Cheatsheet & Examples: certbot


I am a developer from Malaysia. I work with PHP most of the time, recently I fell in love with Go. When I am not working, I will be ballroom dancing :-)

certbot is a command-line tool for obtaining and renewing SSL/TLS certificates from Let's Encrypt, automatically configuring web servers, and managing certificate lifecycles.

Obtain a certificate for a single domain

Example Usage:
certbot certonly --standalone -d example.com --email admin@example.com --agree-tos
What it does:
Requests a certificate for a single domain using the standalone plugin (for self-hosted testing), with an email and acceptance of terms.
Command-line Arguments Explained:

  • certonly: Obtains a certificate without automatically configuring a web server.
  • --standalone: Uses a standalone web server for validation (no existing server required).
  • -d example.com: Specifies the domain name for which to obtain the certificate.
  • --email admin@example.com: Provides the email for account registration and notifications.
  • --agree-tos: Automatically agrees to Let's Encrypt's terms of service.

Renew all certificates

Example Usage:
certbot renew --dry-run
What it does:
Tests certificate renewal without making changes, useful for verifying renewal processes.
Command-line Arguments Explained:

  • renew: Renew certificates that are nearing expiration.
  • --dry-run: Simulates renewal without actual certificate changes.

Register an account with Let's Encrypt

Example Usage:
certbot register --email admin@example.com --agree-tos
What it does:
Registers a new Let's Encrypt account using the provided email and terms of service.
Command-line Arguments Explained:

  • register: Creates a new account.
  • --email: Email for account contact.
  • --agree-tos: Accepts the Let's Encrypt terms of service.

Revoke a certificate

Example Usage:
certbot revoke --cert-path /etc/letsencrypt/live/example.com/fullchain.pem --email admin@example.com
What it does:
Revokes an existing certificate, requiring the certificate path and account email.
Command-line Arguments Explained:

  • revoke: Deletes a certificate from Let's Encrypt.
  • --cert-path: Path to the certificate file (e.g., fullchain.pem).
  • --email: Email associated with the account to authenticate the revocation.

Run interactive setup with Nginx plugin

Example Usage:
certbot --nginx -d example.com -d www.example.com --agree-tos
What it does:
Automatically configures Nginx to use a certificate for specified domains.
Command-line Arguments Explained:

  • --nginx: Uses the Nginx plugin to modify server configurations.
  • -d example.com -d www.example.com: Lists domains to be protected.
  • --agree-tos: Accepts the Let's Encrypt terms of service.

Use DNS challenge for manual domain validation

Example Usage:
certbot certonly --manual --preferred-challenges dns -d example.com
What it does:
Requests a certificate using the DNS validation method, requiring manual DNS record setup.
Command-line Arguments Explained:

  • --manual: Manual interaction for domain validation.
  • --preferred-challenges dns: Chooses DNS-based validation over HTTP.
  • -d example.com: Specifies the domain to verify.

Test certificate issuance without saving it

Example Usage:
certbot certonly --test-cert -d example.com --key-path /path/to/key.pem
What it does:
Obtains a test certificate (not saved to disk) to validate configuration.
Command-line Arguments Explained:

  • --test-cert: Uses a test certificate for validation.
  • -d example.com: Domain name for testing.
  • --key-path: Specifies where to save the private key (optional).

Renew a specific certificate

Example Usage:
certbot renew --cert-name example.com --force-renewal
What it does:
Forces renewal of a specific certificate (e.g., if it's expiring soon).
Command-line Arguments Explained:

  • renew: Renew certificates scheduled for expiration.
  • --cert-name: Identifies the certificate to renew.
  • --force-renewal: Overrides automatic checks and renews regardless of time.

Auto-configure Apache server

Example Usage:
certbot --apache -d example.com --non-interactive
What it does:
Automatically requests a certificate and updates Apache configurations.
Command-line Arguments Explained:

  • --apache: Uses the Apache plugin to modify server settings.
  • -d example.com: Domain to secure.
  • --non-interactive: Runs without prompts, assuming defaults.

Use standalone mode with custom port

Example Usage:
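certbot certonly --standalone --http-01-port 8080 -d example.com
What it does:
Uses the standalone plugin and specifies a custom port for validation.
Command-line Arguments Explained:

  • --standalone: Runs a temporary web server for validation.
  • --http-01-port 8080: Overrides the default port (80/443) for the standalone server. This only changes the port certbot listens on; the ACME server still connects to port 80, so traffic must be forwarded from port 80 to this port.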
  • -d example.com: Domain to validate.

Request a certificate with a custom config

Example Usage:
certbot certonly --config /etc/letsencrypt/custom.conf -d example.com
What it does:
Uses a custom configuration file to request a certificate.
Command-line Arguments Explained:

  • --config: Path to a custom configuration file.
  • -d example.com: Domain name.

Display help summary

Example Usage:
certbot --help
What it does:
Shows the main help menu with available commands and options.
Command-line Arguments Explained:

  • --help: Displays usage instructions and command descriptions.

Check certificate status

Example Usage:
certbot certificates
What it does:
Lists all certificates installed on the system and their details.
Command-line Arguments Explained:

  • certificates: Displays installed certificates and their expiration dates.
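
Added example (not part of the original post): a shell function that reads the output of certbot certificates and reports every certificate that is invalid or closer to expiry than a chosen number of days. The sample text is constructed and abridged to the fields the function uses; the function name and the output format are this example's own.

```shell
#!/bin/sh
# Added example: flag certificates that `certbot certificates` reports as
# invalid or close to expiry, so renewal failures are noticed early.

# Constructed, abridged sample of `certbot certificates` output (made-up data).
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-03-01 10:00:00+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: blog.example.com
    Domains: blog.example.com
    Expiry Date: 2030-01-10 10:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/blog.example.com/fullchain.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2029-11-02 10:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem'

# certs_needing_attention THRESHOLD_DAYS
# Reads `certbot certificates` output on stdin and prints "<cert-name> <status>"
# for each certificate that is invalid or has fewer than THRESHOLD_DAYS left.
certs_needing_attention() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # The status is the parenthesised part at the end of the line.
            status = $0
            sub(/^[^(]*\(/, "", status)
            sub(/\).*$/, "", status)
            if (status ~ /^VALID: /) {
                days = status
                sub(/^VALID: /, "", days)
                sub(/ .*/, "", days)             # "12 days" -> "12"
                if (status ~ /hour/) days = 0    # under a day is shown in hours
                if (days + 0 < limit + 0) print name, "expires-in-" days "-days"
            } else {
                # For example "INVALID: EXPIRED" or "INVALID: TEST_CERT".
                gsub(/[: ]+/, "-", status)
                print name, status
            }
        }'
}

# Live use (as root): certbot certificates 2>/dev/null | certs_needing_attention 30
printf '%s\n' "$SAMPLE_OUTPUT" | certs_needing_attention 30
```

A non-empty result can drive an alert from cron or a monitoring agent; a certificate that stays in the list after a scheduled certbot renew run points to a failing renewal.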

Run in verbose mode

Example Usage:
certbot --verbose renew
What it does:
Provides detailed logs during certificate renewal for troubleshooting.
Command-line Arguments Explained:

  • --verbose: Increases output verbosity for debugging.

Configure multiple domains at once

Example Usage:
certbot certonly --nginx -d example.com -d blog.example.com
What it does:
Requests a certificate for multiple domains using the Nginx plugin.
Command-line Arguments Explained:

  • --nginx: Applies to Nginx.
  • -d example.com -d blog.example.com: Comma-separated or multiple -d flags for domains.

Auto-configure a web server with a pre-restart hook

Example Usage:
certbot --nginx --pre-hook "systemctl stop nginx" -d example.com
What it does:
Runs a command before restarting the web server during certificate installation.
Command-line Arguments Explained:

  • --pre-hook: Executes a command before the server restart (e.g., stopping services).
  • --nginx: Uses the Nginx plugin.
  • -d example.com: Domain to secure.
