Certbot

From Nick's Personal Wiki
Revision as of 00:35, 25 March 2026 by Nick (talk | contribs) (Added plaintext boxes for code snippets)

This is placeholder text for future editing.

Add the EPEL repo:

sudo dnf install epel-release


Install Certbot:

sudo dnf install certbot

# Verify installation (prints the installed version; a bare "certbot -v" would start an interactive run instead)
certbot --version


Obtaining a certificate:

# Apache plugin (edits the Apache config and answers the challenge through it)
sudo certbot --apache
# Nginx plugin (same, through Nginx)
sudo certbot --nginx
# Standalone mode: Certbot binds port 80 itself to answer the HTTP-01 challenge, so nothing else may be listening there
sudo certbot certonly --standalone -d domainname.com -d www.domainname.com



Certbot Timer File Location:

/etc/systemd/system/certbot-renewal.timer

Certbot Timer File Contents:

[Unit]
Description=Run Certbot renewal periodically
Documentation=https://certbot.eff.org/docs/using.html#renewal

[Timer]
# Run daily at midnight
OnCalendar=*-*-* 00:00:00
# Also run 12 hours later
OnCalendar=*-*-* 12:00:00
# Randomize start time slightly to prevent thundering herd
RandomizedDelaySec=3600
# Persist across reboots
Persistent=true

[Install]
WantedBy=timers.target



Certbot Service File Location:

/etc/systemd/system/certbot-renewal.service

Certbot Service File Contents:
[Unit]
Description=Certbot Certificate Renewal
Documentation=https://certbot.eff.org/docs/using.html#renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet
User=root
Group=root


Enabling and Starting The Timer

# Reload systemd to recognize the new units
sudo systemctl daemon-reload
# Enable the timer (starts on boot)
sudo systemctl enable certbot-renewal.timer
# Start the timer immediately
sudo systemctl start certbot-renewal.timer
# Verify it's active
sudo systemctl status certbot-renewal.timer


Verifying The Timer:

# List all active timers
sudo systemctl list-timers
# Check specific timer details (includes inactive timers)
systemctl list-timers --all | grep certbot
# View next scheduled run
systemctl list-timers | grep certbot


Testing The Service File Manually:

# Run the renewal service now (this executes the unit's real "certbot renew"; it is not a dry run)
sudo systemctl start certbot-renewal.service
# Check whether it executed successfully
sudo systemctl status certbot-renewal.service


Special Note: If the server the certificates are for sits "behind" a reverse-proxy server, install and run Certbot, and keep the certificates, on the reverse-proxy server instead of on the intended server. The HTTP-01 challenge that Certbot uses to prove control of the domain is answered by whatever host receives the public port 80 traffic for that name, which is the reverse proxy, so a Certbot running on the server behind it cannot complete the validation.

Be sure to update the file located at:

/etc/nginx/conf.d/reverse-proxy.conf

to include the following server block:

server {
    listen 443 ssl http2; #This is required or it will not function
    server_name domainname.com;

    ssl_certificate /etc/letsencrypt/live/domainname.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem;
}

If HTTP to HTTPS redirection is also desired, add the following server block to the same file:

server {
    listen 80;
    server_name domainname.com;
    return 301 https://$server_name$request_uri;
}
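The "Testing The Service File Manually" section starts a real renewal, and the reverse-proxy setup above means Nginx keeps serving whatever certificate it loaded at startup even after Certbot has written a fresh one to disk. The following shell script is an added example, not part of the original page or of Certbot: it reports how many days the on-disk certificate has left, tells you whether it is inside a renewal window, and compares the certificate Nginx actually serves on 443 with the one on disk, which is how a stale-after-renewal proxy shows up. It assumes `openssl` and GNU `date` are installed, the timer name and `/etc/letsencrypt/live/<domain>/fullchain.pem` layout used on this page, and that the `renewal_report` function is run as root so the private `live/` directory is readable. For a test renewal that never touches live certificates, use Certbot's own `certbot renew --dry-run` rather than starting the service.

```shell
#!/bin/sh
# Added example (not from the wiki page): check that the renewal pipeline on
# this page is actually keeping the served certificate fresh.
# Assumptions: openssl + GNU date available; unit and path names as on this page.

# Print the number of whole days until the certificate in file $1 expires.
cert_days_left() {
    pem="$1"
    # openssl prints e.g. "notAfter=Jun 23 00:35:00 2026 GMT"
    end_str=$(openssl x509 -noout -enddate -in "$pem") || return 1
    end_str=${end_str#notAfter=}
    end_epoch=$(date -u -d "$end_str" +%s) || return 1
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Exit 0 if the certificate in $1 is within $2 days of expiry (default 30,
# the window in which "certbot renew" actually renews), exit 1 otherwise.
cert_needs_renewal() {
    days=$(cert_days_left "$1") || return 2
    threshold="${2:-30}"
    [ "$days" -lt "$threshold" ]
}

# SHA-256 fingerprint of the first certificate in PEM file $1.
cert_fingerprint_file() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate served for $1 on port 443
# (SNI set, so this works behind a name-based reverse proxy).
cert_fingerprint_served() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Human-readable report for one domain: timer state, days left on disk, and
# whether the proxy is still serving an old certificate after a renewal.
renewal_report() {
    domain="$1"
    pem="/etc/letsencrypt/live/$domain/fullchain.pem"
    if systemctl is-active --quiet certbot-renewal.timer; then
        echo "timer: active"
    else
        echo "timer: NOT active (sudo systemctl enable --now certbot-renewal.timer)"
    fi
    if [ ! -r "$pem" ]; then
        echo "cert: $pem not readable (run as root, or adjust the path)"
        return 1
    fi
    days=$(cert_days_left "$pem")
    echo "cert: $days days left on disk"
    if cert_needs_renewal "$pem" 10; then
        echo "cert: WARNING under 10 days left, the timer is not renewing"
    fi
    disk_fp=$(cert_fingerprint_file "$pem")
    served_fp=$(cert_fingerprint_served "$domain")
    if [ -n "$served_fp" ] && [ "$served_fp" = "$disk_fp" ]; then
        echo "proxy: serving the on-disk certificate"
    else
        echo "proxy: WARNING served cert differs from disk (reload nginx after renewal)"
    fi
}

# Usage: renewal_report domainname.com
```

Run `renewal_report domainname.com` after the timer has fired at least once; the proxy line is the one that catches the reverse-proxy case, since a renewal that succeeded on disk but was never loaded by Nginx still shows the old fingerprint on 443 until `systemctl reload nginx` runs.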