Sysadmin Technologies

Certbot: New Let’s Encrypt client for easy creation of certificates

Certbot is the new client from Let’s Encrypt. It is the successor to the previous letsencrypt-auto tool. With a simple web server configuration, it is easy to issue and renew certificates.


With the following commands, the tool is downloaded and made executable.

cd /opt
chmod a+x certbot-auto

Any other directory can be used instead of /opt, of course.

The following command tests whether the tool works. On the first run, some new packages might be installed and the tool itself updated.

/opt/certbot-auto --help

Create and request certificates

If Apache is used as the web server and its configuration isn’t out of the ordinary, certbot is able to activate HTTPS for the selected domains automatically. Simply start the tool and check the options it offers.


It is still wise to create a backup of the Apache configuration beforehand.

To be sure, you can use certbot to only request the certificates and set up Apache manually. The following example requests three domains using a Let’s Encrypt API module for Apache.

/opt/certbot-auto certonly --apache -d -d

If there is an error, your Apache configuration might not be suitable for the module. You can still use the webroot method or the standalone mode. Webroot might fail if URL rewrites are used by a project.

/opt/certbot-auto certonly --standalone -d -d

For standalone mode, your web server has to be shut down before using certbot.

Renew certificates

With the old clients this was sometimes a difficult task. Quite often a custom script was needed to renew the certificates. Now, with certbot, in most cases the following command, started manually or via a cron job, does the job.

/opt/certbot-auto renew

This checks all installed certificates and renews them if necessary.

If standalone mode was used, this still fails because the web server is running and blocks the port used by certbot to validate the domain. The following command line still does the job:

/opt/certbot-auto renew --pre-hook "/etc/init.d/apache2 stop" --post-hook "/etc/init.d/apache2 start"

The --pre-hook and --post-hook options each specify a command that is called before and after certificates are renewed, respectively. They are not executed if no certificate needs to be renewed.
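When the renew command runs from a cron job, a failed renewal can go unnoticed until a certificate expires. The following check is an added example, not part of the original post: it uses openssl to report certificates that have fewer than a chosen number of days of validity left. The function names and the 20-day default threshold are assumptions made here, as is the DIR/<name>/cert.pem layout, which matches how certbot stores certificates under /etc/letsencrypt/live.

```shell
#!/bin/sh
# Added example (not from the original post): flag certificates that a
# scheduled "certbot-auto renew" should already have replaced.
# Assumption: certificates are PEM files laid out as DIR/<name>/cert.pem,
# which is how certbot stores them under /etc/letsencrypt/live.

# cert_status FILE [DAYS] prints one word for a PEM certificate:
#   unreadable - openssl cannot parse the file
#   expired    - notAfter is already in the past
#   due        - fewer than DAYS days of validity remain
#   ok         - anything else
cert_status() {
    cs_file=$1
    cs_days=${2:-20}   # assumed alert threshold, not a certbot setting
    if ! openssl x509 -in "$cs_file" -noout >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -in "$cs_file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cs_file" -noout \
            -checkend "$((cs_days * 86400))" >/dev/null 2>&1; then
        echo due
    else
        echo ok
    fi
}

# check_live_dir DIR [DAYS] prints "<status> <file>" for every
# DIR/*/cert.pem and returns 1 if any certificate is not "ok", so a cron
# job can mail or alert on a non-zero exit status.
check_live_dir() {
    cl_rc=0
    for cl_cert in "$1"/*/cert.pem; do
        [ -e "$cl_cert" ] || continue      # glob matched nothing
        cl_status=$(cert_status "$cl_cert" "${2:-20}")
        echo "$cl_status $cl_cert"
        [ "$cl_status" = ok ] || cl_rc=1
    done
    return "$cl_rc"
}

# Run the check only when a directory is passed on the command line.
if [ "$#" -gt 0 ]; then
    check_live_dir "$@"
fi
```

Saved as a script and scheduled some time after the renew job, it can be called with /etc/letsencrypt/live as its argument; a non-zero exit status means at least one certificate needs attention.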

