Certbot Commands

 

List All Certificats

  • certbot certificates

Delete a Certbot SSL Certificate

This command will offer an index from which you can select the domain name

  • sudo certbot delete

To delete a Certbot certificate by including the domain name in the command like this:

  • certbot delete –cert-name example.com

Issue or Renew an SSL certificate

The –force-renewal, –duplicate, and –expand options control Certbot’s behavior when re-creating a certificate with the same name as an existing certificate. If you don’t specify a requested behavior, Certbot may ask you what you intended.

–force-renewal tells Certbot to request a new certificate with the same domains as an existing certificate. Each domain must be explicitly specified via -d. If successful, this certificate is saved alongside the earlier one and symbolic links (the “live” reference) will be updated to point to the new certificate. This is a valid method of renewing a specific individual certificate.

–duplicate tells Certbot to create a separate, unrelated certificate with the same domains as an existing certificate. This certificate is saved completely separately from the prior one. Most users will not need to issue this command in normal circumstances.

–expand tells Certbot to update an existing certificate with a new certificate that contains all of the old domains and one or more additional new domains. With the –expand option, use the -d option to specify all existing domains and one or more new domains.

  • certbot –expand -d existing.com,example.com,newdomain.com
  • certbot –apache -d example.com

Revoking certificates

If your account key has been compromised or you otherwise need to revoke a certificate, use the revoke command to do so. Note that the revoke command takes the certificate path (ending in cert.pem), not a certificate name or domain.

  • certbot revoke –cert-path /etc/letsencrypt/live/CERTNAME/cert.pem

You can also specify the reason for revoking your certificate by using the reason flag. Reasons include unspecified which is the default, as well as keycompromise, affiliationchanged, superseded, and cessationofoperation:

  • ertbot revoke –cert-path /etc/letsencrypt/live/CERTNAME/cert.pem –reason keycompromise

Additionally, if a certificate is a test certificate obtained via the –staging or –test-cert flag, that flag must be passed to the revoke subcommand. Once a certificate is revoked (or for other certificate management tasks), all of a certificate’s relevant files can be removed from the system with the delete subcommand.

Note

If you don’t use delete to remove the certificate completely, it will be renewed automatically at the next renewal event.

Installing Certbot on Ubuntu 20.04

 

Step 1 – Installing Certbot

Certbot is a tool to obtain certificates from Let’s Encrypt and configure on your web server. Snap package is the easist way for installing certbot on Ubuntu system.

Open a terminal and execute below command to install certbot:

sudo snap install --classic certbot 

Step 2 – Generate SSL Certificate

Now, You can request SSL certificates from Let’s encrypt based on the web server.

  1. Apache – The systems running Apache web server, execute the following command. This will list all the domains/sub-domains configured on your web server. Select appropriate numbers to request certificate.
    sudo certbot --apache 

    We also use the following to install on a domain.

    sudo certbot - apache -d yourdomain.com
  2. Nginx – For the systems running Nginx web server, use below command to request for the SSL certificates.
    sudo certbot --nginx 
  3. Other Web Server – For the system having any other web servers running except Apache or Nginx. Then you can get the certificate only and configure them manually.

    This command will ask you for domain name and document root for the domain.

    sudo certbot certonly --webroot 
  4. No Web Server – The systems have no web server running, can also request a ssl certificate. Below command will ask your for the domain name and start a temporary web server on port 80 to complete the verification.
    sudo certbot certonly --standalone 

In all of the above cases, the domain must be pointed to your server from dns. Also insure that /.well-known/acme-challenge are served by the webserver.

Step 3 – Test SSL

Once the SSL certificate is installed on the web server, visit https://your-domain.com/ in a web browser and look for the SSL lock icon in the URL bar. You can also do a security scan for the SSL setup on https://www.ssllabs.com/ssltest/.

 

Step 4 – Renew SSL Certificate

Let’s encrypt certificates are issues for 3 months only. You can renew certificate before 30 days of expiry. Certbot allows you a hassle free renewal just by running a single command.

Run the below command to renew all the certificates on that system.

sudo certbot renew 

You can also run a dry run without actual renewal. This will help you to test if SSL renewal perform well.

sudo certbot renew --dry-run