Install Certbot for Let's Encrypt SSL certificates. One-command install for Ubuntu/Debian (snap), CentOS, Docker, and Windows with common error fixes. This guide covers production-ready installation patterns, plugin setup, and how to avoid version and permission issues.
Certbot Installation Guide
TL;DR: Certbot is the EFF's official ACME client for Let's Encrypt, providing automated SSL/TLS certificate management. Installation method matters: snap packages offer automatic updates and latest features (recommended), distribution packages provide OS-native integration, and Docker deployments enable containerized certificate automation. Proper installation prevents version conflicts, plugin issues, and permission problems in production.
Need help with ACME? Try the Axelspire ACME support chatbot for implementation and troubleshooting.
Quick Install (Choose Your Platform)
Ubuntu/Debian (Recommended - snap method):
CentOS/RHEL 8+:
sudo dnf install certbot
# For nginx plugin:
sudo dnf install python3-certbot-nginx
# For apache plugin:
sudo dnf install python3-certbot-apache
Docker:
docker run -it --rm --name certbot \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
certbot/certbot certonly --standalone
Windows (PowerShell as Administrator):
# Install Chocolatey first (if not installed):
# https://chocolatey.org/install
choco install certbot
macOS (Homebrew):
** Why use snap?** - Always latest version (auto-updates every 6 hours) - All DNS plugins available - Works on any Linux distro - Official EFF recommendation - Sandboxed and secure
[See detailed installation guide below ↓]
Overview: Foundation for ACME Automation
Certbot installation represents the first step in ACME certificate automation—getting it wrong compounds problems throughout your certificate lifecycle. While installation seems straightforward ("just install a package"), production deployments require understanding installation method trade-offs, plugin availability, version compatibility, and integration with existing infrastructure.
The installation decision: Organizations face three primary installation approaches—snap packages (EFF's recommended method with automatic updates), distribution packages (OS-native with stable but potentially outdated versions), and manual installation (deprecated but necessary for legacy systems). Each method affects update procedures, plugin availability, file system layout, and compatibility with Infrastructure-as-Code tooling.
Why This Belongs in ACME Client Operations
This guide focuses on production-ready installation patterns rather than "quick start" tutorials. While Let's Encrypt documentation shows simple apt install certbot, enterprise environments face complications:
- Multi-distribution standardization: How to install Certbot consistently across Ubuntu, CentOS, Debian, RHEL deployments
- Version pinning: Balancing security updates with stability requirements
- Plugin management: Ensuring nginx/apache/dns plugins are available
- Container deployments: Installing Certbot in Docker, Kubernetes, immutable infrastructure
- Air-gapped environments: Installing without internet access
- Enterprise proxies: Installing through corporate HTTP proxies and artifact repositories
Real-world installation scenario: Your organization operates 50 web servers across 3 cloud providers—25 Ubuntu 22.04 (AWS), 15 CentOS 8 (Azure), 10 RHEL 8 (GCP). Some servers are internet-connected, others are air-gapped. You need consistent Certbot installation across all systems, with automatic updates enabled for internet-connected servers and manual update procedures for air-gapped systems. Your Infrastructure-as-Code (Ansible) must support all three distributions with the same playbook.
Installation Method Comparison
| Method | Auto-Updates | Latest Version | OS Integration | Use Case |
|---|---|---|---|---|
| Snap | Automatic | Always latest | Containerized | Modern systems, recommended |
| Distribution Pkg | Manual (apt/dnf) | May lag behind | Native | Enterprise with strict change control |
| Docker | Image updates | Configurable | Containerized | Immutable infrastructure |
| Manual (certbot-auto) | Deprecated | Frozen | Manual | Legacy systems only |
Recommendation:
- Production (internet-connected): Snap installation
- Enterprise (change control): Distribution packages with update policy
- Containers: Docker with version pinning
- Legacy systems: Distribution packages or manual (last resort)
Related Documentation
This page is part of the Operating ACME Clients section:
- Operating ACME Clients Overview - Section introduction
- Certbot Installation (this page) - Getting Certbot installed
- Certbot Renewal Automation - After installation, set up renewal
- X.509 Certificate Verification - Understanding certificate validation
- DNS-01 Challenge Validation - DNS challenges (requires DNS plugins)
- A Record Configuration - DNS for HTTP-01 validation
Recommended reading order for new Certbot users:
- Certbot Installation (this page) - Start here
- A Record Configuration - Ensure DNS is correct
- Certbot Renewal Automation - Set up automation
- X.509 Certificate Verification - Verify certificates work
For broader context:
- ACME Protocol - Understanding ACME before using Certbot
- Certificate Lifecycle Management - Broader lifecycle operations
- Renewal Automation - Platform-agnostic automation strategies
Problem Statement
Organizations implementing Certbot face installation challenges that affect long-term operational success:
- Version conflicts: Multiple Certbot installations (snap + apt + pip) causing command conflicts and unpredictable behavior
- Missing plugins: Base Certbot installed without nginx/apache/dns plugins, breaking automation scripts
- Update management: Balancing automatic updates (snap) with enterprise change control requirements
- Path issues: Certbot installed but not in system PATH, breaking cron jobs and systemd timers
- Permission errors: Certbot cannot write to
/etc/letsencryptor web roots due to permission restrictions - Firewall blocking: ACME validation fails because ports 80/443 blocked by OS firewall or cloud security groups
- Enterprise proxy: Installation fails in environments requiring HTTP proxy for internet access
- Air-gapped systems: Cannot install from internet repositories without mirror setup
Common installation failure: Administrator runs sudo apt install certbot, believes Certbot is ready, attempts to issue nginx certificate with certbot --nginx, encounters error "unrecognized arguments: --nginx" because python3-certbot-nginx plugin wasn't installed. Certificate issuance fails, manual troubleshooting required.
Architecture
Certbot System Architecture
┌─────────────────────────────────────────┐
│ Certbot Installation │
├─────────────────────────────────────────┤
│ Core Binary │
│ ├─ /snap/bin/certbot (snap) │
│ ├─ /usr/bin/certbot (apt/dnf) │
│ └─ /usr/local/bin/certbot (manual) │
├─────────────────────────────────────────┤
│ Plugins (Authenticators/Installers) │
│ ├─ nginx (python3-certbot-nginx) │
│ ├─ apache (python3-certbot-apache) │
│ ├─ dns-cloudflare │
│ ├─ dns-route53 │
│ └─ standalone (built-in) │
├─────────────────────────────────────────┤
│ Configuration & Data │
│ ├─ /etc/letsencrypt/ (certificates) │
│ ├─ /var/lib/letsencrypt/ (work dir) │
│ └─ /var/log/letsencrypt/ (logs) │
└─────────────────────────────────────────┘
Installation Flow
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Install │────────▶│ Verify │────────▶│ Configure │
│ Certbot │ │ Plugins │ │ Automation │
└─────────────┘ └─────────────┘ └─────────────┘
│ │ │
│ │ │
Snap/Apt certbot systemd timer
packages plugins or cron job
Installation Components:
- Core binary:
certbotcommand-line tool - Plugins: Web server and DNS provider integrations
- Configuration directories:
/etc/letsencrypt,/var/lib/letsencrypt,/var/log/letsencrypt - Systemd timer (snap) or cron job for automatic renewal
Implementation
Recommended: Snap Installation (Current Stable: v2.7.4)
Why Snap is Recommended:
- Automatic security updates from EFF
- Latest Certbot version always available
- Consistent across distributions
- Self-contained (no system Python conflicts)
- Automatic renewal timer configured
Ubuntu 20.04+ / Debian 11+:
# Remove existing Certbot installations (if any)
sudo apt remove certbot
# Install snapd (if not present)
sudo apt update
sudo apt install snapd
# Install core snap (foundation)
sudo snap install core
sudo snap refresh core
# Install Certbot
sudo snap install --classic certbot
# Create system-wide symlink
sudo ln -s /snap/bin/certbot /usr/bin/certbot
# Verify installation
certbot --version
# Output: certbot 2.7.4
CentOS 8+ / RHEL 8+ / Rocky Linux / AlmaLinux:
# Enable EPEL repository
sudo dnf install epel-release
# Install snapd
sudo dnf install snapd
# Enable snapd socket
sudo systemctl enable --now snapd.socket
# Create classic snap support symlink
sudo ln -s /var/lib/snapd/snap /snap
# Install Certbot
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
# Verify
certbot --version
CentOS 7 / RHEL 7 (Snap support limited):
# CentOS 7 snap support is experimental
# Recommended: Use distribution packages instead
sudo yum install epel-release
sudo yum install certbot python2-certbot-nginx
Distribution Package Installation
Ubuntu 20.04 LTS / 22.04 LTS / Debian 11+:
# Update package index
sudo apt update
# Install Certbot with web server plugins
sudo apt install certbot \
python3-certbot-nginx \
python3-certbot-apache
# Verify installation
certbot --version
dpkg -l | grep certbot
# Check available plugins
certbot plugins
CentOS Stream 8+ / RHEL 8+ / Rocky Linux:
# Enable EPEL repository
sudo dnf install epel-release
# Install Certbot with plugins
sudo dnf install certbot \
python3-certbot-nginx \
python3-certbot-apache
# Verify
certbot --version
certbot plugins
CentOS 7 / RHEL 7:
# Enable EPEL
sudo yum install epel-release
# Install Certbot (Python 2 based)
sudo yum install certbot \
python2-certbot-nginx \
python2-certbot-apache
# Note: CentOS 7 uses Python 2, consider upgrading OS
DNS Plugin Installation
Cloudflare DNS Plugin:
# Snap method
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare
# Distribution package method
sudo apt install python3-certbot-dns-cloudflare # Ubuntu/Debian
sudo dnf install python3-certbot-dns-cloudflare # CentOS 8+
# Pip method (if plugins not in repository)
sudo pip3 install certbot-dns-cloudflare
Route53 DNS Plugin:
# Snap
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-route53
# Distribution
sudo apt install python3-certbot-dns-route53
sudo dnf install python3-certbot-dns-route53
Other DNS Plugins:
# Available DNS plugins (install similarly)
certbot-dns-cloudflare
certbot-dns-route53
certbot-dns-google
certbot-dns-azure
certbot-dns-digitalocean
certbot-dns-ovh
certbot-dns-rfc2136 # Generic RFC2136 (BIND nsupdate)
Legacy: Manual Installation (Only for Legacy Systems)
⚠️ Warning: certbot-auto is deprecated since January 2021. Use only when snap and distribution packages are unavailable.
# Download certbot-auto (deprecated)
sudo wget https://dl.eff.org/certbot-auto -O /usr/local/bin/certbot-auto
sudo chmod a+x /usr/local/bin/certbot-auto
# First run installs dependencies
sudo /usr/local/bin/certbot-auto --version
# Usage (similar to certbot)
sudo /usr/local/bin/certbot-auto certonly --nginx
Enterprise Docker Deployment
Production Dockerfile:
FROM alpine:3.18
# Install Certbot and required tools
RUN apk add --no-cache \
certbot \
py3-pip \
openssl \
bash \
curl
# Install DNS plugins
RUN pip3 install --no-cache-dir \
certbot-dns-cloudflare \
certbot-dns-route53
# Create required directories
RUN mkdir -p /etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt
# Copy entrypoint script
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh
# Volume for certificate persistence
VOLUME /etc/letsencrypt
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["renew"]
Entrypoint Script (entrypoint.sh):
#!/bin/bash
set -e
case "$1" in
certonly)
exec certbot certonly "${@:2}"
;;
renew)
exec certbot renew --quiet
;;
*)
exec certbot "$@"
;;
esac
Docker Compose Configuration:
version: '3.8'
services:
certbot:
build: ./certbot
volumes:
- ./letsencrypt:/etc/letsencrypt
- ./logs:/var/log/letsencrypt
- ./webroot:/var/www/html
environment:
- CF_API_TOKEN=${CLOUDFLARE_TOKEN}
command: >
certonly
--webroot
-w /var/www/html
-d example.com
--email admin@example.com
--agree-tos
--non-interactive
Kubernetes CronJob for Renewal:
apiVersion: batch/v1
kind: CronJob
metadata:
name: certbot-renewal
spec:
schedule: "0 2 * * *" # Daily at 2 AM
jobTemplate:
spec:
template:
spec:
containers:
- name: certbot
image: certbot/certbot:latest
args:
- renew
- --dns-cloudflare
- --dns-cloudflare-credentials
- /etc/cloudflare/credentials.ini
volumeMounts:
- name: letsencrypt
mountPath: /etc/letsencrypt
- name: cloudflare-creds
mountPath: /etc/cloudflare
readOnly: true
volumes:
- name: letsencrypt
persistentVolumeClaim:
claimName: letsencrypt-pvc
- name: cloudflare-creds
secret:
secretName: cloudflare-credentials
restartPolicy: OnFailure
Common Pitfalls
1. Version Conflicts from Multiple Installations
Problem: Multiple Certbot installations causing command conflicts
# Symptom: Certbot behavior inconsistent
which certbot
# Output: /usr/bin/certbot
# But multiple installations exist:
which -a certbot
# /usr/bin/certbot (snap symlink)
# /usr/local/bin/certbot (manual install)
dpkg -l | grep certbot
# certbot (apt package also installed)
snap list certbot
# certbot installed via snap
Impact: Different versions may use different config directories, causing certificates to "disappear"
Solution: Clean install with single method
# Remove all existing Certbot installations
sudo apt remove certbot python3-certbot-*
sudo snap remove certbot
sudo rm -f /usr/local/bin/certbot-auto
# Verify removed
which -a certbot # Should return nothing
# Fresh install via recommended method
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
# Verify single installation
which certbot
# /usr/bin/certbot (symlink to /snap/bin/certbot)
2. Missing Web Server Plugin Dependencies
Problem: Installed Certbot but web server plugins not available
# Attempt to use nginx plugin
sudo certbot --nginx -d example.com
# Error: certbot: error: unrecognized arguments: --nginx
Cause: Base package installed without plugin packages
Solution: Install complete plugin set
# Snap method (plugins separate)
sudo snap install --classic certbot
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare # If DNS-01 needed
# Distribution method (explicit plugin packages)
sudo apt install certbot \
python3-certbot-nginx \ # Nginx plugin
python3-certbot-apache \ # Apache plugin
python3-certbot-dns-cloudflare # DNS plugin
# Verify plugins available
certbot plugins
# Should show: nginx, apache, standalone, webroot, dns-cloudflare
3. Snap PATH Configuration Issues
Problem: Certbot not found after snap installation
$ certbot --version
bash: certbot: command not found
# But snap installed successfully
$ snap list certbot
Name Version Rev Tracking Publisher Notes
certbot 2.7.4 3487 latest/stable certbot-eff classic
Cause: /snap/bin not in PATH or symlink missing
Solution: Add to PATH and create symlink
# Add snap bin to PATH
echo 'export PATH="/snap/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc
# Create system-wide symlink
sudo ln -s /snap/bin/certbot /usr/bin/certbot
# Verify
which certbot
# /usr/bin/certbot
certbot --version
# certbot 2.7.4
4. Permission Errors During Certificate Operations
Problem: Certbot cannot write to configuration directories
$ certbot certonly --standalone -d example.com
# Error: [Errno 13] Permission denied: '/etc/letsencrypt'
Cause: Running Certbot without sudo
Solution: Use sudo for certificate operations
# WRONG - insufficient permissions
certbot certonly --standalone -d example.com
# CORRECT - run with sudo
sudo certbot certonly --standalone -d example.com
# Verify directory permissions
ls -ld /etc/letsencrypt
# drwx------ 3 root root ... /etc/letsencrypt
Directory Permissions Setup:
# Ensure proper ownership
sudo chown -R root:root /etc/letsencrypt
sudo chmod 700 /etc/letsencrypt
# Create log directory if missing
sudo mkdir -p /var/log/letsencrypt
sudo chmod 755 /var/log/letsencrypt
5. Firewall Blocking ACME Validation
Problem: HTTP-01 validation fails due to firewall blocking port 80
sudo certbot certonly --standalone -d example.com
# Error: Timeout during connect (likely firewall problem)
Solution: Configure firewall to allow HTTP/HTTPS
# UFW (Ubuntu)
sudo ufw status
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw reload
# firewalld (CentOS/RHEL)
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
# iptables (manual)
sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables-save > /etc/iptables/rules.v4
# Cloud provider security groups (AWS, Azure, GCP)
# Add rules allowing inbound TCP 80 and 443 from 0.0.0.0/0
6. Enterprise HTTP Proxy Configuration
Problem: Installation fails behind corporate proxy
# Snap installation fails
sudo snap install --classic certbot
# Error: cannot communicate with store
# Apt installation fails
sudo apt install certbot
# Error: Failed to fetch http://...
Solution: Configure proxy environment variables
# Set proxy for package managers
export http_proxy=http://proxy.company.com:8080
export https_proxy=http://proxy.company.com:8080
export no_proxy=localhost,127.0.0.1,.company.com
# For snap
sudo snap set system proxy.http="http://proxy.company.com:8080"
sudo snap set system proxy.https="http://proxy.company.com:8080"
# For apt (in /etc/apt/apt.conf.d/proxy.conf)
Acquire::http::Proxy "http://proxy.company.com:8080";
Acquire::https::Proxy "http://proxy.company.com:8080";
# For Certbot ACME communication
sudo tee -a /etc/environment << 'EOF'
http_proxy="http://proxy.company.com:8080"
https_proxy="http://proxy.company.com:8080"
EOF
7. Python Version Conflicts
Problem: Certbot requires specific Python version
# CentOS 7 with Python 2.7 (deprecated)
sudo yum install certbot
# Warning: Python 2.7 will not be maintained past 2020
# System has Python 3 but Certbot installed for Python 2
certbot --version
# Uses Python 2.7 (unsupported)
Solution: Use snap (bypasses Python version issues) or upgrade OS
# Option 1: Use snap (recommended)
sudo snap install --classic certbot
# Option 2: Upgrade to CentOS 8+ / RHEL 8+ / Rocky Linux
# (Python 3 based)
# Option 3: Manual Python 3 Certbot installation
sudo pip3 install certbot certbot-nginx certbot-apache
Best Practices
1. Production Deployment Standardization
Single Installation Method Across Fleet
# Choose ONE method for entire infrastructure
# Document in runbook, enforce in automation
# Example: Snap for all Ubuntu/Debian/CentOS 8+ servers
# Ansible playbook ensures consistency
Ansible Playbook for Standardized Installation:
---
- name: Install Certbot via snap (standardized)
hosts: webservers
become: yes
tasks:
- name: Ensure snapd installed
package:
name: snapd
state: present
- name: Install core snap
snap:
name: core
state: present
- name: Refresh core snap
command: snap refresh core
changed_when: false
- name: Install Certbot snap
snap:
name: certbot
classic: yes
state: present
- name: Create Certbot symlink
file:
src: /snap/bin/certbot
dest: /usr/bin/certbot
state: link
- name: Verify Certbot installation
command: certbot --version
register: certbot_version
changed_when: false
- name: Display Certbot version
debug:
msg: "Certbot {{ certbot_version.stdout }} installed successfully"
2. Plugin Management Strategy
Install All Required Plugins During Initial Setup
# Snap method - install plugins upfront
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare
sudo snap install certbot-dns-route53
# Verify plugins
snap list | grep certbot
# Distribution method - comprehensive package list
sudo apt install \
certbot \
python3-certbot-nginx \
python3-certbot-apache \
python3-certbot-dns-cloudflare \
python3-certbot-dns-route53
Plugin Verification Script:
#!/bin/bash
# Verify required plugins are available
REQUIRED_PLUGINS=("nginx" "apache" "dns-cloudflare")
echo "Checking Certbot plugins:"
for plugin in "${REQUIRED_PLUGINS[@]}"; do
if certbot plugins | grep -q "$plugin"; then
echo " ✓ $plugin"
else
echo " ✗ $plugin (missing - install required)"
fi
done
3. Configuration Directory Management
Standard Directory Structure:
/etc/letsencrypt/
├── accounts/ # ACME account keys
├── archive/ # All certificate versions
├── csr/ # Certificate signing requests
├── keys/ # Private keys
├── live/ # Symlinks to latest certificates
│ └── example.com/
│ ├── cert.pem # Certificate only
│ ├── chain.pem # Intermediate certificate
│ ├── fullchain.pem # Certificate + intermediate
│ └── privkey.pem # Private key
├── renewal/ # Renewal configuration files
└── renewal-hooks/
├── deploy/ # Deployment hooks
├── post/ # Post-renewal hooks
└── pre/ # Pre-renewal hooks
Backup Strategy:
#!/bin/bash
# Backup Certbot configuration and certificates
BACKUP_DIR="/backup/letsencrypt-$(date +%Y%m%d)"
sudo mkdir -p "$BACKUP_DIR"
# Backup entire Certbot directory
sudo tar czf "$BACKUP_DIR/letsencrypt.tar.gz" /etc/letsencrypt
# Backup to remote storage
sudo rsync -av /etc/letsencrypt/ backup-server:/backup/letsencrypt/
# Verify backup
tar tzf "$BACKUP_DIR/letsencrypt.tar.gz" | head -n 20
4. Update Management
Snap Auto-Updates (Default):
# Check snap refresh timer
snap refresh --time
# Manually refresh Certbot
sudo snap refresh certbot
# View refresh history
snap changes certbot
Distribution Package Updates:
# Ubuntu/Debian - check for updates
sudo apt update
apt list --upgradable | grep certbot
# Update Certbot
sudo apt install --only-upgrade certbot python3-certbot-*
# CentOS/RHEL
sudo dnf check-update | grep certbot
sudo dnf update certbot python3-certbot-*
Version Pinning for Enterprise:
# Pin Certbot version for stability (Ubuntu/Debian)
sudo apt-mark hold certbot python3-certbot-nginx
# Verify pinned
apt-mark showhold
# Unpin when ready to upgrade
sudo apt-mark unhold certbot python3-certbot-nginx
5. Monitoring and Validation
Post-Installation Validation
#!/bin/bash
# Validate Certbot installation
echo "=== Certbot Installation Validation ==="
# Check version
if certbot --version > /dev/null 2>&1; then
version=$(certbot --version 2>&1 | grep -oP '\d+\.\d+\.\d+')
echo "✓ Certbot installed: version $version"
else
echo "✗ Certbot not installed or not in PATH"
exit 1
fi
# Check required plugins
REQUIRED_PLUGINS=("nginx" "standalone" "webroot")
for plugin in "${REQUIRED_PLUGINS[@]}"; do
if certbot plugins 2>&1 | grep -q "$plugin"; then
echo "✓ Plugin available: $plugin"
else
echo "✗ Plugin missing: $plugin"
fi
done
# Check directories exist and have correct permissions
for dir in /etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt; do
if [ -d "$dir" ] && [ -w "$dir" ]; then
echo "✓ Directory accessible: $dir"
else
echo "✗ Directory issue: $dir"
fi
done
# Test dry-run certificate request
if sudo certbot register --agree-tos --email test@example.com --dry-run > /dev/null 2>&1; then
echo "✓ ACME communication working"
else
echo "✗ Cannot communicate with ACME server (check firewall/proxy)"
fi
echo "=== Validation Complete ==="
Monitor Installation Across Fleet:
#!/usr/bin/env python3
"""Check Certbot installation status across server fleet"""
import subprocess
import json
def check_certbot_on_server(hostname):
"""Check Certbot installation remotely"""
try:
result = subprocess.run(
['ssh', hostname, 'certbot', '--version'],
capture_output=True,
text=True,
timeout=10
)
if result.returncode == 0:
version = result.stdout.strip()
return {'status': 'installed', 'version': version}
else:
return {'status': 'error', 'message': result.stderr}
except Exception as e:
return {'status': 'unreachable', 'error': str(e)}
# Check fleet
servers = ['web1.example.com', 'web2.example.com', 'web3.example.com']
for server in servers:
result = check_certbot_on_server(server)
print(f"{server}: {result}")
6. Security Hardening Post-Installation
Restrict Certbot Directory Permissions:
# Secure Certbot directories
sudo chmod 700 /etc/letsencrypt
sudo chmod 700 /etc/letsencrypt/live
sudo chmod 700 /etc/letsencrypt/archive
# Private keys should be 600
sudo find /etc/letsencrypt -name 'privkey*.pem' -exec chmod 600 {} \;
# Verify permissions
sudo find /etc/letsencrypt -type f -name '*.pem' -ls
Limit Certbot Execution:
# Create dedicated user for automated renewals (optional)
sudo useradd -r -s /bin/false certbot-automation
# Configure sudoers for limited certbot access
sudo tee /etc/sudoers.d/certbot << 'EOF'
certbot-automation ALL=(root) NOPASSWD: /usr/bin/certbot renew
certbot-automation ALL=(root) NOPASSWD: /usr/sbin/nginx -t
certbot-automation ALL=(root) NOPASSWD: /bin/systemctl reload nginx
EOF
7. Enterprise Compliance and Audit
Document Installation for Compliance:
# Certbot Installation Documentation
## Installation Method
- Method: Snap packages (certbot 2.7.4)
- Installation Date: 2026-01-24
- Installed By: ops-team
- Approval: Change request CR-12345
## Installed Components
- Core: certbot 2.7.4
- Plugins: nginx, dns-cloudflare
- Configuration: /etc/letsencrypt
- Logs: /var/log/letsencrypt
## Update Policy
- Automatic updates: Enabled (snap refresh)
- Testing: All updates tested in staging before production
- Rollback procedure: snap revert certbot
## Access Control
- Certbot execution: Root only
- Configuration access: Root only
- Certificate files: 600 permissions (root owner)
## Audit Trail
- Installation logged in: /var/log/syslog
- Compliance framework: SOC 2, ISO 27001
- Review frequency: Quarterly
Track Certbot Versions Across Infrastructure:
#!/bin/bash
# Audit Certbot versions for compliance
SERVERS_FILE="/etc/infrastructure/webservers.txt"
AUDIT_FILE="/var/log/certbot-audit-$(date +%Y%m%d).log"
echo "=== Certbot Version Audit: $(date) ===" | tee "$AUDIT_FILE"
while read -r server; do
version=$(ssh "$server" "certbot --version 2>&1" | grep -oP '\d+\.\d+\.\d+' || echo "NOT_INSTALLED")
echo "$server: $version" | tee -a "$AUDIT_FILE"
done < "$SERVERS_FILE"
echo "=== Audit Complete ===" | tee -a "$AUDIT_FILE"
Operational Checklist
Pre-installation preparation:
- [ ] Determine installation method (snap recommended for most environments)
- [ ] Check OS version and distribution
- [ ] Verify internet connectivity or configure local repository mirror
- [ ] Configure HTTP proxy if required
- [ ] Document installation method in runbook
Installation:
- [ ] Remove any existing Certbot installations
- [ ] Install Certbot core package
- [ ] Install required web server plugins (nginx/apache)
- [ ] Install DNS provider plugins (if using DNS-01)
- [ ] Verify Certbot in PATH (
which certbot) - [ ] Check Certbot version (
certbot --version) - [ ] Verify plugins available (
certbot plugins)
Post-installation:
- [ ] Configure firewall to allow ports 80 and 443
- [ ] Verify directory permissions (700 for /etc/letsencrypt)
- [ ] Test ACME communication (
certbot register --dry-run) - [ ] Document installation in compliance records
- [ ] Configure automatic updates (snap) or update schedule (apt/dnf)
- [ ] Set up monitoring for Certbot version tracking
- [ ] Create backup procedures for
/etc/letsencrypt - [ ] Test certificate issuance in staging (
--staging) - [ ] Configure automated renewal (systemd timer or cron)
- [ ] Document troubleshooting procedures
Related Documentation
ACME Operations (Read After Installation):
- Operating ACME Clients Overview - Section navigation
- Certbot Installation (this page) - Installing Certbot
- A Record Configuration - Next: Configure DNS
- Certbot Renewal Automation - Next: Set up automation
- X.509 Certificate Verification - Understanding validation
- DNS-01 Challenge Validation - For wildcard certificates
Protocol & Standards:
- ACME Protocol - Understand ACME before installing clients
- TLS Protocol - How certificates are used
Broader Operations:
- Certificate Lifecycle Management - Complete lifecycle
- Renewal Automation - Platform-agnostic automation
Troubleshooting:
- Common Misconfigurations - Configuration issues and quick fixes
- Chain Validation Errors - Certificate verification failures
- Expired Certificate Outages - Incident response and prevention
- Performance Bottlenecks - Timeout and performance issues
This comprehensive installation guide ensures production-ready Certbot deployment across diverse Linux distributions, container environments, and enterprise infrastructure with proper security, monitoring, and compliance considerations.