About Certbot
What’s Certbot?
Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.
Certbot is made by the Electronic Frontier Foundation (EFF), a 501(c)3 nonprofit based in San Francisco, CA, that defends digital privacy, free speech, and innovation.
Is Certbot right for me?
If you’re looking to add the security and privacy benefits of an HTTPS certificate to your website, you may not need Certbot. Many hosting providers have internal tools to enable HTTPS. Before using Certbot, check if your hosting provider is one of them.
Certbot might be right for you if you:
- have comfort with the command line
A command line is a way of interacting with a computer by typing text-based commands to it and receiving text-based replies. Certbot is run from a command-line interface, usually on a Unix-like server. In order to use Certbot for most purposes, you’ll need to be able to install and run it on the command line of your web server, which is usually accessed over SSH.
A command line is a way of interacting with a computer by typing text-based commands to it and recei...
command line,Command LineA command line is a way of interacting with a computer by typing text-based commands to it and receiving text-based replies. Certbot is run from a command-line interface, usually on a Unix-like server. In order to use Certbot for most purposes, you’ll need to be able to install and run it on the command line of your web server, which is usually accessed over SSH.
- have an HTTP website that’s already online
Certbot is usually meant to be used to switch an existing HTTP site to work in HTTPS (and, afterward, to continue renewing the site’s HTTPS certificates whenever necessary). Some Certbot documentation assumes or recommends that you have a working web site that can already be accessed using HTTP on port 80. That means, for example, that if you use a web browser to go to your domain using http://, your web server answers and some kind of content comes up (even if it’s just a default welcome page rather than the final version of your site). Some methods of using Certbot have this as a prerequisite, so you’ll have a smoother experience if you already have a site set up with HTTP. (If your site can’t be accessed this way as a matter of policy, you’ll probably need to use DNS validation in order to get a certificate with Certbot.)
Certbot is usually meant to be used to switch an existing HTTP site to work in HTTPS (and, afterward...
an HTTP website that’s already online, withWebsite That’s Already OnlineCertbot is usually meant to be used to switch an existing HTTP site to work in HTTPS (and, afterward, to continue renewing the site’s HTTPS certificates whenever necessary). Some Certbot documentation assumes or recommends that you have a working web site that can already be accessed using HTTP on port 80. That means, for example, that if you use a web browser to go to your domain using http://, your web server answers and some kind of content comes up (even if it’s just a default welcome page rather than the final version of your site). Some methods of using Certbot have this as a prerequisite, so you’ll have a smoother experience if you already have a site set up with HTTP. (If your site can’t be accessed this way as a matter of policy, you’ll probably need to use DNS validation in order to get a certificate with Certbot.)
port 80 openDifferent Internet services are distinguished by using different TCP port numbers. Unencrypted HTTP normally uses TCP port 80, while encrypted HTTPS normally uses TCP port 443. To use certbot --webroot, certbot --apache, or certbot --nginx, you should have an existing HTTP website that’s already online hosted on the server where you’re going to use Certbot. This site should be available to the rest of the Internet on port 80. To use certbot --standalone, you don’t need an existing site, but you have to make sure connections to port 80 on your server are not blocked by a firewall, including a firewall that may be run by your Internet service provider or web hosting provider. Please check with your ISP or hosting provider if you’re not sure. (Using DNS validation does not require Let’s Encrypt to make any inbound connection to your server, so with this method in particular it’s not necessary to have an existing HTTP website or the ability to receive connections on port 80.)
Different Internet services are distinguished by using different TCP port numbers. Unencrypted HTTP ...
port 80 open,Port 80Different Internet services are distinguished by using different TCP port numbers. Unencrypted HTTP normally uses TCP port 80, while encrypted HTTPS normally uses TCP port 443. To use certbot --webroot, certbot --apache, or certbot --nginx, you should have an existing HTTP website that’s already online hosted on the server where you’re going to use Certbot. This site should be available to the rest of the Internet on port 80. To use certbot --standalone, you don’t need an existing site, but you have to make sure connections to port 80 on your server are not blocked by a firewall, including a firewall that may be run by your Internet service provider or web hosting provider. Please check with your ISP or hosting provider if you’re not sure. (Using DNS validation does not require Let’s Encrypt to make any inbound connection to your server, so with this method in particular it’s not necessary to have an existing HTTP website or the ability to receive connections on port 80.)
- and administer your website via a dedicated server
A dedicated server is a server that only hosts the contents or services for a single website administrator.
A dedicated server is a server that only hosts the contents or services for a single website adminis...
dedicated server,Server - Dedicated ServerA dedicated server is a server that only hosts the contents or services for a single website administrator.
virtual private serverA virtual private server is a complete server environment within which the customer can control the entire operating system and software environment. That allows the customer to be the system administrator for this server environment. This is the second-most common kind of web hosting environment (following shared hosting), and is offered by major providers like Amazon AWS, Azure, DigitalOcean, and Linode, among others. Most successful Certbot users are running Certbot in a VPS environment.
A virtual private server is a complete server environment within which the customer can control the ...
virtual private server, orServer - Virtual Private Server (VPS)A virtual private server is a complete server environment within which the customer can control the entire operating system and software environment. That allows the customer to be the system administrator for this server environment. This is the second-most common kind of web hosting environment (following shared hosting), and is offered by major providers like Amazon AWS, Azure, DigitalOcean, and Linode, among others. Most successful Certbot users are running Certbot in a VPS environment.
cloud-hosted serverCloud hosting can refer to any situation in which your web site is hosted using someone else's infrastructure, typically on servers belonging to a web hosting company. This could be contrasted with a web site that's hosted on your own personal server, such as a physical machine running in your home.
Cloud hosting can refer to any situation in which your web site is hosted using someone else's infra...
cloud-hosted server, which you can access viaCloud HostingCloud hosting can refer to any situation in which your web site is hosted using someone else's infrastructure, typically on servers belonging to a web hosting company. This could be contrasted with a web site that's hosted on your own personal server, such as a physical machine running in your home.
sshSSH (which stands for “secure shell”) is a technology for connecting to a remote server and accessing a command line on that server, often in order to administer it. The administrator of a server can grant SSH access to others, and can also use SSH access directly in order to administer the server remotely. SSH is usually used to access servers running Unix-like operating systems, but your own computer doesn’t have to be running Unix in order to use SSH. You normally use SSH from your computer’s command line in a terminal by typing a command such as ssh username@example.com, especially if your own computer runs Linux or macOS. After logging in, you’ll have access to the server’s command line. If you use Windows on your computer, you might also use a dedicated SSH application such as PuTTY. Most Certbot users run Certbot from a command prompt on a remote server over SSH.
SSH (which stands for “secure shell”) is a technology for connecting to a remote server and accessin...
ssh, and have the ability toSSHSSH (which stands for “secure shell”) is a technology for connecting to a remote server and accessing a command line on that server, often in order to administer it. The administrator of a server can grant SSH access to others, and can also use SSH access directly in order to administer the server remotely. SSH is usually used to access servers running Unix-like operating systems, but your own computer doesn’t have to be running Unix in order to use SSH. You normally use SSH from your computer’s command line in a terminal by typing a command such as ssh username@example.com, especially if your own computer runs Linux or macOS. After logging in, you’ll have access to the server’s command line. If you use Windows on your computer, you might also use a dedicated SSH application such as PuTTY. Most Certbot users run Certbot from a command prompt on a remote server over SSH.
sudoSudo is the most common command on Unix-like operating systems to run a specific command as root (the system administrator). If you’re logged in to your server as a user other than root, you’ll likely need to put sudo before your Certbot commands so that they run as root (for example, sudo certbot instead of just certbot), especially if you’re using Certbot’s integration with a web server like Apache or Nginx. (The certbot-auto script automatically runs sudo if it’s necessary and you didn’t specify it.)
Sudo is the most common command on Unix-like operating systems to run a specific command as root (th...
sudo.sudoSudo is the most common command on Unix-like operating systems to run a specific command as root (the system administrator). If you’re logged in to your server as a user other than root, you’ll likely need to put sudo before your Certbot commands so that they run as root (for example, sudo certbot instead of just certbot), especially if you’re using Certbot’s integration with a web server like Apache or Nginx. (The certbot-auto script automatically runs sudo if it’s necessary and you didn’t specify it.)
If you’re ready to use Certbot, we provide customized instructions for your setup at the Certbot Instructions page.
Certbot renews certificates every 60 days. For more information about how Certbot works and for community managed resources, check out our Get Help page.
For more information around the codebase for Certbot and how to get involved as a developer, check out our Contribute to Certbot page.
Certbot is part of EFF’s larger effort to encrypt the entire Internet. Websites need to use HTTPS to secure the web. Along with HTTPS Everywhere, Certbot aims to build a network that is more structurally private, safe, and protected against censorship.
Certbot is the work of many authors, including a team of EFF staff and numerous open source contributors.
For more information about privacy practices, check out Certbot’s privacy policy.
Want to keep this project (and other EFF projects) alive? Donate here.