Note:
Certbot is meant to be run on the server where your website is hosted. If you don't have administrative shell access to your webserver or you're not familiar with command line server administration, you should check if your hosting provider has built-in Let's Encrypt support by contacting them or checking this list of supporting providers.
Install
Certbot is packaged in EPEL (Extra Packages for Enterprise Linux). To use Certbot, you must first enable the EPEL repository. On RHEL or Oracle Linux, you must also enable the optional channel.
Note:
If you are using RHEL on EC2, you can enable the optional channel by running:
$ yum -y install yum-utils $ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
After doing this, you can install Certbot by running:
Installing DNS plugins
Certbot's DNS plugins are available for your system. These plugins can be used to automate obtaining a wildcard certificate from Let's Encrypt's ACMEv2 server. To use one of these plugins, you must have configured DNS for the domain you want to obtain a certificate for with a DNS provider that Certbot has a plugin for. A list of these plugins and more information about using them can be found here. To install one of these plugins, run the installation command above but replace certbot python2-certbot-nginx with python2-certbot-dns-PLUGIN, where PLUGIN is the name of the plugin you want to install. For instance, for the RFC2136 plugin this would be python2-certbot-dns-rfc2136.
Get Started
Certbot has an Nginx plugin, which is supported on many platforms, and automates certificate installation.
Running this command will get a certificate for you and have Certbot edit your Nginx configuration automatically to serve it. If you're feeling more conservative and would like to make the changes to your Nginx configuration by hand, you can use the certonlysubcommand:
If you want to obtain a wildcard certificate using Let's Encrypt's new ACMEv2 server, you'll also need to use one of Certbot's DNS plugins. To do this, make sure the plugin for your DNS provider is installed using the instructions above and run a command like the following:
You'll need to replace dns-plugin with the name of the DNS plugin you want to use. You may also need to provide additional flags such as the path your API credentials as described in the documentation for the DNS plugin linked above.
To learn more about how to use Certbot read our documentation.Automating renewal
Certbot can be configured to renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:
If that appears to be working correctly, you can arrange for automatic renewal by adding a cron job or systemd timer which runs the following:Note:
if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.
An example cron job might look like this, which will run at noon and midnight every day:
More detailed information and options about renewal can be found in the full documentation.