# Certbot — Free HTTPS Certificates with Let's Encrypt

> Certbot is the EFF's open-source tool for automatically obtaining and renewing free TLS/SSL certificates from Let's Encrypt, enabling HTTPS on any web server with minimal effort.

## Install

Save the content below to `.claude/skills/` or append to your `CLAUDE.md`:

## Quick Use

```bash
# Install on Ubuntu/Debian
sudo apt install certbot python3-certbot-nginx

# Obtain and install a certificate for Nginx
sudo certbot --nginx -d example.com -d www.example.com

# Test auto-renewal
sudo certbot renew --dry-run
```

## Introduction

Certbot is the official client for the ACME protocol, developed by the Electronic Frontier Foundation. It automates the process of obtaining, installing, and renewing TLS certificates from Let's Encrypt, removing the cost and complexity traditionally associated with HTTPS deployment.

## What Certbot Does

- Obtains free domain-validated TLS certificates from Let's Encrypt via the ACME protocol
- Automatically configures Nginx, Apache, and other web servers to use the new certificate
- Schedules unattended certificate renewal via systemd timers or cron jobs
- Supports wildcard certificates using DNS-01 challenge with compatible DNS providers
- Provides standalone and manual modes for non-standard server setups

## Architecture Overview

Certbot is a Python application that communicates with an ACME-compliant CA (typically Let's Encrypt). It proves domain ownership through HTTP-01 (placing a file on the web server), DNS-01 (creating a TXT record), or TLS-ALPN-01 challenges. Once validated, it downloads the signed certificate and key, then uses server-specific plugins to install them and reload the web server configuration.

## Self-Hosting & Configuration

- Install via OS package manager (apt, dnf, yum) or pip; snap package is the recommended method on Ubuntu
- Server plugins (`--nginx`, `--apache`) handle automatic installation and configuration
- Use `certbot certonly` for manual certificate retrieval without touching server config
- Renewal hooks in `/etc/letsencrypt/renewal-hooks/` let you restart services or run scripts after renewal
- Rate limits apply: 50 certificates per registered domain per week in production

## Key Features

- Zero-cost certificates with automated issuance and renewal
- Server plugins for one-command HTTPS setup on Nginx and Apache
- Wildcard certificate support via DNS-01 challenge
- Built-in renewal system with pre and post hooks for custom workflows
- Widely tested and maintained by the EFF with regular security updates

## Comparison with Similar Tools

- **acme.sh** — pure shell ACME client, lighter weight, no root required by default
- **Caddy** — web server with automatic HTTPS built in, but replaces your entire server
- **Lego** — Go-based ACME client with broad DNS provider support, used as a library or CLI
- **step-ca** — private CA for internal infrastructure, not a public certificate tool
- **Traefik** — reverse proxy with built-in Let's Encrypt, but serves a different primary role

## FAQ

**Q: How often do certificates need to be renewed?**
A: Let's Encrypt certificates are valid for 90 days. Certbot's renewal timer runs twice daily and renews any certificate within 30 days of expiry.

**Q: Does Certbot support non-web use cases like mail servers?**
A: Yes. Use `certbot certonly` to obtain a certificate, then configure your mail server (Postfix, Dovecot) to reference the certificate files directly.

**Q: Can I use Certbot in Docker containers?**
A: Yes. Official Docker images exist, and Certbot can run in standalone mode or with volume-mounted webroot for HTTP-01 challenges.

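
The renewal hooks and the `certbot certonly` mail-server setup described above, combined into a deploy hook for a service that cannot read `/etc/letsencrypt/live/` itself. This is an added example, not code from Certbot or this page; the hook filename, `MAIL_CERT_DIR`, `/etc/mail-tls` and the reloaded services are assumptions.

```shell
#!/bin/sh
# Added example: deploy hook, e.g. saved as
# /etc/letsencrypt/renewal-hooks/deploy/10-mail-cert.sh (hypothetical name).
# Certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks.

# install_renewed_cert LINEAGE DEST_DIR
# Copy the renewed chain and key into DEST_DIR; the key is never group- or
# world-readable, and each file is swapped in atomically with mv.
install_renewed_cert() {
    lineage=$1
    dest=$2
    # Refuse an empty or relative lineage path rather than guess.
    case $lineage in
        /*) ;;
        *) echo "refusing non-absolute lineage: '$lineage'" >&2; return 2 ;;
    esac
    # Check both files before touching the destination.
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { echo "missing or empty: $lineage/$f" >&2; return 3; }
    done
    (
        umask 077                       # new directory 0700, temp files 0600
        mkdir -p "$dest" || exit 4
        for f in fullchain.pem privkey.pem; do
            tmp=$(mktemp "$dest/.$f.XXXXXX") || exit 4
            cat "$lineage/$f" > "$tmp" || exit 4
            # The chain is public; only the private key stays 0600.
            [ "$f" = privkey.pem ] || chmod 0644 "$tmp" || exit 4
            mv -f "$tmp" "$dest/$f" || exit 4
        done
    )
}

# Only act when Certbot invoked us. MAIL_CERT_DIR, its default and the
# service names are assumptions for this example.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_renewed_cert "$RENEWED_LINEAGE" "${MAIL_CERT_DIR:-/etc/mail-tls}" \
        && systemctl reload postfix dovecot
fi
```

The hook file must be executable for Certbot to run it, and the services reload only if the copy succeeded.
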
**Q: What happens if renewal fails?**
A: Certbot logs errors to `/var/log/letsencrypt/`. It retries on the next scheduled run. You can also configure email alerts for impending expiration.

## Sources

- https://github.com/certbot/certbot
- https://certbot.eff.org/

---

Source: https://tokrepo.com/en/workflows/certbot-free-https-certificates-let-s-encrypt-f1784fa4
Author: AI Open Source