a project of the Electronic Frontier Foundation

certbot instructions


Web Hosting Product on Windows

To use Certbot, you'll need...

comfort with the command line

Command Line (from our Certbot Glossary)

A command line is a way of interacting with a computer by typing text-based commands to it and receiving text-based replies. Certbot is run from a command-line interface, usually on a Unix-like server. In order to use Certbot for most purposes, you’ll need to be able to install and run it on the command line of your web server, which is usually accessed over SSH.
...and an HTTP website

HTTP (from our Certbot Glossary)

HTTP (Hypertext Transfer Protocol) is the traditional, but insecure, method for web browsers to request the content of web pages and other online resources from web servers. It is an Internet standard and normally used with TCP port 80. Almost all websites in the world support HTTP, but websites that have been configured with Certbot or some other method of setting up HTTPS may automatically redirect users from the HTTP version of the site to the HTTPS version.

that is already online

Website That’s Already Online (from our Certbot Glossary)

Certbot is usually meant to be used to switch an existing HTTP site to work in HTTPS (and, afterward, to continue renewing the site’s HTTPS certificates whenever necessary). Some Certbot documentation assumes or recommends that you have a working web site that can already be accessed using HTTP on port 80. That means, for example, that if you use a web browser to go to your domain using http://, your web server answers and some kind of content comes up (even if it’s just a default welcome page rather than the final version of your site). Some methods of using Certbot have this as a prerequisite, so you’ll have a smoother experience if you already have a site set up with HTTP. (If your site can’t be accessed this way as a matter of policy, you’ll probably need to use DNS validation in order to get a certificate with Certbot.)

with an open port 80

Port 80 (from our Certbot Glossary)

Different Internet services are distinguished by using different TCP port numbers. Unencrypted HTTP normally uses TCP port 80, while encrypted HTTPS normally uses TCP port 443. To use certbot --webroot, certbot --apache, or certbot --nginx, you should have an existing HTTP website that’s already online hosted on the server where you’re going to use Certbot. This site should be available to the rest of the Internet on port 80. To use certbot --standalone, you don’t need an existing site, but you have to make sure connections to port 80 on your server are not blocked by a firewall, including a firewall that may be run by your Internet service provider or web hosting provider. Please check with your ISP or hosting provider if you’re not sure. (Using DNS validation does not require Let’s Encrypt to make any inbound connection to your server, so with this method in particular it’s not necessary to have an existing HTTP website or the ability to receive connections on port 80.)
...which is hosted on a server

Server (from our Certbot Glossary)

A server is a computer on the Internet that provides a service, like a web site or an email service. Most web site owners pay a hosting provider for the use of a server located in a data center and administered over the Internet. This might be a physical dedicated server, a virtual private server (VPS), or a shared server. Other servers provide other parts of the Internet infrastructure, such as DNS servers.

which you can access via SSH

SSH (from our Certbot Glossary)

SSH (which stands for “secure shell”) is a technology for connecting to a remote server and accessing a command line on that server, often in order to administer it. The administrator of a server can grant SSH access to others, and can also use SSH access directly in order to administer the server remotely. SSH is usually used to access servers running Unix-like operating systems, but your own computer doesn’t have to be running Unix in order to use SSH. You normally use SSH from your computer’s command line in a terminal by typing a command such as ssh username@example.com, especially if your own computer runs Linux or macOS. After logging in, you’ll have access to the server’s command line. If you use Windows on your computer, you might also use a dedicated SSH application such as PuTTY. Most Certbot users run Certbot from a command prompt on a remote server over SSH.

with the ability to sudo

sudo (from our Certbot Glossary)

Sudo is the most common command on Unix-like operating systems to run a specific command as root (the system administrator). If you’re logged in to your server as a user other than root, you’ll likely need to put sudo before your Certbot commands so that they run as root (for example, sudo certbot instead of just certbot), especially if you’re using Certbot’s integration with a web server like Apache or Nginx. (The certbot-auto script automatically runs sudo if it’s necessary and you didn’t specify it.)

optional if you want a wildcard cert:

Wildcard Certificate (from our Certbot Glossary)

A wildcard certificate is a certificate that covers one or more names starting with *. and that will be accepted by a web browser for any subdomain name with any label in place of the * character. For example, a certificate for *.example.com will be valid for www.example.com, mail.example.com, hello.example.com, or goodbye.example.com, but not for example.com.
DNS credentials

DNS Credentials (from our Certbot Glossary)

DNS credentials are a password or other kind of secret (such as an API key) that your DNS provider lets you use to change the contents of your DNS records. They are usually issued by your domain registrar (or by another DNS provider, if your DNS provider isn’t the same as your registrar). DNS credentials are a sensitive kind of secret because they can be used to take over your site completely. You should never share these credentials publicly or with an unauthorized person. It can be OK to provide a copy of them to Certbot to let it perform DNS validation automatically, since it runs locally on your machine.
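The single-label wildcard rule from the Wildcard Certificate glossary entry above, as an added PowerShell example that is not part of the Certbot page or project: the Test-CertNameMatch function and the hostnames it is run against are constructed here to show which names *.example.com does and does not cover.

```powershell
# Added example (not from the Certbot page): decide whether a hostname is
# covered by a certificate name, applying the glossary's rule that "*" stands
# for exactly one label: "*.example.com" covers "www.example.com" but not
# "example.com", and not "a.b.example.com" either (that would be two labels).
function Test-CertNameMatch {
    param(
        [Parameter(Mandatory)] [string] $CertName,   # e.g. "*.example.com" or "www.example.com"
        [Parameter(Mandatory)] [string] $HostName    # name the browser connected to
    )
    # DNS names are case-insensitive; drop a trailing dot from FQDN form.
    $cn = $CertName.ToLowerInvariant().TrimEnd('.')
    $hn = $HostName.ToLowerInvariant().TrimEnd('.')

    if (-not $cn.StartsWith('*.')) {
        # Plain name: exact match only.
        return ($cn -eq $hn)
    }

    # Wildcard name: everything after "*." must equal the host minus its first label.
    $suffix = $cn.Substring(2)
    $labels = $hn.Split('.')
    if ($labels.Count -lt 2) { return $false }
    $firstLabel = $labels[0]
    $rest = ($labels | Select-Object -Skip 1) -join '.'

    # The wildcard must be replaced by one non-empty label.
    if ([string]::IsNullOrEmpty($firstLabel)) { return $false }
    return ($rest -eq $suffix)
}

# Constructed checks mirroring the glossary's examples plus the two
# edge cases (bare domain, two-level subdomain) that are not covered.
foreach ($h in 'www.example.com', 'mail.example.com', 'example.com', 'a.b.example.com') {
    '{0,-20} covered by *.example.com: {1}' -f $h, (Test-CertNameMatch -CertName '*.example.com' -HostName $h)
}
```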

Don't have these requirements?

Not to worry! Some hosting providers automate the HTTPS process. See the full list of hosting providers, or find out more about how to set up your system.


    Windows installation procedure

    Certbot is now officially available for Windows. If you find that Certbot is not the most suitable Let's Encrypt client application for your use case, there are many other clients written by other organizations and developers that you may be able to use to obtain a certificate from Let's Encrypt.

    1. Important notes

      This procedure follows the current Certbot implementation for Windows, in particular the fact that it installs as a system component, and requires administrative privileges. These instructions will be updated when a future version of Certbot switches to a different installation method. No installers for HTTP servers are supported for now (Certbot for Windows can currently obtain your certificate from Let's Encrypt, but not install it into your web server application).

    2. Specific Windows system requirements and user knowledge requirements

      • The user needs to be familiar with the command-line interface (CLI), because Certbot is a pure CLI program.
      • The user must use an account with administrative privileges to install and run Certbot.
      • PowerShell and CMD.EXE are supported; both need to be started with elevated privileges before invoking Certbot.
      • Path C:\Certbot must be writable by the current user.

    3. Specific Windows limitations and configuration

      • All usual operations to create and manage an account, manage existing certificates, or select the ACME server, are supported.
      • Only standalone, manual and webroot authenticator plugins are supported. DNS plugins will be available soon. This means that Certbot for Windows is currently unable to automatically renew wildcard certificates, since these require a DNS plugin in order to be renewed without user intervention.
      • No installer plugins are supported. The Apache and Nginx plugins will be available soon, and a plugin to install certificates into IIS is under development.
      • Automated certificate renewals (using standalone and webroot plugins) are supported.

    4. Installation instructions (default)

      1. Connect to the server.
         • Connect locally or remotely (using Remote Desktop) to the server using an account that has administrative privileges for this machine.
      2. Install Certbot.
         • Download the latest version of the Certbot installer for Windows at https://dl.eff.org/certbot-beta-installer-win32.exe.
         • Run the installer and follow the wizard. The installer will propose a default installation directory, C:\Program Files (x86), that can be customized.
         • To start a shell for Certbot, select the Start menu, enter cmd (to run CMD.EXE) or powershell (to run PowerShell), and click on “Run as administrator” in the contextual menu that shows up above.
      3. Run Certbot as a shell command.

      To run a command on Certbot, enter the name certbot in the shell, followed by the command and its parameters. For instance, to display the inline help, run:

      C:\WINDOWS\system32> certbot --help

    5. Choose how you’d like to run Certbot

      Are you ok with temporarily stopping your website?

      Yes, my web server is not currently running on this machine.

      Stop your webserver, then run this command to get a certificate. Certbot will temporarily spin up a webserver on your machine.

      C:\WINDOWS\system32> certbot certonly --standalone

      No, I need to keep my web server running.

      If you have a webserver that's already using port 80 and don't want to stop it while Certbot runs, run this command and follow the instructions in the terminal.

      C:\WINDOWS\system32> certbot certonly --webroot

    6. Install your certificate

      You'll need to install your new certificate in the configuration file or interface for your webserver. Certificates are located in C:\Certbot\live\[certificate_name], where [certificate_name] is the name of your certificate (usually the first domain if the --cert-name flag has not been used on the certonly command). Currently, Certbot for Windows cannot automate the installation step; future versions will be able to automate it for specific webserver applications.

    7. Test automatic renewal

      The Certbot installation on your system comes with a pre-installed Scheduled Task that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running the command

      C:\WINDOWS\system32> certbot renew --dry-run

      If you needed to stop your webserver to run Certbot (for example, if you used the standalone authenticator on a machine where port 80 is normally in use), you'll want to edit the built-in command to add the --pre-hook and --post-hook flags to stop and start your webserver automatically. For example, if your webserver is Apache 2.4, add the following to the certbot renew command:

      --pre-hook "net stop Apache2.4" --post-hook "net start Apache2.4"

      More information is available in the Certbot documentation on renewing certificates.
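An added example, not code from the Certbot page or project, that checks the renewal setup described in sections 4 to 7 from an elevated PowerShell prompt: it lists the scheduled task Certbot installed, runs the dry-run renewal with the Apache 2.4 stop/start hooks shown above, and reports how many days the issued certificate has left. Assumptions: certbot is on the PATH, the Apache service is named Apache2.4 as on this page, the scheduled task name contains "Certbot", and yourwebsite.com is a placeholder for your certificate name under C:\Certbot\live.

```powershell
# Added example (not from the Certbot page): verify renewal on Windows.
$CertName = 'yourwebsite.com'   # placeholder: replace with your certificate (lineage) name
$CertFile = "C:\Certbot\live\$CertName\cert.pem"
$PreHook  = 'net stop Apache2.4'    # service name taken from the page's hook example
$PostHook = 'net start Apache2.4'

# 1. Show the scheduled task so you can see the command the hooks must be added to.
#    The "*Certbot*" task-name pattern is an assumption; adjust it if yours differs.
$tasks = @(Get-ScheduledTask -TaskName '*Certbot*' -ErrorAction SilentlyContinue)
if ($tasks.Count -eq 0) {
    Write-Warning 'No scheduled task matching *Certbot* was found; automatic renewal may not be set up.'
}
foreach ($t in $tasks) {
    foreach ($a in $t.Actions) {
        "Task '$($t.TaskName)' runs: $($a.Execute) $($a.Arguments)"
    }
}

# 2. Dry-run the renewal with the stop/start hooks recommended for the standalone
#    authenticator. A non-zero exit code means the real renewal would fail too.
& certbot renew --dry-run --pre-hook $PreHook --post-hook $PostHook
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certbot renew --dry-run failed with exit code $LASTEXITCODE"
}

# 3. Parse the issued certificate and report its remaining lifetime. A renewal
#    that silently fails shows up here as a steadily shrinking number of days.
if (Test-Path -LiteralPath $CertFile) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    "Subject: $($cert.Subject)"
    "Expires: $($cert.NotAfter) ($daysLeft days left)"
    if ($daysLeft -lt 30) {
        Write-Warning "Certificate expires in $daysLeft days; check the renewal task and hooks."
    }
} else {
    Write-Warning "No certificate found at $CertFile; check the certificate name."
}
```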

    8. Confirm that Certbot worked

      To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar. If you want to check that you have the top-of-the-line installation, you can head to https://www.ssllabs.com/ssltest/.

    9. Note for Windows Apache or Nginx users

      As described in section 5 above, Certbot for Windows currently cannot install the certificate in Apache or Nginx for you. As of the most recent release, you will have to edit your web server application’s configuration to install the certificate yourself after Certbot has obtained it. If this limitation is acceptable to you, please start from the beginning of this document to learn more about installing and using Certbot on Windows.
