HxHippy

Let's Encrypt with Certbot

Free SSL certificates with Let's Encrypt and automatic renewal.

Last updated: 2025-01-15

Install Certbot

Debian/Ubuntu

sudo apt update
sudo apt install certbot python3-certbot-nginx

RHEL/CentOS

sudo dnf install epel-release
sudo dnf install certbot python3-certbot-nginx

FreeBSD

pkg install py39-certbot py39-certbot-nginx

Obtain Certificate

# Automatic (recommended)
sudo certbot --nginx -d example.com -d www.example.com

# Manual (webroot)
sudo certbot certonly --webroot -w /var/www/html -d example.com

# Standalone (stops nginx temporarily)
sudo certbot certonly --standalone -d example.com

Certificate Locations

/etc/letsencrypt/live/example.com/
├── fullchain.pem   # Certificate + intermediate
├── privkey.pem     # Private key
├── cert.pem        # Certificate only
└── chain.pem       # Intermediate certificate

Nginx Configuration

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Include Certbot's recommended settings
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

Automatic Renewal

# Test renewal
sudo certbot renew --dry-run

# Renewal runs automatically via cron/systemd timer
# Check timer status
sudo systemctl status certbot.timer

# Manual renewal
sudo certbot renew

Renewal Hooks

#!/bin/bash
# /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
# Must be executable (chmod +x). Scripts in post/ run after every
# `certbot renew` invocation, even when nothing was renewed; scripts in
# deploy/ run only when a certificate was actually renewed.
systemctl reload nginx
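A fuller deploy hook, added here as an example and not part of the original cheat sheet. Certbot runs scripts in /etc/letsencrypt/renewal-hooks/deploy/ only after a certificate was actually renewed and exports RENEWED_LINEAGE (the live directory of the renewed certificate) and RENEWED_DOMAINS to them. Before reloading, the hook confirms that fullchain.pem and privkey.pem belong together and that nginx accepts its configuration, so a half-written lineage cannot take the web server down. The NGINX_TEST and NGINX_RELOAD variables are my own convention so the commands can be overridden; openssl, nginx and systemctl are assumed to be on PATH.

```shell
#!/bin/sh
# /etc/letsencrypt/renewal-hooks/deploy/nginx-reload.sh (example, not from the page)
# Certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS when it invokes deploy hooks.
set -eu

# Commands are variables so they can be swapped out (e.g. in a test). Assumed names.
NGINX_TEST="${NGINX_TEST:-nginx -t}"
NGINX_RELOAD="${NGINX_RELOAD:-systemctl reload nginx}"

# Return 0 when the certificate and the private key carry the same public key.
# Both commands emit the SubjectPublicKeyInfo as PEM, so a string compare suffices.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Validate the renewed lineage, then reload nginx only if its config parses.
deploy_lineage() {
    lineage=$1
    if ! cert_matches_key "$lineage/fullchain.pem" "$lineage/privkey.pem"; then
        echo "deploy-hook: cert/key mismatch in $lineage, not reloading" >&2
        return 1
    fi
    if ! $NGINX_TEST >/dev/null 2>&1; then
        echo "deploy-hook: nginx config test failed, not reloading" >&2
        return 1
    fi
    $NGINX_RELOAD
    echo "deploy-hook: reloaded nginx for ${RENEWED_DOMAINS:-$(basename "$lineage")}"
}

# Act only when certbot invoked us; sourcing the file for testing sets nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_lineage "$RENEWED_LINEAGE"
fi
```

A non-zero exit from a deploy hook is logged by Certbot (and reported by `certbot renew`), which is what you want: a renewal that produced an unusable lineage should be visible, not hidden behind a reload that silently failed.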

Wildcard Certificates

# Requires DNS validation
# Quote the wildcard so the shell cannot glob-expand it against the current directory
sudo certbot certonly --manual --preferred-challenges=dns \
  -d example.com -d '*.example.com'

# Or with DNS plugin (e.g., Cloudflare)
sudo certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
  -d example.com -d '*.example.com'

Troubleshooting

# View certificate info
sudo certbot certificates

# Check expiry
openssl x509 -dates -noout -in /etc/letsencrypt/live/example.com/cert.pem

# Force renewal
sudo certbot renew --force-renewal -d example.com

# Revoke certificate
sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem
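An expiry check suitable for cron or a monitoring agent, added here as an example and not part of the original page. It relies on `openssl x509 -checkend N`, which exits 0 when the certificate is still valid N seconds from now, and walks every lineage under the live directory. Let's Encrypt certificates are issued for 90 days and Certbot's default is to renew when 30 days remain, so a certificate with fewer than about 20 days left means automatic renewal has been failing for over a week. WARN_DAYS and LIVE_DIR are my own variable names.

```shell
#!/bin/sh
# cert-expiry-check.sh (example, not from the page): exit non-zero if any
# certificate under the live directory expires within WARN_DAYS.
set -u

WARN_DAYS="${WARN_DAYS:-20}"                     # assumed default
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"    # certbot's default live directory

# Return 0 if the certificate expires within the given number of days
# (an unreadable certificate is treated as expiring, so it also raises an alert).
cert_expires_within() {
    if openssl x509 -noout -checkend $(($2 * 86400)) -in "$1" >/dev/null 2>&1; then
        return 1   # still valid at the horizon
    fi
    return 0
}

# Check every lineage; print one line per certificate, return 1 if any is expiring.
check_lineages() {
    dir=$1
    days=$2
    bad=0
    for cert in "$dir"/*/cert.pem; do
        [ -e "$cert" ] || continue             # glob matched nothing
        name=$(basename "$(dirname "$cert")")
        if cert_expires_within "$cert" "$days"; then
            end=$(openssl x509 -noout -enddate -in "$cert" 2>/dev/null | cut -d= -f2)
            echo "EXPIRING: $name (notAfter=${end:-unreadable})"
            bad=$((bad + 1))
        else
            echo "ok:       $name"
        fi
    done
    [ "$bad" -eq 0 ]
}

# The script's exit status is that of the scan, so cron/monitoring can alert on it.
check_lineages "$LIVE_DIR" "$WARN_DAYS"
```

Run it as root (the live directory is not world-readable) and wire the non-zero exit into whatever alerting you already have; pairing it with `certbot renew --dry-run` tells you whether the problem is the timer not running or the challenge itself failing.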