Certbot
Automate SSL/TLS certificate issuance and renewal from Let's Encrypt using Certbot on Nginx and Apache web servers.
- What Certbot Does and When to Use It
- How to Install Certbot
- Core Concepts of Certbot
- ACME Domain Validation Challenges
- Let's Encrypt Certificate Lifecycle
- Common Tasks with Certbot
- How to Issue a Certificate for Nginx with Certbot
- How to Renew All Certificates with Certbot
- Certbot Troubleshooting
- Related Tools and Guides
Certbot is a free, open-source tool that automates the issuance, installation, and renewal of SSL/TLS certificates from Let's Encrypt for Nginx and Apache web servers on Linux.
What Certbot Does and When to Use It
Certbot communicates with the Let's Encrypt Certificate Authority (CA) using the ACME (Automatic Certificate Management Environment) protocol to obtain free, publicly trusted SSL/TLS certificates. Certbot handles the domain validation challenge, downloads the certificate files, configures the web server to use them, and schedules automatic renewal before expiration.
Use Certbot when you need HTTPS for a public-facing website or API. Let's Encrypt certificates are trusted by all major browsers and operating systems. Certbot supports Nginx and Apache with server-specific plugins that automate the full installation.
Certbot is not the right tool for self-signed development certificates (use OpenSSL instead), wildcard certificates without DNS API access, or internal services not reachable from the public internet (Let's Encrypt requires domain validation).
How to Install Certbot
=== "Ubuntu (snap)"
```bash
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```
=== "Debian (apt)"
```bash
sudo apt install certbot python3-certbot-nginx
```
Core Concepts of Certbot
ACME Domain Validation Challenges
Certbot proves domain ownership to Let's Encrypt through validation challenges. The HTTP-01 challenge places a file at `http://{YOUR_DOMAIN}/.well-known/acme-challenge/` and Let's Encrypt fetches it over port 80. The DNS-01 challenge creates a TXT record in DNS and is required for wildcard certificates. HTTP-01 is simpler; DNS-01 works when port 80 is blocked.
Let's Encrypt Certificate Lifecycle
Let's Encrypt certificates expire after 90 days. Certbot's `renew` command checks all installed certificates and renews those expiring within 30 days. Automatic renewal via systemd timer or crontab is essential; manual renewal at 90-day intervals is error-prone.
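An added example (not from Certbot or the original page): a monitoring check that classifies a certificate against the 30-day renewal window described above, so a silently failing timer or cron job is noticed well before expiry. The 7-day alert margin, the function names and the status labels are assumptions; it relies on GNU `date` and the `openssl` CLI.

```shell
#!/bin/sh
# Added example: classify certificates against the lifecycle described above
# (90-day validity, renewal attempted once 30 days or fewer remain).

RENEW_WINDOW_DAYS=30   # from the page: renewal happens at <= 30 days left
ALERT_MARGIN_DAYS=7    # assumption: grace period before renewal counts as failing

# renewal_status NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the date text printed by `openssl x509 -enddate`,
# e.g. "Jun 30 12:00:00 2025 GMT" (constructed sample).
# Prints one of: ok | due | overdue | expired | unparsable
renewal_status() {
    local not_after="$1" now="${2:-$(date +%s)}" end days_left
    # GNU date parses the OpenSSL date format directly.
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || { echo unparsable; return 0; }
    if [ "$end" -le "$now" ]; then echo expired; return 0; fi
    days_left=$(( (end - now) / 86400 ))
    if [ "$days_left" -gt "$RENEW_WINDOW_DAYS" ]; then
        echo ok        # outside the renewal window, nothing expected yet
    elif [ "$days_left" -gt $(( RENEW_WINDOW_DAYS - ALERT_MARGIN_DAYS )) ]; then
        echo due       # inside the window; the scheduled renewal should pick it up
    else
        echo overdue   # deep inside the window: automatic renewal is not working
    fi
}

# check_cert_file PEM_FILE: read notAfter with openssl and classify it.
check_cert_file() {
    local line
    line=$(openssl x509 -enddate -noout -in "$1" 2>/dev/null) || { echo unparsable; return 0; }
    renewal_status "${line#notAfter=}"
}

# report_certs PEM_FILE...: print "status<TAB>file" per certificate and
# return 1 if any certificate is overdue, expired or unreadable.
report_certs() {
    local pem status rc=0
    for pem in "$@"; do
        status=$(check_cert_file "$pem")
        printf '%s\t%s\n' "$status" "$pem"
        case $status in ok|due) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Pass the certificate files to check as arguments (paths are site-specific).
report_certs "$@"
```

Run it from the same scheduler that runs renewal and alert on a non-zero exit status; `overdue` means renewal has been failing for at least the margin period.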
Common Tasks with Certbot
How to Issue a Certificate for Nginx with Certbot
```bash
sudo certbot --nginx -d example.com -d www.example.com
```
For detailed instructions, see How to issue an SSL certificate with Certbot for Nginx.
How to Renew All Certificates with Certbot
```bash
sudo certbot renew
```
Certbot Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| `Some challenges have failed` | Port 80 blocked, DNS not propagated, or web server misconfigured | → Full article |
| `Connection refused` during ACME challenge | Nginx/Apache not listening on port 80 or UFW blocking traffic | → Full article |
| `Too many certificates already issued` | Let's Encrypt rate limit of 50 certs per registered domain per week | → Full article |
| `The requested nginx plugin does not appear to be installed` | Certbot installed via snap but nginx plugin installed via apt | → Full article |
| `Certificate not yet due for renewal` | Certificate expires in more than 30 days | → Full article |
Related Tools and Guides
OpenSSL inspects and debugs certificate chains; use it to diagnose Certbot-related certificate issues. Nginx and Apache require correct SSL configuration to serve Certbot certificates. Crontab schedules automatic Certbot renewal.