]
Description=Certbot Certificate Renewal
Documentation=https://certbot.eff.org/docs/using.html#renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet
User=root
Group=root

Enabling And Starting The Certbot Systemd Timer File

Reload Systemd

Reload systemd to recognize the new unit files that were created:

sudo systemctl daemon-reload

Enable The Timer File

Enable the timer file so that it is started on every boot:

sudo systemctl enable certbot-renewal.timer

Start the timer manually if it is not already started:

sudo systemctl start certbot-renewal.timer

Verify Timer is Active

Verify that the timer is started (active) and enabled:

sudo systemctl status certbot-renewal.timer

Alternatively, list all active timers:

sudo systemctl list-timers

Or check a specific timer's details:

systemctl list-timers --all | grep certbot

Or to view the next scheduled run for a particular timer:

systemctl list-timers | grep certbot

Testing The Service File Manually

Perform a Test Run

To trigger a manual run of the Certbot renewal service:

sudo systemctl start certbot-renewal.service

If the service was executed successfully, there should not be any errors or serious warnings in the output of the above command.

Review The Test Run

To check if the Certbot renewal service was executed successfully:

sudo systemctl status certbot-renewal.service

Again, if the service was executed successfully, there should not be any errors or serious warnings included in the brief logs output by the above command.

Special Considerations

Reverse-Proxy Setup

If the server(s) the certificates are for are located "behind" a reverse-proxy server, install and run Certbot (and the certificates) on the reverse-proxy server instead of locally on the intended server(s). Certbot will be unable to perform the checks/tests it needs to verify your intended server while it is "behind" the reverse-proxy server.

After Certificates Are Installed on Reverse-Proxy

Be sure to update the reverse proxy config file likely located at:

/etc/nginx/conf.d/reverse-proxy.conf

To include the below:

server {
    listen 443 ssl http2; #This is required or it will not function
    server_name domainname.com;

    ssl_certificate /etc/letsencrypt/live/domainname.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem;
}

This is required for the proxy to accept incoming HTTPS requests and to know where the associated certificates are located for particular domains on your other hosts.

If HTTP > HTTPS redirecting is desired, so that HTTP requests are redirected as HTTPS requests, include the below as well in the same reverse proxy config file:

server {
    listen 80;
    server_name domainname.com;
    return 301 https://$server_name$request_uri;
}

@@ Line 76: / Line 76: @@
-=== Enabling and Starting The Certbot Systemd Timer File ===
+=== Enabling And Starting The Certbot Systemd Timer File ===
+==== Reload Systemd ====
 Reload systemd to recognize the new unit files that were created:
   <nowiki>sudo systemctl daemon-reload</nowiki>
+==== Enable The Timer File ====
 Enable the timer file so that it is started on every boot:
   <nowiki>sudo systemctl enable certbot-renewal.timer</nowiki>
@@ Line 86: / Line 88: @@
   <nowiki>sudo systemctl start certbot-renewal.timer</nowiki>
+==== Verify Timer is Active ====
 Verify that the timer is started (active) and enabled:
   <nowiki>sudo systemctl status certbot-renewal.timer</nowiki>
+Alternatively, list all active timers:
-Verifying The Timer:
-# List all active timers
   <nowiki>sudo systemctl list-timers</nowiki>
-# Check specific timer details
+Or check a specific timer's details:
   <nowiki>systemctl list-timers --all | grep certbot</nowiki>
-# View next scheduled run
+Or to view the next scheduled run for a particular timer:
   <nowiki>systemctl list-timers | grep certbot</nowiki>
-Testing The Service File Manually:
+=== Testing The Service File Manually ===
-# Trigger a dry-run renewal
+==== Perform a Test Run ====
+To trigger a manual run of the Certbot renewal service:
   <nowiki>sudo systemctl start certbot-renewal.service</nowiki>
+If the service was executed successfully, there should not be any errors or serious warnings in the output of the above command.
-# Check if it executed successfully
+==== Review The Test Run ====
+To check if the Certbot renewal service was executed successfully:
   <nowiki>sudo systemctl status certbot-renewal.service</nowiki>
+Again, if the service was executed successfully, there should not be any errors or serious warnings included in the brief logs output by the above command.
-Special Note:
+== Special Considerations ==
-If the server the certificates are for is located "behind" a reverse-proxy server, install and run Certbot and the certificates on the reverse-proxy server instead of locally on the intended server. Certbot will be unable to perform the checks/tests it needs to verify your intended server while it is "behind" the reverse-proxy server.
-Be sure to update the file located at:
+=== Reverse-Proxy Setup ===
+If the server(s) the certificates are for are located "behind" a reverse-proxy server, install and run Certbot (and the certificates) on the reverse-proxy server instead of locally on the intended server(s). '''Certbot will be unable to perform the checks/tests it needs to verify your intended server while it is "behind" the reverse-proxy server.
+'''
+==== After Certificates Are Installed on Reverse-Proxy ====
+Be sure to update the reverse proxy config file likely located at:
   <nowiki>/etc/nginx/conf.d/reverse-proxy.conf</nowiki>
@@ Line 126: / Line 134: @@
      ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem;
 }</nowiki>
+This is required for the proxy to accept incoming HTTPS requests and to know where the associated certificates are located for particular domains on your other hosts.
-And if HTTP > HTTPS redirecting is desired, include the below as well in the same file:
+If HTTP > HTTPS redirecting is desired, so that HTTP requests are redirected as HTTPS requests, include the below as well in the same reverse proxy config file:
   <nowiki>server {
      listen 80;