certbot
Total installs: 1
Weekly installs: 1
Site rank: #47505
Install command:
npx skills add https://github.com/g1joshi/agent-skills --skill certbot
Agent install distribution: mcpjam 1, claude-code 1, replit 1, junie 1, zencoder 1
Skill documentation
Certbot
Certbot is a free, open-source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.
When to Use
- VPS Hosting: Running Nginx/Apache on a VM (EC2, DigitalOcean) and need SSL.
- Homelab: Securing local services exposed via DDNS.
- Wildcards: Issuing `*.example.com` certificates (requires a DNS plugin).
Quick Start (Nginx on Ubuntu)
```bash
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
# Auto-configure Nginx
sudo certbot --nginx
```
Core Concepts
ACME Protocol
Automatic Certificate Management Environment. The protocol Certbot uses to talk to the Let’s Encrypt CA.
Challenges
To prove you own the domain:
- HTTP-01: Certbot puts a file under `.well-known/acme-challenge/` (requires port 80 to be open).
- DNS-01: Certbot creates a TXT record (required for wildcards).
Renewal
Let’s Encrypt certs last 90 days. Certbot installs a timer (systemd) to check twice daily and renew any cert expiring in <30 days.
Best Practices (2025)
Do:
- Use DNS plugins: If using Cloudflare/Route53, use `certbot-dns-cloudflare`. It's robust and supports wildcards.
- Test with Staging: Use `--dry-run` or `--test-cert` to differentiate testing from production (rate limits apply).
- Reload Web Server: Ensure the renewal hook (`--deploy-hook`) reloads Nginx/Apache so it picks up the new cert.
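Putting the Quick Start and the three "Do" points together, the script below is an added example (not from this skill page or the Certbot project) of issuing a certificate the recommended way: rehearse against the staging CA with `--dry-run` (which does not save anything or count against production rate limits), and only if that succeeds issue the real certificate with a `--deploy-hook` that reloads Nginx. It assumes Nginx on Ubuntu with Certbot installed as in the Quick Start. The `EMAIL` default is a placeholder, and the `CERTBOT` variable exists only so the script can be exercised with a stub in place of the real binary.

```bash
#!/usr/bin/env bash
# Added example (not Certbot's own code): staging rehearsal, then
# production issuance with a web-server reload hook.
set -euo pipefail

CERTBOT="${CERTBOT:-certbot}"                         # overridable for testing with a stub
EMAIL="${EMAIL:-admin@example.com}"                   # placeholder; use a monitored contact address
DEPLOY_HOOK="${DEPLOY_HOOK:-systemctl reload nginx}"  # runs only after a cert is actually (re)issued

# issue_cert rehearse|prod DOMAIN...
# "rehearse" uses `certonly --dry-run`, which talks to the Let's Encrypt
# staging CA and saves nothing, so a typo in the domain list or a blocked
# port 80 is caught before the production rate limits are touched.
# "prod" runs the real `certbot --nginx`, which also edits the Nginx config.
issue_cert() {
    local mode="$1"; shift
    local args=(--nginx --non-interactive --agree-tos -m "$EMAIL" --deploy-hook "$DEPLOY_HOOK")
    local d
    for d in "$@"; do
        args+=(-d "$d")
    done
    case "$mode" in
        rehearse) "$CERTBOT" certonly --dry-run "${args[@]}" ;;
        prod)     "$CERTBOT" "${args[@]}" ;;
        *) echo "usage: issue_cert rehearse|prod DOMAIN..." >&2; return 2 ;;
    esac
}

# provision DOMAIN...: the rehearsal must succeed before the real run happens.
provision() {
    issue_cert rehearse "$@" && issue_cert prod "$@"
}

# rehearse_renewal: periodic sanity check that existing lineages still renew;
# `renew --dry-run` likewise goes to staging and saves nothing.
rehearse_renewal() {
    "$CERTBOT" renew --dry-run
}
```

Run it as `sudo ./provision.sh` after defining `provision example.com www.example.com` at the bottom, or source the file and call `provision` directly. Because the deploy hook is stored with the certificate lineage, the twice-daily systemd timer will reuse it on every future renewal without further configuration.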
Don’t:
- Don’t Run as Root (custom): The default runs as root, but for custom hooks, drop privileges if possible.
- Don’t Hardcode IP: ACME verification usually requires a Domain Name.
Troubleshooting
| Error | Cause | Solution |
|---|---|---|
| Timeout | Port 80 blocked. | Open the firewall/security group for port 80 (HTTP-01 challenge). |
| Rate Limit | Too many failures. | Wait 1 hour or use `--test-cert`. |