Installing Certbot (Linux)

This article will walk you through installing Certbot on a Debian-based OS. For Domain Control Validation (DCV), we’ll be using Cloudflare; however, many other providers exist.

ℹ️ See lets_linux for an Ansible role which automates this article.

Install snapd

To get the latest version of Certbot it’s recommended that the client be installed from Canonical’s Snap Store. Snap is a package management system that distributes software in a universal, self-contained format.

apt-get install snapd

Run the following commands to ensure you have the latest version of snapd installed.

snap install core
snap refresh core

Install certbot

With snapd installed, let’s go ahead and install certbot.

snap install --classic certbot

Create a symbolic link so that certbot can be found via the $PATH environment variable.

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Configure Plugin

Tell certbot that it can trust plugins with root access.

snap set certbot trust-plugin-with-root=ok

Install the Certbot Cloudflare plugin. This plugin provides certbot with the ability to communicate with Cloudflare’s API in order to generate the required DNS entries when Domain Control Validation is requested.

sudo snap install certbot-dns-cloudflare

Provide certbot with the Cloudflare API token, which allows it to access your Cloudflare account via Cloudflare’s API service.

echo "dns_cloudflare_api_token = [token]" > /etc/letsencrypt/.cloudflare_token

Restrict the file’s permissions so that only its owner can read the API token.

chmod 600 /etc/letsencrypt/.cloudflare_token
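
The echo above creates the file under the current umask (typically 022), so the token is readable by other local users until chmod runs. As an added example (not part of the original article), the shell functions below write the credentials file with mode 600 from the start and then audit its type, mode, owner and contents; the function names are hypothetical and GNU stat and mktemp are assumed, as on Debian.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are
# hypothetical; assumes GNU stat and mktemp, as shipped on Debian.

# write_token_file PATH
# Reads the API token from stdin (so it stays out of shell history and
# process arguments) and writes PATH atomically. mktemp creates its file with
# mode 0600, so the token is never readable by other users.
write_token_file() {
    wt_path=$1
    IFS= read -r wt_token || :      # tolerate input without a trailing newline
    [ -n "$wt_token" ] || { echo "FAIL: empty token" >&2; return 1; }
    wt_tmp=$(mktemp "${wt_path}.XXXXXX") || return 1
    if printf 'dns_cloudflare_api_token = %s\n' "$wt_token" > "$wt_tmp" &&
        mv -f "$wt_tmp" "$wt_path"; then
        return 0
    fi
    rm -f "$wt_tmp"
    return 1
}

# audit_token_file PATH [OWNER_UID]
# Returns 0 only if PATH is a regular file (not a symlink), has no group or
# other permission bits, is owned by OWNER_UID (default 0, root) and
# contains a dns_cloudflare_api_token entry.
audit_token_file() {
    at_path=$1
    at_uid=${2:-0}
    if [ -L "$at_path" ] || [ ! -f "$at_path" ]; then
        echo "FAIL: $at_path is missing or not a regular file" >&2; return 1
    fi
    at_mode=$(stat -c '%a' "$at_path") || return 1
    case $at_mode in
        600|400) ;;
        *) echo "FAIL: mode $at_mode, expected 600" >&2; return 1 ;;
    esac
    if [ "$(stat -c '%u' "$at_path")" != "$at_uid" ]; then
        echo "FAIL: $at_path is not owned by uid $at_uid" >&2; return 1
    fi
    if ! grep -Eq '^dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]]+' "$at_path"; then
        echo "FAIL: no dns_cloudflare_api_token entry in $at_path" >&2; return 1
    fi
    return 0
}
```

After sourcing these functions as root, run `write_token_file /etc/letsencrypt/.cloudflare_token` and supply the token on stdin, then run `audit_token_file /etc/letsencrypt/.cloudflare_token` before requesting a certificate.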

Configure LogRotate

Configure logrotate to rotate files within the /var/log/letsencrypt directory.

cat > /etc/logrotate.d/letsencrypt <<EOF
/var/log/letsencrypt/*.log {
    rotate 12
    weekly
    compress
    missingok
}
EOF

Generate Certificate

Certbot is now installed and ready to request our first certificate. To request a certificate, run the following command. Ensure you replace the value of the -d option with your certificate’s domain and the value of -m with your contact email address.

certbot certonly \
--dns-cloudflare \
--dns-cloudflare-propagation-seconds 60 \
--dns-cloudflare-credentials /etc/letsencrypt/.cloudflare_token \
-d twobyte.blog \
-m contact@twobyte.blog \
--non-interactive \
--agree-tos

View Certificate

The certificate can be found within /etc/letsencrypt/live/domain_name.

user@host:/$ ls /etc/letsencrypt/live/twobyte.blog/
README  cert.pem  chain.pem  fullchain.pem  privkey.pem
  • privkey.pem is your private key (aka. private certificate).
  • cert.pem is your public certificate.
  • chain.pem is any required intermediary certificate(s) associated with Let’s Encrypt.
  • fullchain.pem is the intermediary certificate(s) and your public certificate bundled together in one file.

To view the details of the certificate, use openssl.

openssl x509 -noout -text -in 'cert.pem'

Example of what you can expect:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            10:18:30:36:d0:e9:9a:e6:c9:ac:8b:f3:81:ab:2d:b2:e9:c0
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E6
        Validity
            Not Before: Mar  12 21:20:41 2025 GMT
            Not After : Jun  10 21:20:40 2025 GMT
        Subject: CN = twobyte.blog
        ...