
The Complete Guide to Let's Encrypt & Certbot

Updated June 2026

Let's Encrypt is a free, automated, and open Certificate Authority (CA) provided by the Internet Security Research Group (ISRG). It has revolutionized web security by making it possible for anyone to obtain and install a trusted SSL/TLS certificate at no cost. The key to its success is automation, primarily through the ACME protocol and client software like Certbot.

How Let's Encrypt Works: The ACME Protocol

Let's Encrypt uses the Automated Certificate Management Environment (ACME) protocol to verify that you control a given domain name and to issue a certificate. The process is entirely automated:

  1. An ACME client on your web server (like Certbot) tells the Let's Encrypt CA it wants to secure a domain (e.g., `yourdomain.com`).
  2. The CA gives the client a "challenge"—a unique token that it needs to make available on the website in a specific way.
  3. The client places the token where the CA can find it. This proves the client controls the domain. There are two common challenge types:
    • HTTP-01 Challenge: The client places a file with the token at a specific URL on the website (e.g., `http://yourdomain.com/.well-known/acme-challenge/<token>`).
    • DNS-01 Challenge: The client adds a specific TXT record containing the token to the domain's DNS records. This is required for issuing wildcard certificates.
  4. Once the CA verifies the token, it has confirmed that the client controls the domain. The client then generates a Certificate Signing Request (CSR) and sends it to the CA, which returns a signed SSL/TLS certificate.

This entire process takes seconds and can be fully automated.
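To make the two challenge types concrete, here is an added example (not Certbot's code and not from the original page) that derives exactly what an ACME client must publish: the HTTP-01 response body and the DNS-01 TXT value as RFC 8555 defines them, plus a pre-flight check that compares what your web server actually serves against the expected value. It goes slightly beyond the summary above by showing that both values are derived from the token together with the account key. The account key and token are constructed sample values.

```python
import base64
import hashlib
import json

# Constructed sample ACME account key (public members only) and challenge token,
# not real Let's Encrypt data; a client would use its own key and the CA's token.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the client must serve at /.well-known/acme-challenge/<token>
    for HTTP-01 (RFC 8555 section 8.1): token '.' account-key thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value of the _acme-challenge TXT record for DNS-01 (section 8.4):
    base64url(SHA-256(key authorization)), a hash derived from the token."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)

def http01_response_ok(served_body: bytes, token: str, account_jwk: dict) -> bool:
    """Pre-flight check before running the real challenge: does the body your web
    server returns match what the CA expects? The CA tolerates trailing whitespace."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return served_body.rstrip() == expected

if __name__ == "__main__":
    print("HTTP-01 body:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01 TXT:  ", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Feeding the body fetched from `http://yourdomain.com/.well-known/acme-challenge/<token>` into `http01_response_ok` tells you whether a redirect, proxy or caching layer is mangling the response before the CA ever sees it.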

Introducing Certbot: The #1 ACME Client

Certbot is a free, open-source software tool for automatically using Let's Encrypt certificates on manually-administered websites to enable HTTPS. It's the most popular ACME client and is maintained by the Electronic Frontier Foundation (EFF).

Certbot can:

  • Automatically prove to Let's Encrypt that you control the website.
  • Fetch a certificate for your domain(s).
  • Install the certificate on your web server (Apache or Nginx).
  • Automatically configure your web server to serve HTTPS.
  • Automatically renew the certificate before it expires.

Installing and Using Certbot

Installation varies by operating system. The recommended way to install Certbot is using Snap, which ensures you always have the latest version.

# Install Certbot using snap (on Ubuntu/Debian)

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

For Nginx Web Servers

If you use Nginx, Certbot can automatically find your server blocks, install the certificate, and configure HTTPS for you.

# Get and install a certificate for Nginx

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

This command will:

  • Ask for your email address (for renewal notices).
  • Ask you to agree to the Terms of Service.
  • Find the correct Nginx server block for `yourdomain.com`.
  • Complete the HTTP-01 challenge.
  • Install the certificate and configure the server block to use it.
  • Set up a cron job or systemd timer to automatically renew the certificate.

For Apache Web Servers

The process is nearly identical for Apache.

# Get and install a certificate for Apache

sudo certbot --apache -d yourdomain.com -d www.yourdomain.com

Getting a Wildcard Certificate (DNS Challenge)

To get a wildcard certificate (`*.yourdomain.com`), you must use the DNS-01 challenge. This requires a Certbot plugin for your DNS provider (e.g., Cloudflare, Route 53, GoDaddy).

# Example for Cloudflare

# 1. Install the Cloudflare DNS plugin
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare

# 2. Create a credentials file holding a Cloudflare API token scoped to Zone:DNS:Edit
#    for this zone only (e.g., /etc/letsencrypt/cloudflare.ini), readable by root alone
#    (mode 600); Certbot warns if the file is world-readable
# dns_cloudflare_api_token = YOUR_API_TOKEN

# 3. Run Certbot
sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
  -d yourdomain.com -d '*.yourdomain.com'

Note: `certonly` gets the certificate but does not install it. You must configure your web server manually.

Important Considerations

Short Expiry Period

Let's Encrypt certificates are only valid for 90 days. This is intentional to encourage automation. Certbot automatically handles renewal by default, typically checking twice a day and renewing certificates that are within 30 days of expiry. You can test your renewal setup with `sudo certbot renew --dry-run`.

Rate Limits

Let's Encrypt has rate limits to prevent abuse, such as a limit of 50 certificates per registered domain per week. For most use cases, this is not an issue. If you are testing, use the `--staging` flag with Certbot to use the staging environment, which has much higher rate limits.

Server Compatibility

While Certbot has excellent support for Apache and Nginx, it can be used with any web server. In "webroot" or "standalone" mode, Certbot will obtain the certificate, and you can then configure your server (e.g., Caddy, LiteSpeed) to use the certificate files located in `/etc/letsencrypt/live/yourdomain.com/`.

Never Let a Certificate Expire Again

Even with automation, things can go wrong—a failed cron job, a change in server configuration, or an expired DNS plugin credential. CertNotify acts as your safety net, monitoring all your certificates (including those from Let's Encrypt) and alerting you if renewal fails or an expiry is imminent.
