certbot Commands Reference
Essential certbot commands for obtaining and managing Let's Encrypt certificates
🔐 Certificate Issuance
Obtain certificate (automatic webroot detection)
sudo certbot --nginx -d example.com -d www.example.com
Automatically obtains and installs certificate for Nginx. Use --apache for Apache.
Certificate only (no installation)
sudo certbot certonly --nginx -d example.com
Obtains certificate but doesn't modify web server configuration. Manual installation required.
Standalone mode (stops web server temporarily)
sudo certbot certonly --standalone -d example.com
Starts temporary web server on port 80. Requires stopping your web server first.
Webroot mode (existing web server running)
sudo certbot certonly --webroot -w /var/www/html -d example.com
Places validation files in webroot directory. Web server must be running and serving files.
Multiple domains (SAN certificate)
sudo certbot certonly --nginx \
-d example.com -d www.example.com \
-d blog.example.com -d api.example.com
Single certificate valid for multiple domain names (up to 100).
Wildcard certificate (DNS validation required)
sudo certbot certonly --manual --preferred-challenges dns -d '*.example.com'
Requires manual DNS TXT record creation. Prompts for record value during process.
🌐 DNS Challenge Plugins (Automated)
Cloudflare DNS validation
sudo certbot certonly --dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/cloudflare.ini \
-d '*.example.com' -d example.com
Requires certbot-dns-cloudflare plugin and API credentials file.
Route53 DNS validation (AWS)
sudo certbot certonly --dns-route53 -d '*.example.com'
Requires certbot-dns-route53 plugin and AWS credentials configured.
Google Cloud DNS validation
sudo certbot certonly --dns-google \
--dns-google-credentials ~/.secrets/google.json \
-d '*.example.com'
DigitalOcean DNS validation
sudo certbot certonly --dns-digitalocean \
--dns-digitalocean-credentials ~/.secrets/digitalocean.ini \
-d '*.example.com'
🔄 Certificate Renewal
Renew all certificates
sudo certbot renew
Automatically renews all certificates expiring within 30 days. Safe to run frequently via cron.
Dry run (test renewal without changes)
sudo certbot renew --dry-run
Tests renewal process without making changes. Always run before setting up automation.
Force renewal (before expiration)
sudo certbot renew --force-renewal
⚠️ Warning: Forces renewal even if not near expiration. Rate limits apply.
Renew specific certificate
sudo certbot renew --cert-name example.com
Renew with hooks (reload web server)
sudo certbot renew \
--deploy-hook "systemctl reload nginx"
Executes command after successful renewal. Use for reloading web servers or services.
Quiet mode (cron-friendly)
sudo certbot renew --quiet
Suppresses output unless errors occur. Ideal for cron jobs and automation.
📋 Certificate Management
List all certificates
sudo certbot certificates
Shows certificate name, domains, expiration date, and file paths.
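A monitoring check built on this listing, as an added example that is not part of the original page: it flags certificates that have fallen well inside the 30-day renewal window, which indicates that automatic renewal is failing. The function names, the 21-day threshold and the sample listing are assumptions constructed for illustration; the parser assumes the "Certificate Name" / "Expiry Date ... (VALID: N days)" layout printed by certbot.

```shell
#!/bin/sh
# Added example (not from the original page).
# expiring_certs LIMIT: read `certbot certificates` output on stdin and print
# "<cert-name> <days-left>" for each certificate with fewer than LIMIT days
# remaining, or "<cert-name> INVALID" for any certificate marked INVALID.
expiring_certs() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /INVALID/) { print name, "INVALID"; next }
            if (match($0, /VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
            } else {
                days = 0    # no day count on the line: treat as under one day
            }
            if (days < limit) print name, days
        }'
}

# Constructed sample mirroring the layout of `certbot certificates` output.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-03-01 10:00:00+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: blog.example.com
    Domains: blog.example.com
    Expiry Date: 2030-01-13 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2029-12-20 10:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# certbot renews at 30 days remaining, so a certificate under 21 days means
# renewal has been failing for over a week (the threshold is an assumption).
sample_output | expiring_certs 21
# On a real host: sudo certbot certificates 2>/dev/null | expiring_certs 21
```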
Delete certificate
sudo certbot delete --cert-name example.com
Removes certificate files but doesn't modify web server configuration.
Revoke certificate
sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem
Revokes certificate with Let's Encrypt. Use if private key is compromised.
Revoke and delete certificate
sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem \
--delete-after-revoke
Update certificate (add/remove domains)
sudo certbot certonly --cert-name example.com \
-d example.com -d www.example.com -d blog.example.com
Replaces existing certificate with new one containing updated domain list.
⚙️ Installation & Configuration
Install certificate only (no auto-renewal)
sudo certbot install --cert-name example.com
Installs existing certificate into web server configuration.
Show certificate paths
sudo certbot certificates
Standard paths: /etc/letsencrypt/live/DOMAIN/
- cert.pem - Server certificate
- chain.pem - Intermediate certificates
- fullchain.pem - cert + chain (use this for most servers)
- privkey.pem - Private key
Register with custom email
sudo certbot register --email [email protected] --agree-tos
Update registration email
sudo certbot update_account --email [email protected]
Show certbot version
certbot --version
🤖 Automation & Cron Jobs
Setup automatic renewal (systemd timer)
# Check if timer is enabled
sudo systemctl status certbot.timer
# Enable timer (done by default on most systems)
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
Modern systems use systemd timers. Check /etc/systemd/system/certbot.timer
Cron job for renewal (legacy systems)
# Run twice daily, at 00:00 and 12:00
0 0,12 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"
Add with sudo crontab -e. In /etc/crontab, the line also needs a user field (root) before the command.
Pre and post hooks
sudo certbot renew \
--pre-hook "systemctl stop nginx" \
--post-hook "systemctl start nginx" \
--deploy-hook "systemctl reload nginx"
- --pre-hook: Runs before any renewal attempt
- --post-hook: Runs after all renewals
- --deploy-hook: Runs only if renewal succeeded
🔧 Testing & Troubleshooting
Use staging environment (testing)
sudo certbot certonly --nginx --staging -d example.com
Uses Let's Encrypt staging servers. Certificates won't be trusted but avoids rate limits during testing.
Verbose output for debugging
sudo certbot certonly --nginx -d example.com -v
Use -vv for more verbose output.
Check logs
sudo tail -f /var/log/letsencrypt/letsencrypt.log
Show configuration
sudo certbot show_account
Unregister account
sudo certbot unregister
📌 Important Notes
- 50 certificates per domain per week
- 5 duplicate certificates per week
- Always test with --staging first
- Let's Encrypt certificates are valid for 90 days
- Renewal recommended at 60 days (certbot default: 30 days)
- Setup automatic renewal to avoid expiration
- Keep certbot updated: sudo apt update && sudo apt upgrade certbot
- Protect private keys: Ensure /etc/letsencrypt/ has correct permissions
- Use strong Diffie-Hellman parameters for web servers
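One way to check the permissions point above, and the DNS credentials files used with the --dns-* plugins, as an added example that is not part of the original page: the function lists private keys and credential files that group or other users can access. The function names and the temporary directory layout in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page).
# audit_secret_perms DIR...: list private keys (privkey*.pem) and DNS API
# credential files (*.ini, *.json) under the given directories that have any
# group or other permission bit set. Public files such as fullchain*.pem are
# ignored, and symlinks (as in live/) are skipped in favour of the real files.
audit_secret_perms() {
    find "$@" -type f \
        \( -name 'privkey*.pem' -o -name '*.ini' -o -name '*.json' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -print 2>/dev/null | sort
}

# Constructed demo: a throwaway tree with two correctly protected secrets,
# two exposed ones and one public certificate file.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/archive/example.com" "$tmp/secrets"
    : > "$tmp/archive/example.com/privkey1.pem"
    : > "$tmp/archive/example.com/privkey2.pem"
    : > "$tmp/archive/example.com/fullchain1.pem"
    : > "$tmp/secrets/cloudflare.ini"
    : > "$tmp/secrets/google.json"
    chmod 600 "$tmp/archive/example.com/privkey1.pem" "$tmp/secrets/google.json"
    chmod 644 "$tmp/archive/example.com/privkey2.pem"      # world-readable key
    chmod 644 "$tmp/archive/example.com/fullchain1.pem"    # public, not flagged
    chmod 640 "$tmp/secrets/cloudflare.ini"                # group-readable token
    (cd "$tmp" && audit_secret_perms archive secrets)
    rm -rf "$tmp"
}

demo
# On a real host:
#   sudo sh -c '. ./audit.sh; audit_secret_perms /etc/letsencrypt/archive'
#   audit_secret_perms ~/.secrets
```

Any path printed should be tightened with chmod 600; an empty result means no matching file is exposed.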