Table of Contents
- Getting Started
- Code components and layout
- Coding style
- Mypy type annotations
- Submitting a pull request
- Asking for help
- Building the Certbot and DNS plugin snaps
- Updating certbot-auto and letsencrypt-auto
- Updating the documentation
- Running the client with Docker
Certbot has the same system requirements when set up for development. While the section below will help you install Certbot and its dependencies, Certbot needs to be run on a UNIX-like OS so if you’re using Windows, you’ll need to set up a (virtual) machine running an OS such as Linux and continue with these instructions on that UNIX-like OS.
Running the client in developer mode from your local tree is a little different than running Certbot as a user. To get set up, clone our git repository by running:
git clone https://github.com/certbot/certbot
If you’re on macOS, we recommend you skip the rest of this section and instead run Certbot in Docker. You can find instructions for how to do this here. If you’re running on Linux, you can run the following commands to install dependencies and set up a virtual environment where you can run Certbot.
Install the OS system dependencies required to run Certbot.
# For APT-based distributions (e.g. Debian, Ubuntu ...) sudo apt update sudo apt install python3-dev python3-venv gcc libaugeas0 libssl-dev \ libffi-dev ca-certificates openssl # For RPM-based distributions (e.g. Fedora, CentOS ...) # NB1: old distributions will use yum instead of dnf # NB2: RHEL-based distributions use python3X-devel instead of python3-devel (e.g. python36-devel) sudo dnf install python3-devel gcc augeas-libs openssl-devel libffi-devel \ redhat-rpm-config ca-certificates openssl
Set up the Python virtual environment that will host your Certbot local instance.
cd certbot python tools/venv3.py
You may need to repeat this when Certbot’s dependencies change or when a new plugin is introduced.
You can now run the copy of Certbot from git either by executing
venv3/bin/certbot, or by activating the virtual environment. You can do the
latter by running:
After running this command,
certbot and development tools like
tox are available in the shell where you ran
the command. These tools are installed in the virtual environment and are kept
separate from your global Python installation. This works by setting
environment variables so the right executables are found and Python can pull in
the versions of various packages needed by Certbot. More information can be
found in the virtualenv docs.
You can find the open issues in the github issue tracker. Comparatively easy ones are marked good first issue. If you’re starting work on something, post a comment to let others know and seek feedback on your plan where appropriate.
Once you’ve got a working branch, you can open a pull request. All changes in your pull request must have thorough unit test coverage, pass our tests, and be compliant with the coding style.
You can test your code in several ways:
- running the automated unit tests,
- running the automated integration tests
- running an ad hoc manual integration test
When you are working in a file
foo.py, there should also be a file
either in the same directory as
foo.py or in the
(if there isn’t, make one). While you are working on your code and tests, run
python foo_test.py to run the relevant tests.
For debugging, we recommend putting
import ipdb; ipdb.set_trace() statements inside the source code.
Once you are done with your code changes, and the tests in
pass, run all of the unit tests for Certbot and check for coverage with
-e py3-cover. You should then check for code style with
tox -e lint (all
pylint --rcfile=.pylintrc path/to/file.py (single file at a
Once all of the above is successful, you may run the full test suite using
tox --skip-missing-interpreters. We recommend running the commands above
first, because running all tests like this is very slow, and the large amount
of output can make it hard to find specific failures when they happen.
The full test suite may attempt to modify your system’s Apache config if your user has sudo permissions, so it should not be run on a production Apache server.
Generally it is sufficient to open a pull request and let Github and Azure Pipelines run integration tests for you. However, you may want to run them locally before submitting your pull request. You need Docker and docker-compose installed and working.
The tox environment
integration will setup Pebble, the Let’s Encrypt ACME CA server
for integration testing, then launch the Certbot integration tests.
With a user allowed to access your local Docker daemon, run:
tox -e integration
Tests will be run using pytest. A test report and a code coverage report will be displayed at the end of the integration tests execution.
You can also manually execute Certbot against a local instance of the Pebble ACME server. This is useful to verify that the modifications done to the code makes Certbot behave as expected.
To do so you need:
- Docker installed, and a user with access to the Docker client,
- an available local copy of Certbot.
The virtual environment set up with
python tools/venv3.py contains two CLI tools
that can be used once the virtual environment is activated:
- Starts a local instance of Pebble and runs in the foreground printing its logs.
- Press CTRL+C to stop this instance.
- This instance is configured to validate challenges against certbot executed locally.
Some options are available to tweak the local ACME server. You can execute
run_acme_server --help to see the inline help of the
- Execute certbot with the provided arguments and other arguments useful for testing purposes, such as: verbose output, full tracebacks in case Certbot crashes, etc.
- Execution is preconfigured to interact with the Pebble CA started with
- Any arguments can be passed as they would be to Certbot (eg.
certbot_test certonly -d test.example.com).
Here is a typical workflow to verify that Certbot successfully issued a certificate using an HTTP-01 challenge on a machine with Python 3:
python tools/venv3.py source venv3/bin/activate run_acme_server & certbot_test certonly --standalone -d test.example.com # To stop Pebble, launch `fg` to get back the background job, then press CTRL+C
The following components of the Certbot repository are distributed to users:
- contains all protocol specific code
- main client code
- certbot-apache and certbot-nginx
- client code to configure specific web servers
- client code to configure DNS providers
- certbot-auto and letsencrypt-auto
- shell scripts to install Certbot and its dependencies on UNIX systems
- windows installer
- Installs Certbot on Windows and is built using the files in windows-installer/
Certbot has a plugin architecture to facilitate support for different webservers, other TLS servers, and operating systems. The interfaces available for plugins to implement are defined in interfaces.py and plugins/common.py.
The main two plugin interfaces are
implements various ways of proving domain control to a certificate authority,
IInstaller, which configures a server to use a
certificate once it is issued. Some plugins, like the built-in Apache and Nginx
plugins, implement both interfaces and perform both tasks. Others, like the
built-in Standalone authenticator, implement just one interface.
There are also
which can change how prompts are displayed to a user.
Authenticators are plugins that prove control of a domain name by solving a
challenge provided by the ACME server. ACME currently defines several types of
challenges: HTTP, TLS-ALPN, and DNS, represented by classes in
An authenticator plugin should implement support for at least one challenge type.
An Authenticator indicates which challenges it supports by implementing
get_chall_pref(domain) to return a sorted list of challenge types in
An Authenticator must also implement
perform(achalls), which “performs” a list
of challenges by, for instance, provisioning a file on an HTTP server, or
setting a TXT record in DNS. Once all challenges have succeeded or failed,
Certbot will call the plugin’s
cleanup(achalls) method to remove any files or
DNS records that were needed only during authentication.
Installers plugins exist to actually setup the certificate in a server,
possibly tweak the security configuration to make it more correct and secure
(Fix some mixed content problems, turn on HSTS, redirect to HTTPS, etc).
Installer plugins tell the main client about their abilities to do the latter
supported_enhancements() call. We currently
have two Installers in the tree, the
ApacheConfigurator. and the
NginxConfigurator. External projects have made some progress toward
support for IIS, Icecast and Plesk.
Installers and Authenticators will oftentimes be the same class/object (because for instance both tasks can be performed by a webserver like nginx) though this is not always the case (the standalone plugin is an authenticator that listens on port 80, but it cannot install certs; a postfix plugin would be an installer but not an authenticator).
Installers and Authenticators are kept separate because
it should be possible to use the
StandaloneAuthenticator (it sets
up its own Python server to perform challenges) with a program that
cannot solve challenges itself (Such as MTA installers).
There are a few existing classes that may be beneficial while
developing a new
Installers aimed to reconfigure UNIX servers may use Augeas for
configuration parsing and can inherit from
to handle much of the interface. Installers that are unable to use
Augeas may still find the
Reverter class helpful in handling
configuration checkpoints and rollback.
In the meantime, you’re welcome to release it as a third-party plugin. See certbot-dns-ispconfig for one example of that.
Certbot client supports dynamic discovery of plugins through the
setuptools entry points using the
certbot.plugins group. This
way you can, for example, create a custom implementation of
IAuthenticator or the
IInstaller without having to merge it
with the core upstream source code. An example is provided in
While developing, you can install your plugin into a Certbot development virtualenv like this:
. venv/bin/activate pip install -e examples/plugins/ certbot_test plugins
Your plugin should show up in the output of the last command. If not, it was not installed properly.
Once you’ve finished your plugin and published it, you can have your
users install it system-wide with
pip install. Note that this will
only work for users who have Certbot installed from OS packages or via
If you’d like your plugin to be used alongside the Certbot snap, you will also have to publish your plugin as a snap. Plugin snaps are regular confined snaps, but normally do not provide any “apps” themselves. Plugin snaps export loadable Python modules to the Certbot snap.
When the Certbot snap runs, it will use its version of Python and prefer Python modules contained in its own snap over modules contained in external snaps. This means that your snap doesn’t have to contain things like an extra copy of Python, Certbot, or their dependencies, but also that if you need a different version of a dependency than is already installed in the Certbot snap, the Certbot snap will have to be updated.
Certbot plugin snaps expose their Python modules to the Certbot snap via a
snap content interface where
certbot-1 is the value for the
attribute. The Certbot snap only uses this to find the names of connected
plugin snaps and it expects to find the Python modules to be loaded under
lib/python3.8/site-packages/ in the plugin snap. This location is the
default when using the
core20 base snap and the python snapcraft
The Certbot snap also provides a separate content interface which
you can use to get metadata about the Certbot snap using the
The script used to generate the snapcraft.yaml files for our own externally snapped plugins can be found at https://github.com/certbot/certbot/blob/master/tools/snap/generate_dnsplugins_snapcraft.sh.
For more information on building externally snapped plugins, see the section on Building the Certbot and DNS plugin snaps.
Once you have created your own snap, if you have the snap file locally, it can be installed for use with Certbot by running:
snap install --classic certbot snap set certbot trust-plugin-with-root=ok snap install --dangerous your-snap-filename.snap sudo snap connect certbot:plugin your-snap-name sudo /snap/bin/certbot plugins
If everything worked, the last command should list your plugin in the
list of plugins found by Certbot. Once your snap is published to the
snap store, it will be installable through the name of the snap on the
snap store without the
--dangerous flag. If you are also using
Certbot’s metadata interface, you can run
sudo snap connect
your-snap-name:your-plug-name-for-metadata certbot:certbot-metadata to
connect your snap to it.
Be consistent with the rest of the code.
def foo(arg): """Short description. :param int arg: Some number. :returns: Argument :rtype: int """ return arg
Remember to use
You may consider installing a plugin for editorconfig in your editor to prevent some linting warnings.
unittest.assertFalsewhen possible, and use
assertEqualor more specific assert. They give better messages when it’s failing, and are generally more correct.
Python’s standard library
os module lacks full support for several Windows
security features about file permissions (eg. DACLs). However several files
handled by Certbot (eg. private keys) need strongly restricted access
on both Linux and Windows.
To help with this, the
certbot.compat.os module wraps the standard
os module, and forbids usage of methods that lack support for these Windows
As a developer, when working on Certbot or its plugins, you must use
in every place you would need
from certbot.compat import os instead of
import os). Otherwise the tests will fail when your PR is submitted.
Certbot uses the mypy static type checker. Python 3 natively supports official type annotations, which can then be tested for consistency using mypy. Python 2 doesn’t, but type annotations can be added in comments. Mypy does some type checks even without type annotations; we can find bugs in Certbot even without a fully annotated codebase.
Certbot supports both Python 2 and 3, so we’re using Python 2-style annotations.
Zulip wrote a great guide to using mypy. It’s useful, but you don’t have to read the whole thing to start contributing to Certbot.
To run mypy on Certbot, use
tox -e mypy on a machine that has Python 3 installed.
Note that instead of just importing
typing, due to packaging issues, in Certbot we import from
acme.magic_typing and have to add some comments for pylint like this:
from acme.magic_typing import Dict
Also note that OpenSSL, which we rely on, has type definitions for crypto but not SSL. We use both. Those imports should look like this:
from OpenSSL import crypto from OpenSSL import SSL # type: ignore # https://github.com/python/typeshed/issues/2052
- Write your code! When doing this, you should add mypy type annotations for any functions you add or modify. You can check that
you’ve done this correctly by running
tox -e mypyon a machine that has Python 3 installed.
- Make sure your environment is set up properly and that you’re in your virtualenv. You can do this by following the instructions in the Getting Started section.
tox -e lintto check for pylint errors. Fix any errors.
tox --skip-missing-interpretersto run the entire test suite including coverage. The
--skip-missing-interpretersargument ignores missing versions of Python needed for running the tests. Fix any errors.
- Submit the PR. Once your PR is open, please do not force push to the branch containing your pull request to squash or amend commits. We use squash merges on PRs and rewriting commits makes changes harder to track between reviews.
- Did your tests pass on Azure Pipelines? If they didn’t, fix any errors.
If you have any questions while working on a Certbot issue, don’t hesitate to ask for help! You can do this in the Certbot channel in EFF’s Mattermost instance for its open source projects as described below.
Use of EFFOSCCP is subject to the EFF Code of Conduct. When investigating an alleged Code of Conduct violation, EFF may review discussion channels or direct messages.
Instructions for how to manually build and run the Certbot snap and the externally snapped DNS plugins that the Certbot project supplies are located in the README file at https://github.com/certbot/certbot/tree/master/tools/snap.
We are currently only accepting changes to certbot-auto that fix regressions on platforms where certbot-auto is the recommended installation method at https://certbot.eff.org/instructions. If you are unsure if a change you want to make qualifies, don’t hesitate to ask for help!
Developers should not modify the
in the root directory of the repository. Rather, modify the
letsencrypt-auto.template and associated platform-specific shell scripts in
letsencrypt-auto-source/pieces/bootstrappers directory, respectively.
Once changes to any of the aforementioned files have been made, the
letsencrypt-auto-source/letsencrypt-auto script should be updated. In lieu of
manually updating this script, run the build script, which lives at
build.py will update the
script. Note that the
letsencrypt-auto scripts in the root
directory of the repository will remain unchanged after this script is run.
Your changes will be propagated to these files during the next release of
When opening a PR, ensure that the following files are committed:
It might also be a good idea to double check that no changes were
inadvertently made to the
letsencrypt-auto scripts in the
root of the repository. These scripts will be updated by the core developers
during the next release.
Many of the packages in the Certbot repository have documentation in a
docs/ directory. This directory is located under the top level directory
for the package. For instance, Certbot’s documentation is under
To build the documentation of a package, make sure you have followed the
instructions to set up a local copy of Certbot including activating the
virtual environment. After that,
cd to the docs directory you want to build
and run the command:
make clean html
This would generate the HTML documentation in
_build/html in your current
You can use Docker Compose to quickly set up an environment for running and testing Certbot. To install Docker Compose, follow the instructions at https://docs.docker.com/compose/install/.
Linux users can simply run
pip install docker-compose to get
Docker Compose after installing Docker Engine and activating your shell as
described in the Getting Started section.
Now you can develop on your host machine, but run Certbot and test your changes
in Docker. When using
docker-compose make sure you are inside your clone of
the Certbot repository. As an example, you can run the following command to
check for linting errors:
docker-compose run --rm --service-ports development bash -c 'tox -e lint'
You can also leave a terminal open running a shell in the Docker container and modify Certbot code in another window. The Certbot repo on your host machine is mounted inside of the container so any changes you make immediately take effect. To do this, run:
docker-compose run --rm --service-ports development bash
Now running the check for linting errors described above is as easy as:
tox -e lint