Certbot

From wikinotes

certbot is the EFF's ACME client: it obtains and renews TLS (SSL) certificates from Let's Encrypt, automating both issuance and the renewal that the 90-day lifetime makes unavoidable. There is no manual sign-up; the ACME account is created the first time you run it, and basic use is dead-simple.

For the basics on what SSL certificates are and how they work, see Ssl certificates .

Documentation

official docs https://certbot.eff.org/docs/

Locations

config
  /etc/letsencrypt/renewal/{yourdomain}.conf       per-certificate renewal config (plugin, account, paths)
live (symlinks; point your webserver at these, never at archive/)
  /etc/letsencrypt/live/{yourdomain}/privkey.pem    private key, root-only
  /etc/letsencrypt/live/{yourdomain}/fullchain.pem  leaf certificate + intermediates (what most webservers want)
  /etc/letsencrypt/live/{yourdomain}/chain.pem      intermediates only
  /etc/letsencrypt/live/{yourdomain}/cert.pem       leaf certificate only
archive (real files)
  /etc/letsencrypt/archive/{yourdomain}/{type}{num}.pem   source of the live/ symlinks, 1-indexed; each renewal writes {num}+1 and repoints the symlinks, and the old versions (including old private keys) stay on disk until you delete them
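The four live/ symlinks only work as a set: cert, chain, fullchain and privkey with the same {num} belong together, and a hand-repointed link that mixes versions gives the classic "key values mismatch" error in the webserver. The script below is an added example (not from the original page or from the certbot project) that checks exactly that and lists the privkey versions still sitting in archive/. It assumes the default /etc/letsencrypt layout described above; the layout built by make_fake_layout is constructed test data so it runs without a real install.

```shell
#!/bin/sh
# Added example, not from the original page or from the certbot project.
# check_live_links:  every live/<domain>/*.pem must be a symlink into archive/<domain>/
#                    and all four must point at the same version N.
# archive_versions:  lists the privkeyN.pem versions left in archive/; renewal never
#                    deletes superseded files, so a key you believe compromised is still
#                    on disk there after revocation until you remove it yourself.
# Run the two check functions against /etc/letsencrypt as root for a real install.

# Print the archive version N that all four live/<domain> symlinks resolve to.
# Returns 1 if any link is missing, points outside archive/<domain>/, or disagrees.
check_live_links() {
    le_root=$1; le_domain=$2
    le_version=
    for le_type in cert chain fullchain privkey; do
        le_link="$le_root/live/$le_domain/$le_type.pem"
        [ -L "$le_link" ] || { echo "not a symlink: $le_link" >&2; return 1; }
        le_target=$(readlink "$le_link")
        # certbot writes relative targets like ../../archive/<domain>/cert1.pem
        case "$le_target" in
            */archive/"$le_domain"/"$le_type"[0-9]*.pem) ;;
            *) echo "unexpected target for $le_link: $le_target" >&2; return 1 ;;
        esac
        le_n=${le_target##*/}          # cert3.pem
        le_n=${le_n#"$le_type"}        # 3.pem
        le_n=${le_n%.pem}              # 3
        if [ -z "$le_version" ]; then
            le_version=$le_n
        elif [ "$le_n" != "$le_version" ]; then
            echo "version mismatch: $le_type.pem -> $le_n, earlier links -> $le_version" >&2
            return 1
        fi
    done
    echo "$le_version"
}

# Print every version N for which archive/<domain>/privkeyN.pem exists, oldest first.
archive_versions() {
    le_dir="$1/archive/$2"
    [ -d "$le_dir" ] || { echo "no archive for $2" >&2; return 1; }
    for le_f in "$le_dir"/privkey*.pem; do
        [ -e "$le_f" ] || continue       # unmatched glob
        le_f=${le_f##*/}; le_f=${le_f#privkey}; echo "${le_f%.pem}"
    done | sort -n
}

# Build a constructed copy of certbot's layout under ROOT: archive versions 1..N, with
# live/ linked to version N using the same relative links certbot creates. Test data only.
make_fake_layout() {
    le_root=$1; le_domain=$2; le_count=$3
    mkdir -p "$le_root/archive/$le_domain" "$le_root/live/$le_domain"
    le_i=1
    while [ "$le_i" -le "$le_count" ]; do
        for le_type in cert chain fullchain privkey; do
            printf 'constructed placeholder for %s version %s\n' "$le_type" "$le_i" \
                > "$le_root/archive/$le_domain/$le_type$le_i.pem"
        done
        le_i=$((le_i + 1))
    done
    for le_type in cert chain fullchain privkey; do
        ln -sf "../../archive/$le_domain/$le_type$le_count.pem" "$le_root/live/$le_domain/$le_type.pem"
    done
}

# Demo on constructed data (use /etc/letsencrypt instead of $demo_root for a real check).
demo_root=$(mktemp -d)
make_fake_layout "$demo_root" example.com 3
echo "live/ points at archive version $(check_live_links "$demo_root" example.com)"
echo "privkeyN.pem versions still in archive/: $(archive_versions "$demo_root" example.com | tr '\n' ' ')"
# Simulate a hand-repointed cert.pem: the check fails instead of the webserver serving a mismatch.
ln -sf ../../archive/example.com/cert1.pem "$demo_root/live/example.com/cert.pem"
check_live_links "$demo_root" example.com || echo "mismatch detected"
rm -rf "$demo_root"
```

If archive_versions shows more than the current version after you revoked a key for compromise, remove the old privkeyN.pem files explicitly; certbot will not do it for you.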

Install

Install the certbot package plus the plugin for your webserver (for nginx, python-certbot-nginx; newer releases name it python3-certbot-nginx).

Ubuntu

sudo apt-get update
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-nginx

The ppa:certbot/certbot PPA has since been discontinued; the official docs now recommend the snap package or your distribution's own certbot package instead.

Usage

general use

certbot certificates  # list the certificates certbot manages on this server (from /etc/letsencrypt/renewal/), with expiry dates

revoking certificates

Revocation is a part of the Let's Encrypt Subscriber Agreement, not just good hygiene: you must request it promptly if the private key is compromised or the information in the certificate is no longer accurate.

  • if you have reason to believe the private key is compromised (e.g. the webserver was breached and /etc/letsencrypt was readable), revoke it with --reason keycompromise and replace the key; revocation only protects clients that actually check revocation status, so rotate the key rather than relying on it
  • if you stop using a certificate, revoke it and then run `certbot delete --cert-name {yourdomain}` so the renewal config is removed; otherwise certbot keeps renewing a certificate you never deploy

Revoking does not reset Let's Encrypt rate limits, so it is not a way to get extra issuances.

# cert managed by certbot on this server: certbot finds the matching key itself
certbot revoke --cert-path /etc/letsencrypt/live/tor1.example.com/cert.pem
# same, by name, stating why (unspecified, keycompromise, affiliationchanged, superseded, cessationofoperation)
certbot revoke --cert-name tor1.example.com --reason keycompromise

# cert issued elsewhere: prove control by supplying its private key
certbot revoke --cert-path cert.pem --key-path privkey.pem

To find certificates issued for your names, including ones you did not request yourself, search the Certificate Transparency logs at https://crt.sh and download the PEM from there. Let's Encrypt accepts a revocation request from the ACME account that issued the certificate, from anyone holding the certificate's private key (--key-path), or from an account that has proven control of every domain name in the certificate; a certificate for which you have none of those cannot be revoked by you directly.

Examples

  • certbot example: nginx        non-wildcard, using the nginx plugin
  • certbot example: standalone   non-wildcard, no webserver (certbot binds the port itself)
  • certbot example: wildcard     wildcard certificate (requires the DNS-01 challenge)