Installing Certbot (Linux)

This article walks you through installing certbot on a Debian-based OS. For Domain Control Validation (DCV) we’ll be using Cloudflare, though many other providers exist.

Install snapd

To get the latest version of certbot, it’s recommended that the client be installed from Canonical’s Snap Store. Snap is a package management system that distributes software in a universal, self-contained format.

apt-get install snapd

Run the following commands to ensure you have the latest version of snapd installed.

snap install core
snap refresh core

Install certbot

With snapd installed, let’s go ahead and install certbot.

snap install --classic certbot

Create a symbolic link so that certbot can be found in a directory listed in the $PATH environment variable.

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Configure Plugin

Tell certbot that it can trust plugins with root access.

snap set certbot trust-plugin-with-root=ok

Install the certbot Cloudflare plugin. This plugin provides certbot with the ability to communicate with Cloudflare’s API in order to generate the required DNS entries when Domain Control Validation is requested.

sudo snap install certbot-dns-cloudflare

Provide certbot with the Cloudflare API token, which allows it to access your Cloudflare account via Cloudflare’s API service.

echo "dns_cloudflare_api_token = [token]" > /etc/letsencrypt/.cloudflare_token

Restrict who can read the API token.

chmod 600 /etc/letsencrypt/.cloudflare_token
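
The two commands above leave a short window in which the token file exists with default permissions before chmod runs. The following is an added example, not part of the original article: it creates the file with mode 600 from the start and audits an existing credentials file. The helper names write_secret and audit_secret are hypothetical, and GNU stat (as shipped on Debian) is assumed.

```bash
# Added example; write_secret and audit_secret are hypothetical helper names.

# write_secret FILE LINE
# Create FILE so that it is mode 600 from the moment it exists. With
# "echo > file" followed by chmod, the default umask (often 022) applies
# until chmod runs.
write_secret() {
    (
        umask 077            # files created in this subshell: owner rw only
        rm -f -- "$1"        # drop any older copy with looser permissions
        set -C               # noclobber: fail rather than write into a file
                             # or symlink that appeared after the rm
        printf '%s\n' "$2" > "$1"
    )
}

# audit_secret FILE
# Return 0 only if FILE is a regular file (not a symlink), owned by the
# invoking user, with no group/other permission bits. Otherwise print the
# reason and return 1.
audit_secret() {
    if [ -L "$1" ]; then echo "$1: is a symlink"; return 1; fi
    if [ ! -f "$1" ]; then echo "$1: not a regular file"; return 1; fi
    if [ "$(stat -c '%u' -- "$1")" != "$(id -u)" ]; then
        echo "$1: not owned by uid $(id -u)"; return 1
    fi
    case "$(stat -c '%a' -- "$1")" in   # GNU stat, octal mode such as 600
        *00|0) return 0 ;;               # group and other digits are both 0
        *) echo "$1: group/other permission bits are set"; return 1 ;;
    esac
}

# Usage (as the user that runs certbot), with [token] as on the page:
#   write_secret /etc/letsencrypt/.cloudflare_token "dns_cloudflare_api_token = [token]"
#   audit_secret /etc/letsencrypt/.cloudflare_token
```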

Configure LogRotate

Configure logrotate to rotate files within the /var/log/letsencrypt directory.

cat > /etc/logrotate.d/letsencrypt <<EOF
/var/log/letsencrypt/*.log {
    rotate 12
    weekly
    compress
    missingok
}
EOF

Generate Certificate

Certbot is now installed and ready for our first certificate. To request a certificate, run the following command, replacing the value of the -d option with your certificate’s domain and the value of -m with your contact email address.

certbot certonly \
--dns-cloudflare \
--dns-cloudflare-propagation-seconds 60 \
--dns-cloudflare-credentials /etc/letsencrypt/.cloudflare_token \
-d twobyte.blog \
-m [email] \
--non-interactive \
--agree-tos

View Certificate

The certificate can be found within /etc/letsencrypt/live/domain_name.

user@host:/$ ls /etc/letsencrypt/live/twobyte.blog/
README  cert.pem  chain.pem  fullchain.pem  privkey.pem
  • privkey.pem is the private key for your certificate.
  • cert.pem is your public certificate.
  • chain.pem contains any required intermediate certificate(s) associated with Let’s Encrypt.
  • fullchain.pem is your public certificate and the intermediate certificate(s) bundled together in one file.

To view the details of the certificate, use openssl.

openssl x509 -noout -text -in 'cert.pem'

Example of what you can expect:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            10:18:30:36:d0:e9:9a:e6:c9:ac:8b:f3:81:ab:2d:b2:e9:c0
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E6
        Validity
            Not Before: Mar  12 21:20:41 2025 GMT
            Not After : Jun  10 21:20:40 2025 GMT
        Subject: CN = twobyte.blog
        ...