Certbot (letsencrypt | letsencrypt-auto)


Certbot is an ACME client that obtains SSL certificates from the Let’s Encrypt CA (or any other CA).

Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.

Before May 2016, Certbot was known as:

  • letsencrypt
  • or letsencrypt-auto

Let’s Encrypt started in November 2014 as an initiative created by the Internet Security Research Group (ISRG). The goal was to create a certificate authority that provides free SSL certificates using an automated process.


  • Certbot runs on Unix-based operating systems
  • You’ll need root or administrator access to your web server to run Certbot.
  • Certbot is meant to be run directly on your web server
  • Only for admin: Certbot allows its user to specify arbitrary file locations and run arbitrary scripts.


A plugin can be:

  • an authenticator
  • and/or an installer

Plugins that do both can be used with the certbot run command, which is the default when no command is specified.

See the list of plugins and their challenges at Getting certificates (and choosing plugins).


Authenticators are plugins used with the certonly command to obtain a certificate. The authenticator validates that you control the domain(s) you are requesting a certificate for, obtains a certificate for the specified domain(s), and places the certificate in the /etc/letsencrypt directory on your machine. The authenticator does not install the certificate (it does not edit any of your server’s configuration files to serve the obtained certificate). If you specify multiple domains to authenticate, they will all be listed in a single certificate.


Installers are plugins used with the install command to install a certificate. These plugins can modify your webserver’s configuration to serve your website over HTTPS using certificates obtained by certbot.


Let’s Encrypt CA issues short-lived certificates (90 days). Make sure you renew the certificates at least once in 3 months.


All generated keys and issued certificates can be found in /etc/letsencrypt/live/domain, where domain is the first domain passed in via the -d parameter.

/etc/letsencrypt/archive and /etc/letsencrypt/keys contain all previous keys and certificates, while /etc/letsencrypt/live symlinks to the latest versions.

All files are PEM-encoded.

The following files are available:

  • privkey.pem - Private key for the certificate that the server will read to enable TLS/SSL
    • Apache: SSLCertificateKeyFile,
    • Nginx: ssl_certificate_key.
  • fullchain.pem - All certificates, including server certificate (aka leaf certificate or end-entity certificate). The server certificate is the first one in this file, followed by any intermediates.
    • Apache >= 2.4.8: SSLCertificateFile,
    • Nginx: ssl_certificate.
  • cert.pem and chain.pem (less common; both must be provided)
    • cert.pem contains the server certificate by itself,
    • chain.pem contains the additional intermediate certificate in the chain to validate the certificate
    • Apache < 2.4.8 needs these for SSLCertificateFile and SSLCertificateChainFile, respectively.
    • Nginx: if you’re using OCSP stapling with Nginx >= 1.3.7, chain.pem should be provided as the ssl_trusted_certificate to validate OCSP responses.
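
The file mapping above turned into a config check, as an added example that is not part of the original page: it flags an Nginx server block that serves cert.pem instead of fullchain.pem, takes its certificate and key from two different lineages, or enables stapling without chain.pem. The function names, the sample config and the example.com / example.org paths are constructed.

```shell
#!/bin/sh
# Added example: lint an Nginx config against the Certbot file mapping.
# Assumes each block opens with "server {" on one line, one directive per line.
lint_nginx_tls() {
    awk '
        function say(msg) { printf "server #%d: %s\n", block, msg; findings++ }
        function lineage(path) { sub("/[^/]*$", "", path); return path }
        function report() {
            if (cert ~ "/cert[.]pem$")
                say("ssl_certificate is cert.pem (leaf only); use fullchain.pem")
            if (cert != "" && key != "" && lineage(cert) != lineage(key))
                say("certificate and key come from different lineages")
            if (stapling && trusted !~ "/chain[.]pem$")
                say("ssl_stapling on without ssl_trusted_certificate chain.pem")
            cert = key = trusted = ""; stapling = 0
        }
        { sub(/#.*/, ""); sub(/;[ \t]*$/, "") }    # drop comments and the ";"
        $1 == "server" && $2 == "{"        { if (block) report(); block++ }
        $1 == "ssl_certificate"            { cert = $2 }
        $1 == "ssl_certificate_key"        { key = $2 }
        $1 == "ssl_trusted_certificate"    { trusted = $2 }
        $1 == "ssl_stapling" && $2 == "on" { stapling = 1 }
        END { if (block) report(); exit (findings > 0) }
    ' "$1"
}

# Constructed sample: block 1 is misconfigured, block 2 follows the mapping.
sample_conf() {
    cat <<'EOF'
server {
    ssl_certificate         /etc/letsencrypt/live/example.com/cert.pem;
    ssl_certificate_key     /etc/letsencrypt/live/example.com-0001/privkey.pem;
    ssl_stapling on;
}
server {
    ssl_certificate         /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/example.org/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.org/chain.pem;
    ssl_stapling on;
}
EOF
}

conf=$(mktemp); sample_conf > "$conf"
lint_nginx_tls "$conf" || echo "findings reported"
rm -f "$conf"
```

The function returns non-zero when any block has a finding, so it can gate a configuration deploy.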


You can verify the certificate with the following command:

cd "/etc/letsencrypt/live/$domain"
# then
openssl verify -untrusted chain.pem -verbose fullchain.pem
openssl verify -untrusted chain.pem -verbose cert.pem
# or without -untrusted, by building the full chain
# (trustid-x3-root.pem.txt is DST Root CA X3, which expired in September 2021;
#  the root you download must be the one your chain.pem chains up to)
wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt
cat chain.pem trustid-x3-root.pem.txt > completechain.pem
openssl verify -CAfile completechain.pem -verbose fullchain.pem


  • -untrusted is needed because the intermediate Let’s Encrypt certificate is not in the CA certificate store, although its root is.


fullchain.pem: OK
# or
cert.pem: OK
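
openssl verify only checks signatures. The following added example (not from the original page) checks the layout described earlier: live/ entries are symlinks into archive/, fullchain.pem is cert.pem followed by chain.pem, and privkey.pem is closed to group and others. The function names and the sample lineage with placeholder PEM bodies are constructed, and the relative ../../archive/ symlink targets are an assumption about Certbot's layout.

```shell
#!/bin/sh
# Added example: structural checks on one Certbot lineage directory.
check_lineage() {
    dir=$1; rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        # Assumption: live/ entries are relative symlinks into ../../archive/
        case "$(readlink "$dir/$f")" in
            ../../archive/*) ;;
            *) echo "$f: not a symlink into archive/"; rc=1 ;;
        esac
    done
    # fullchain.pem must be cert.pem (leaf first) followed by chain.pem
    joined=$(cat "$dir/cert.pem" "$dir/chain.pem" 2>/dev/null | grep -v '^$')
    full=$(grep -v '^$' "$dir/fullchain.pem" 2>/dev/null)
    [ -n "$full" ] && [ "$joined" = "$full" ] ||
        { echo "fullchain.pem is not cert.pem + chain.pem"; rc=1; }
    # The private key must not be accessible to group or others
    mode=$(ls -lL "$dir/privkey.pem" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ] || { echo "privkey.pem mode is too open"; rc=1; }
    return $rc
}

# Constructed sample lineage: placeholder PEM bodies, not real certificates
pem() { printf '%s\n%s\n%s\n' "-----BEGIN $1-----" "$2" "-----END $1-----"; }
make_sample() {
    a="$1/archive/example.com"; l="$1/live/example.com"
    mkdir -p "$a" "$l"
    pem CERTIFICATE TEVBRg== > "$a/cert1.pem"
    pem CERTIFICATE SU5URVI= > "$a/chain1.pem"
    cat "$a/cert1.pem" "$a/chain1.pem" > "$a/fullchain1.pem"
    pem 'PRIVATE KEY' S0VZ > "$a/privkey1.pem"
    chmod 600 "$a/privkey1.pem"
    for f in cert chain fullchain privkey; do
        ln -s "../../archive/example.com/${f}1.pem" "$l/$f.pem"
    done
}

tmp=$(mktemp -d); make_sample "$tmp"
check_lineage "$tmp/live/example.com" && echo "lineage OK"
rm -rf "$tmp"
```

A live/ file that has been replaced by a plain copy is reported here even when its contents are still valid, because the symlink is what lets a renewed certificate become the one the server reads.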



certbot --help
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  (the certbot apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-path or --cert-name)
    delete          Delete a certificate

manage your account:
    register        Create an ACME account
    unregister      Deactivate an ACME account
    update_account  Update an ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
  -h all                print a detailed help page including all topics
  --version             print the version number
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


certbot --help nginx
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the

optional arguments:
  -h, --help            show this help message and exit
                        path to config file (default: /etc/letsencrypt/cli.ini
                        and ~/.config/letsencrypt/cli.ini)
  --https-port HTTPS_PORT
                        Port used to serve HTTPS. This affects which port
                        Nginx will listen on after a LE certificate is
                        installed. (default: 443)

  Nginx Web Server plugin

  --nginx-server-root NGINX_SERVER_ROOT
                        Nginx server root directory. (default: /etc/nginx)
  --nginx-ctl NGINX_CTL
                        Path to the 'nginx' binary, used for 'configtest' and
                        retrieving nginx version number. (default: nginx)


To non-interactively renew *all* of your certificates, run:

certbot renew




expand means that you will add a domain to a certificate.


0001 directory

When experimenting with Certbot, you may find the certificate in a 0001 directory.


# Deletes every certificate, key and renewal configuration Certbot stores on this host
cd /etc/letsencrypt
rm -rf live
rm -rf renewal
rm -rf archive

and rerun your code
