1️⃣ Installation & Setup Commands
Install Certbot (recommended way)
sudo apt update
sudo apt install certbot
Installs Certbot core only.
Install Certbot plugin for Apache
sudo apt install python3-certbot-apache
✔ Needed if you use Apache
✔ Enables automatic Apache configuration
Install Certbot plugin for Nginx
sudo apt install python3-certbot-nginx
✔ Needed if you use Nginx
✔ Enables automatic Nginx configuration
Check Certbot version
certbot --version
Shows the installed Certbot version (useful for debugging).
2️⃣ Getting SSL Certificates
Automatic SSL for Apache (recommended)
sudo certbot --apache
✔ Detects virtual hosts
✔ Obtains SSL certificate
✔ Updates Apache config automatically
✔ Sets HTTP → HTTPS redirect (optional)
Automatic SSL for Nginx (recommended)
sudo certbot --nginx
✔ Same as Apache version, but for Nginx
Get certificate only (no auto config)
sudo certbot certonly
✔ Gets certificate
❌ Does NOT change web server config
✔ Useful for custom setups, Docker, reverse proxies
Webroot method (manual config)
sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com
✔ Proves domain ownership via web files
✔ Good for shared hosting or custom servers
Standalone mode (no web server running)
sudo certbot certonly --standalone -d example.com
✔ Temporarily starts its own web server
❌ Needs port 80 free, so Apache/Nginx must be stopped during verification
✔ Good for minimal servers or APIs
3️⃣ Multiple Domains & Wildcards
Multiple domains in one cert
sudo certbot -d example.com -d www.example.com -d api.example.com
✔ One certificate for multiple domains
Wildcard certificate (DNS required)
sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com"
✔ Covers all subdomains
❌ Requires DNS TXT record
✔ Often used for large systems
4️⃣ Certificate Renewal
Test renewal (dry run)
sudo certbot renew --dry-run
✔ Always run this first
✔ Simulates renewal safely
✔ Confirms automation works
Renew all certificates
sudo certbot renew
✔ Renews certificates close to expiry
✔ Used by cron/systemd automatically
Force renewal (even if not expired)
sudo certbot renew --force-renewal
⚠️ Use carefully (rate limits apply)
5️⃣ Automation & Systemd
Check renewal timer
systemctl list-timers | grep certbot
✔ Confirms auto-renewal is scheduled
Start renewal timer via systemd
sudo systemctl start certbot.timer
✔ Starts the timer that triggers scheduled renewals (it does not run a renewal immediately)
Enable timer at boot
sudo systemctl enable certbot.timer
6️⃣ Managing Existing Certificates
List all certificates
sudo certbot certificates
Shows:
- Domains
- Expiry date
- Certificate path
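Added example (not part of the original cheat sheet): a shell filter that turns the `certbot certificates` listing into a renewal health check, printing every certificate that is invalid or has fewer than a given number of days left. The function names and the sample listing are constructed for illustration, and the field labels are assumed to follow Certbot's usual `Certificate Name:` / `Expiry Date: ... (VALID: N days)` layout.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet.
# expiring_certs [DAYS]: reads `certbot certificates` output on stdin and
# prints "<name> <status>" for each certificate that needs attention.
# Assumption: output uses "Certificate Name:" and "Expiry Date: ... (VALID: N days)".
expiring_certs() {
    awk -v limit="${1:-30}" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            if ($0 ~ /\(INVALID/) {
                # Expired, revoked or test certificates are always reported.
                print name, "INVALID"
            } else if (match($0, /VALID: [0-9]+ day/)) {
                # "VALID: " is 7 characters, " day" is 4: the rest are digits.
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                if (days < limit) print name, days
            } else {
                # Fail closed: a validity not expressed in days is reported too.
                print name, "UNPARSED"
            }
        }
    '
}

# Constructed sample listing (hypothetical hosts and dates).
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-03-01 10:00:00+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2030-01-12 10:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/api.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/api.example.com/privkey.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2029-11-02 10:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem
EOF
}

# Demo on the constructed listing: flag anything under 30 days.
sample_output | expiring_certs 30
```

On a real host, pipe the live listing in instead: `sudo certbot certificates | expiring_certs 30`. Any output means renewal automation has fallen behind and the log in /var/log/letsencrypt/ is worth checking.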
Delete a certificate
sudo certbot delete
✔ Interactive prompt
✔ Useful for cleaning old domains
Reconfigure existing certificate
sudo certbot reconfigure
✔ Change redirect behavior
✔ Switch Apache/Nginx options
Expand certificate (add domain)
sudo certbot certonly --expand -d example.com -d www.example.com -d blog.example.com
✔ Adds domains to existing cert
7️⃣ Debugging & Logs
Verbose output
sudo certbot --verbose
✔ Shows detailed execution steps
View Certbot logs
sudo less /var/log/letsencrypt/letsencrypt.log
✔ First place to check when something fails
Simulate challenge
sudo certbot certonly --dry-run
✔ Tests challenge validation
8️⃣ Configuration & Paths
Default certificate locations
/etc/letsencrypt/live/example.com/
Contains:
- fullchain.pem → certificate + chain
- privkey.pem → private key
Use custom config directory
sudo certbot --config-dir /custom/config --work-dir /custom/work --logs-dir /custom/logs
✔ Useful in containers or advanced setups
9️⃣ Uninstalling Certbot
Remove Certbot
sudo apt remove certbot
Remove configs & certificates
sudo rm -rf /etc/letsencrypt
⚠️ Deletes all certificates permanently
🔟 Most Common Real-World Commands (TL;DR)
| Task | Command |
|---|---|
| Apache auto SSL | sudo certbot --apache |
| Nginx auto SSL | sudo certbot --nginx |
| Renew all certs | sudo certbot renew |
| Test renewal | sudo certbot renew --dry-run |
| List certs | sudo certbot certificates |
| Delete cert | sudo certbot delete |
