certbot Command

Intermediate Firewall & Security man(1)

Let's Encrypt client for obtaining SSL/TLS certificates

Updated: Mar 15, 2026
SYNTAX
certbot [SUBCOMMAND] [OPTIONS]

What Does certbot Do?

certbot is the Let's Encrypt client that automatically obtains and renews free SSL/TLS certificates. It is the standard tool for adding HTTPS to web servers with minimal effort.

certbot supports automatic configuration for Apache and Nginx, standalone certificate generation, and DNS-based challenges for wildcard certificates. It handles the entire ACME protocol automatically.

certbot can set up automatic renewal via a systemd timer or cron, so certificates are renewed before they expire (Let's Encrypt certificates are valid for 90 days).

Options & Flags

| Option | Description | Example |
|---|---|---|
| --nginx | Automatic Nginx configuration | certbot --nginx -d example.com |
| --apache | Automatic Apache configuration | certbot --apache -d example.com |
| certonly | Obtain certificate without installing | certbot certonly --standalone -d example.com |
| --standalone | Use standalone web server for challenge | certbot certonly --standalone -d example.com |
| --webroot | Use existing web server for challenge | certbot certonly --webroot -w /var/www/html -d example.com |
| renew | Renew all certificates | certbot renew |
| certificates | List installed certificates | certbot certificates |

Practical Examples

#1 Setup Nginx HTTPS

Obtains certificate and automatically configures Nginx.
$ sudo certbot --nginx -d example.com -d www.example.com

#2 Certificate only

Gets certificate without modifying web server config.
$ sudo certbot certonly --standalone -d example.com

#3 Webroot method

Gets certificate using existing web server (no downtime).
$ sudo certbot certonly --webroot -w /var/www/html -d example.com

#4 Wildcard certificate

Gets a wildcard certificate via DNS challenge.
$ sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com"

#5 Test renewal (dry run)

Tests renewal process without actually renewing.
$ sudo certbot renew --dry-run

#6 List certificates

Shows all managed certificates with expiry dates.
$ sudo certbot certificates

Tips & Best Practices

Auto-renewal: certbot installs a systemd timer for auto-renewal. Verify with: systemctl status certbot.timer.
Dry run first: Always test with --dry-run before actual renewal: certbot renew --dry-run. This avoids rate limit issues.
Rate limits: Let's Encrypt enforces rate limits: 50 certificates per domain per week. Use --dry-run or the staging server for testing.

Frequently Asked Questions

How do I get a free SSL certificate?
sudo certbot --nginx -d yourdomain.com. Certbot handles everything: obtaining, installing, and configuring HTTPS.
How do I renew certificates?
certbot renew checks all certificates and renews those expiring within 30 days. It runs automatically via systemd timer.
How do I get a wildcard certificate?
sudo certbot certonly --manual --preferred-challenges dns -d "*.domain.com". Requires DNS TXT record verification.
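
To confirm that auto-renewal is actually working, this added example (not part of the original page or of certbot itself) reads `certbot certificates` output and lists every certificate that is INVALID or has fewer than 30 days left, the window in which `certbot renew` should already have replaced it. The names `stale_certs` and `sample_output` and the sample listing are constructed; the parser assumes the `Expiry Date: ... (VALID: N days)` status format described in the comments.

```shell
#!/bin/sh
# Added example: list certificates that `certbot renew` should already have renewed.
# Reads `certbot certificates` output on stdin. Assumes the status format
# "(VALID: N days)", "(VALID: 1 day)", "(VALID: N hour(s))" or "(INVALID: ...)".

stale_certs() {
    # $1 = minimum days of validity expected (default 30, the renewal window)
    awk -v limit="${1:-30}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            status = $0
            sub(/^[^(]*\(/, "", status)   # drop everything up to "("
            sub(/\).*$/, "", status)      # drop ")" and anything after it
            if (status ~ /^INVALID/) { print name, "INVALID"; next }
            left = status
            sub(/^VALID: /, "", left)
            days = (left ~ /hour/) ? 0 : left + 0   # under a day counts as 0
            if (days < limit + 0) print name, days
        }
    '
}

# Constructed sample, trimmed to the fields the parser uses.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2026-06-01 12:00:00+00:00 (VALID: 77 days)
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2026-03-28 09:30:00+00:00 (VALID: 12 days)
  Certificate Name: edge.example.com
    Domains: edge.example.com
    Expiry Date: 2026-03-16 04:00:00+00:00 (VALID: 5 hour(s))
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2026-02-01 00:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Real use: sudo certbot certificates 2>/dev/null | stale_certs 30
sample_output | stale_certs 30
```

Any output from a scheduled run means the renewal timer or cron job did not do its job for that certificate and should be investigated.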
