Skills · May 1, 2026 · 1 minute read

Certbot — Free HTTPS Certificates with Let's Encrypt

Certbot is the EFF's open-source tool for automatically obtaining and renewing free TLS/SSL certificates from Let's Encrypt, enabling HTTPS on any web server with minimal effort.

Agent ready

This asset can be read and installed directly by an Agent.

TokRepo also provides a generic CLI command, an install contract, metadata JSON, per-adapter install plans and a link to the raw content, so an Agent can judge fit, risk and the next action.

Native · 98/100 · Policy: allowed
Agent entry point: Any MCP/CLI Agent
Type: Skill
Install: Single
Trust: Trust level: Established
Entry: Certbot Overview
Generic CLI install command:
npx tokrepo install f1784fa4-459b-11f1-9bc6-00163e2b0d79

Introduction

Certbot is the official client for the ACME protocol, developed by the Electronic Frontier Foundation. It automates the process of obtaining, installing, and renewing TLS certificates from Let's Encrypt, removing the cost and complexity traditionally associated with HTTPS deployment.

What Certbot Does

  • Obtains free domain-validated TLS certificates from Let's Encrypt via the ACME protocol
  • Automatically configures Nginx, Apache, and other web servers to use the new certificate
  • Schedules unattended certificate renewal via systemd timers or cron jobs
  • Supports wildcard certificates using DNS-01 challenge with compatible DNS providers
  • Provides standalone and manual modes for non-standard server setups

Architecture Overview

Certbot is a Python application that communicates with an ACME-compliant CA (typically Let's Encrypt). It proves domain ownership through HTTP-01 (placing a file on the web server), DNS-01 (creating a TXT record), or TLS-ALPN-01 challenges. Once validated, it downloads the signed certificate and key, then uses server-specific plugins to install them and reload the web server configuration.

Self-Hosting & Configuration

  • Install via OS package manager (apt, dnf, yum) or pip; snap package is the recommended method on Ubuntu
  • Server plugins (--nginx, --apache) handle automatic installation and configuration
  • Use certbot certonly for manual certificate retrieval without touching server config
  • Renewal hooks in /etc/letsencrypt/renewal-hooks/ let you restart services or run scripts after renewal
  • Rate limits apply: 50 certificates per registered domain per week in production

Key Features

  • Zero-cost certificates with automated issuance and renewal
  • Server plugins for one-command HTTPS setup on Nginx and Apache
  • Wildcard certificate support via DNS-01 challenge
  • Built-in renewal system with pre and post hooks for custom workflows
  • Widely tested and maintained by the EFF with regular security updates

Comparison with Similar Tools

  • acme.sh — pure shell ACME client, lighter weight, no root required by default
  • Caddy — web server with automatic HTTPS built in, but replaces your entire server
  • Lego — Go-based ACME client with broad DNS provider support, used as a library or CLI
  • step-ca — private CA for internal infrastructure, not a public certificate tool
  • Traefik — reverse proxy with built-in Let's Encrypt, but serves a different primary role

FAQ

Q: How often do certificates need to be renewed? A: Let's Encrypt certificates are valid for 90 days. Certbot's renewal timer runs twice daily and renews any certificate within 30 days of expiry.

Q: Does Certbot support non-web use cases like mail servers? A: Yes. Use certbot certonly to obtain a certificate, then configure your mail server (Postfix, Dovecot) to reference the certificate files directly.

Q: Can I use Certbot in Docker containers? A: Yes. Official Docker images exist, and Certbot can run in standalone mode or with volume-mounted webroot for HTTP-01 challenges.

Q: What happens if renewal fails? A: Certbot logs errors to /var/log/letsencrypt/. It retries on the next scheduled run. You can also configure email alerts for impending expiration.
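The renewal hooks mentioned under Self-Hosting & Configuration and the mail-server answer above combine naturally into a deploy hook. The script below is an added example, not code from the page or from Certbot itself; the mail host name, the destination directory and the systemctl reload at the end are assumptions, while RENEWED_LINEAGE and RENEWED_DOMAINS are the variables Certbot exports to deploy hooks.

```shell
#!/bin/sh
# Certbot deploy hook for a mail server (added example, not Certbot's own code).
# Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a
# successful renewal, exporting RENEWED_LINEAGE (the live/<name> directory) and
# RENEWED_DOMAINS (space-separated names). Assumed, not from the page: the
# MAIL_HOST / MAIL_CERT_DIR values and the systemctl reload at the end.
set -eu

MAIL_HOST="${MAIL_HOST:-mail.example.com}"
MAIL_CERT_DIR="${MAIL_CERT_DIR:-/etc/ssl/mail}"

# deploy_mail_certs <lineage_dir> "<domains>" <dest_dir>
# Copies fullchain.pem and privkey.pem into <dest_dir> with an atomic rename,
# keeps the private key 0600, and returns 1 if the lineage is incomplete.
deploy_mail_certs() {
    lineage="$1"; domains="$2"; dest="$3"
    # Ignore renewals of lineages that do not cover the mail host.
    case " $domains " in
        *" $MAIL_HOST "*) ;;
        *) echo "skip: $domains does not include $MAIL_HOST" >&2; return 0 ;;
    esac
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done

    umask 077
    mkdir -p "$dest"
    # Copy to a temporary name, then rename, so the daemon never sees a
    # half-written key or certificate.
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp "$lineage/privkey.pem"   "$dest/privkey.pem.tmp"
    chmod 0644 "$dest/fullchain.pem.tmp"
    chmod 0600 "$dest/privkey.pem.tmp"
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp"   "$dest/privkey.pem"

    if [ "${DEPLOY_DRY_RUN:-0}" = "1" ]; then
        echo "dry run: not reloading postfix/dovecot" >&2
    else
        systemctl reload postfix dovecot
    fi
}

# Certbot executes this file with RENEWED_LINEAGE set; otherwise nothing runs,
# which lets the function above be exercised in isolation.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_mail_certs "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-}" "$MAIL_CERT_DIR"
fi
```

Installed as /etc/letsencrypt/renewal-hooks/deploy/mail.sh and marked executable, it runs only after a successful renewal, so a failed renewal (logged under /var/log/letsencrypt/) never touches the mail server's files.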
