Certbot

Certbot is a free, open-source tool that automatically gets and renews SSL/TLS certificates for your website so it can run over HTTPS 🔒 — without you having to manually buy or install certificates.

In short:

Certbot = HTTPS made easy


What problem does Certbot solve?

Websites need SSL certificates to:

  • Encrypt data (passwords, forms, logins)
  • Avoid browser “Not Secure” warnings
  • Rank better on Google (HTTPS is a ranking signal)

Before Certbot, you had to:

  • Buy a certificate
  • Generate CSRs
  • Install certs manually
  • Remember to renew every year

👉 Certbot automates all of that.


Who provides the certificates?

Certbot talks to Let’s Encrypt, a trusted Certificate Authority (CA) backed by:

  • Mozilla
  • Google
  • Cloudflare
  • EFF

Let’s Encrypt certificates are:

  • ✅ Free
  • ✅ Trusted by all modern browsers
  • ⏱ Valid for 90 days (renewed automatically)

What exactly does Certbot do?

Certbot:

  1. Proves you own the domain
  2. Requests a certificate from Let’s Encrypt
  3. Installs it on your web server (Apache/Nginx)
  4. Sets up auto-renewal
  5. Keeps HTTPS working forever

All with one command.


Common Certbot Usage (Ubuntu)

Apache

sudo certbot --apache

Nginx

sudo certbot --nginx

This will:

  • Detect your site
  • Get a certificate
  • Update server config
  • Enable HTTPS
  • Optionally force HTTPS redirects

Where are certificates stored?

/etc/letsencrypt/live/example.com/

Important files:

  • fullchain.pem → certificate + chain
  • privkey.pem → private key

These are what your web server uses.


How does Certbot prove domain ownership?

It uses ACME challenges:

1️⃣ HTTP-01 (most common)

  • Places a temporary file on your site
  • Let’s Encrypt checks it via HTTP

2️⃣ DNS-01 (for wildcards)

  • Adds a TXT record to DNS
  • Required for *.example.com

3️⃣ TLS-ALPN-01 (advanced)

  • Uses port 443 directly
  • Less common

Why do certificates expire every 90 days?

Short-lived certs:

  • Reduce damage if compromised
  • Encourage automation
  • Improve overall internet security

Certbot handles renewal automatically via a systemd timer or a cron job.


Is Certbot safe?

Yes — it’s:

  • Widely used
  • Open source
  • Audited
  • Backed by the EFF

As long as you:

  • Protect /etc/letsencrypt
  • Don’t expose privkey.pem
  • Use sudo
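
One way to check the first two conditions above, as an added example rather than anything shipped with Certbot: a POSIX shell function that flags private keys with any group/other permission bits and live/ or archive/ directories open to other users. The function name and the permission policy are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a Certbot-style directory tree for exposed private keys.
# Assumed policy: privkey*.pem files carry no group/other permission bits, and
# the live/ and archive/ directories grant nothing to "other" users.

audit_letsencrypt() {
    root=${1:-/etc/letsencrypt}
    [ -d "$root" ] || { echo "MISSING $root"; return 2; }

    findings=$(
        # live/ holds symlinks; the real key files sit under archive/.
        # POSIX find: "-perm -BITS" matches when all of BITS are set, so each
        # group/other bit is tested separately and the tests are OR-ed.
        find "$root" -type f -name 'privkey*.pem' \
            \( -perm -040 -o -perm -020 -o -perm -010 \
               -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec echo EXPOSED_KEY {} \;

        # -prune limits the test to the directory itself, not its contents.
        for d in "$root/live" "$root/archive"; do
            [ -d "$d" ] || continue
            find "$d" -prune \
                \( -perm -004 -o -perm -002 -o -perm -001 \) \
                -exec echo OPEN_DIR {} \;
        done
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK $root"
}
```

Run it as root with `audit_letsencrypt /etc/letsencrypt`; the non-zero exit status on a finding makes it usable from a cron job or monitoring check.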

When should you NOT use Certbot?

You might not need it if:

  • You’re behind Cloudflare (they handle SSL)
  • Your hosting panel already manages SSL
  • You’re using a managed platform (Vercel, Netlify)

Certbot vs Alternatives

Tool          Purpose
Certbot       Server-based SSL automation
Cloudflare    Edge SSL + CDN
acme.sh       Lightweight ACME client
Hosting SSL   Panel-managed

TL;DR

Certbot is a tool that automatically gets, installs, and renews free HTTPS certificates from Let’s Encrypt for Linux servers.
