
Learn how to manage SSL certificates using Certbot and Let’s Encrypt on your server. This step-by-step guide covers installation, certificate issuance, expiration checks, and auto-renewal setup, with real-world examples from a DigitalOcean droplet.

Managing SSL Certificates with Certbot and Let’s Encrypt: A Step-by-Step Guide

Securing your website with HTTPS is non-negotiable today, and Let’s Encrypt makes it free and easy with their SSL certificates. Pair that with Certbot, an automation tool, and you’ve got a powerful combo to manage certificates on your server. In this post, I’ll walk you through the entire process—from installing Certbot to checking and renewing certificates—based on my own experience on a DigitalOcean droplet. Whether you’re a beginner or just need a refresher, this guide has you covered.

What Are Certbot and Let’s Encrypt?

Let’s Encrypt is a free, open certificate authority (CA) that issues SSL/TLS certificates valid for 90 days. Certbot is the client software that interacts with Let’s Encrypt to obtain, install, and renew these certificates automatically. Together, they simplify HTTPS setup for servers running web software like Nginx or Apache.

Step 1: Installing Certbot

First, you need Certbot on your server. I’m using Ubuntu on a DigitalOcean droplet, so here’s how I installed it:

sudo apt update
sudo apt install certbot python3-certbot-nginx

The python3-certbot-nginx package is for Nginx integration (use python3-certbot-apache for Apache). Verify installation with:

certbot --version

Mine returned certbot 2.9.0. If it isn’t installed, the command fails and Ubuntu suggests how to install it.

Step 2: Obtaining Your First Certificate

With Certbot installed, getting a certificate is straightforward. For my domain example.com, I ran:

sudo certbot --nginx -d example.com -d www.example.com

  • --nginx: uses the Nginx plugin to answer the challenge and then edits the matching server block to point at the new certificate.
  • -d: specifies the domains to include (I added www too).

Certbot answers the HTTP-01 challenge on port 80 and stores the certificate under /etc/letsencrypt/live/example.com/. You’ll see fullchain.pem (the certificate plus the intermediate chain, which is what the web server should serve) and privkey.pem (the private key, which must never leave the server).

Step 3: Checking Certificate Locations

Certificates live in /etc/letsencrypt/live/. List them with:

sudo ls -l /etc/letsencrypt/live/

My output showed:

drwxr-xr-x 2 root root 4096 Jan 30 14:05 example.com
drwxr-xr-x 2 root root 4096 Dec  2 10:41 example.com-0001
drwxr-xr-x 2 root root 4096 Feb  1 10:57 neotec.blog

Each folder is one certificate lineage (the files inside are symlinks to the current versions under /etc/letsencrypt/archive/). Certbot adds a suffix such as -0001 when it issues a certificate whose name is already taken by another lineage, which usually means a duplicate for the same domain—something to investigate.

Step 4: Checking Expiration Dates

To see when certificates expire, use OpenSSL:

sudo openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -enddate -noout

My results:

  • example.com: notAfter=Apr 30 13:07:04 2025 GMT
  • example.com-0001: notAfter=Mar 2 09:43:02 2025 GMT
  • neotec.blog: notAfter=May 2 09:59:02 2025 GMT

example.com-0001 was expiring soon, so I prioritized it.
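Running that openssl command by hand for every folder gets old fast. Here is a small script, added here as an example and not part of the original post, that walks every lineage under /etc/letsencrypt/live/ and flags anything with fewer than 30 days left, using openssl x509 -checkend instead of parsing dates. It assumes openssl is on the PATH and that you run it with sudo so it can read the certificates; the live directory and the day threshold are the only inputs.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): scan every lineage under
# /etc/letsencrypt/live and flag certificates that expire within a threshold.
# Assumes: openssl on PATH and read access to the live directory (run with sudo).
set -u

# Return 0 (true) if the certificate in $1 expires within $2 days.
# `openssl x509 -checkend N` exits 0 when the cert is still valid N seconds
# from now and 1 when it will have expired, so the result is inverted here.
will_expire_within() {
  local cert="$1" days="$2"
  [ -r "$cert" ] || return 0            # missing or unreadable: treat as a problem
  if openssl x509 -checkend "$(( days * 86400 ))" -noout -in "$cert" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Print the notAfter date of a certificate (same data as the post's command).
cert_end_date() {
  openssl x509 -in "$1" -enddate -noout 2>/dev/null | sed 's/^notAfter=//' \
    || echo "unreadable"
}

# Walk a live directory and print one line per lineage:
#   OK   <lineage>  <notAfter>
#   WARN <lineage>  <notAfter>   (expires within the threshold, default 30 days)
scan_live_dir() {
  local live_dir="$1" threshold="${2:-30}" name cert
  for cert in "$live_dir"/*/fullchain.pem; do
    [ -e "$cert" ] || continue          # glob matched nothing: no lineages
    name=$(basename "$(dirname "$cert")")
    if will_expire_within "$cert" "$threshold"; then
      printf 'WARN %-28s %s\n' "$name" "$(cert_end_date "$cert")"
    else
      printf 'OK   %-28s %s\n' "$name" "$(cert_end_date "$cert")"
    fi
  done
}

# Usage on the server (only runs when invoked as a script with --run):
if [ "${1:-}" = "--run" ]; then
  scan_live_dir "${2:-/etc/letsencrypt/live}" "${3:-30}"
fi
```

Anything printed as WARN is a lineage whose renewal you should check right away; on a healthy server with the timer running, nothing should get that close to expiry.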

Step 5: Verifying Auto-Renewal

Certbot replaces a certificate once it is within 30 days of expiry, but only if something actually runs certbot renew on a schedule, so you need to confirm that automation is in place. Check the systemd timer:

sudo systemctl status certbot.timer

Mine was Active: active (waiting), running twice daily. See the schedule:

systemctl list-timers | grep certbot

Test renewal with a dry run:

sudo certbot renew --dry-run

My first run failed for example.com-0001 because it used the manual plugin (DNS-01 challenge), incompatible with automation without a script.

Step 6: Fixing Renewal Issues

For example.com-0001, I switched it to Nginx:

sudo certbot certonly --nginx -d example.com --cert-name example.com-0001 --force-renewal

This dropped the wildcard (*.example.com), since the HTTP-01 challenge cannot validate wildcard names, but it enabled auto-renewal. New expiry: May 22, 2025. Check the updated config:

sudo cat /etc/letsencrypt/renewal/example.com-0001.conf

Look for authenticator = nginx.
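Rather than cat-ing each renewal file and eyeballing the authenticator line, you can audit the whole directory at once. The script below is an added example, not part of the original post, and it reports every lineage that certbot renew cannot handle unattended: a manual authenticator with no manual_auth_hook set in the [renewalparams] section. It assumes the key = value layout Certbot writes to /etc/letsencrypt/renewal/*.conf and the manual_auth_hook key name Certbot uses for hook scripts.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit /etc/letsencrypt/renewal/*.conf
# and report lineages that `certbot renew` cannot renew without a person present.
# Assumes: Certbot's renewal conf layout (key = value lines under [renewalparams])
# and that hook scripts are recorded under the manual_auth_hook key.
set -u

# Print the value of one key from the [renewalparams] section of a renewal conf,
# or nothing if the key is absent. Values are everything after "= ".
renewal_param() {
  local conf="$1" key="$2"
  awk -v key="$key" '
    /^\[renewalparams\]/ { in_section = 1; next }
    /^\[/                { in_section = 0 }
    in_section && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$conf"
}

# Classify a single renewal conf and print one status line:
#   AUTO    <lineage>  authenticator=<plugin>      renews unattended
#   HOOKED  <lineage>  manual plugin with a hook   renews if the hook script works
#   MANUAL  <lineage>  manual plugin, no hook      certbot renew will fail
#   UNKNOWN <lineage>  no authenticator recorded   inspect by hand
audit_renewal_conf() {
  local conf="$1" lineage auth hook
  lineage=$(basename "$conf" .conf)
  auth=$(renewal_param "$conf" authenticator)
  hook=$(renewal_param "$conf" manual_auth_hook)
  case "$auth" in
    manual)
      if [ -n "$hook" ]; then
        printf 'HOOKED  %-24s manual plugin with auth hook %s\n' "$lineage" "$hook"
      else
        printf 'MANUAL  %-24s manual plugin without a hook: certbot renew will fail\n' "$lineage"
      fi ;;
    "")
      printf 'UNKNOWN %-24s no authenticator recorded\n' "$lineage" ;;
    *)
      printf 'AUTO    %-24s authenticator=%s\n' "$lineage" "$auth" ;;
  esac
}

# Audit every conf in a renewal directory (default: Certbot's standard path).
audit_renewal_dir() {
  local dir="${1:-/etc/letsencrypt/renewal}" conf
  for conf in "$dir"/*.conf; do
    [ -e "$conf" ] || continue          # glob matched nothing
    audit_renewal_conf "$conf"
  done
}

# Usage on the server (only runs when invoked as a script with --run):
if [ "${1:-}" = "--run" ]; then
  audit_renewal_dir "${2:-/etc/letsencrypt/renewal}"
fi
```

Every MANUAL line is a lineage that will fail the dry run exactly the way example.com-0001 did for me, so fix those first, either by reissuing with the Nginx plugin as above or by adding a DNS hook script for the manual plugin.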

Step 7: Validating Nginx Config

Ensure Nginx uses the right certs:

sudo nginx -T | grep -i ssl_certificate

My output showed all three certs. I checked domains with:

curl -Iv https://example.com

If you have duplicates (like my two example.com certs), consolidate by editing the Nginx configs so every server block points at one lineage, confirm with nginx -T that the extra lineage’s paths are no longer referenced, and then delete it:

sudo certbot delete --cert-name example.com-0001
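Grepping nginx -T tells you which files Nginx loads, but not whether each certificate actually belongs to the key next to it, which is the mistake that slips in when you consolidate lineages by hand. The following script, an added example rather than anything from the original post, reads nginx -T output from stdin, pairs each ssl_certificate with the ssl_certificate_key that follows it (the order Certbot writes them in), and checks that the public key in the certificate matches the private key. It assumes openssl is on the PATH and that the paths in the config are readable by whoever runs it, hence the sudo.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): confirm that every certificate
# Nginx is configured to serve is paired with its own private key.
# Assumes: `nginx -T` output on stdin, Certbot-style configs where ssl_certificate
# precedes ssl_certificate_key inside each server block, and openssl on PATH.
set -u

# Read nginx -T text on stdin and print "cert key" pairs, one per line.
# Directives may carry trailing comments such as "# managed by Certbot",
# so only the second field (the path, minus its ';') is kept.
ssl_pairs() {
  awk '
    $1 == "ssl_certificate"     { cert = $2; sub(/;$/, "", cert) }
    $1 == "ssl_certificate_key" { key = $2;  sub(/;$/, "", key); print cert, key; cert = "" }
  '
}

# Return 0 if the public key inside certificate $1 matches private key $2.
# Both openssl commands print the SubjectPublicKeyInfo as PEM, so a plain string
# comparison works for RSA and ECDSA keys alike.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check every pair found in nginx -T output; prints one status line per pair:
#   OK       <cert>
#   MISMATCH <cert> does not match <key>
#   MISSING  <cert> / <key>        (a path Nginx references that does not exist)
check_nginx_tls() {
  local cert key
  ssl_pairs | while read -r cert key; do
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
      printf 'MISSING  %s / %s\n' "$cert" "$key"
    elif cert_matches_key "$cert" "$key"; then
      printf 'OK       %s\n' "$cert"
    else
      printf 'MISMATCH %s does not match %s\n' "$cert" "$key"
    fi
  done
}

# Usage on the server:
#   sudo nginx -T 2>/dev/null | check_nginx_tls
```

A MISSING line after you have run certbot delete means a server block still referenced the removed lineage, and Nginx will refuse to reload until you fix it; a MISMATCH means the cert and key lines were edited independently and TLS handshakes for that host will fail.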

Tips and Troubleshooting

  • Port 80: must be open for HTTP-01 challenges (sudo ufw allow 80).
  • Wildcards: need DNS-01, either with a manual setup (e.g., --manual --preferred-challenges dns) or with a DNS plugin for your provider so renewal can run unattended.
  • Logs: check /var/log/letsencrypt/letsencrypt.log for errors.

Conclusion

Certbot and Let’s Encrypt make SSL management a breeze once you grasp the process. Install it, issue certs, check expirations, and ensure auto-renewal—you’re set. My server now runs smoothly with HTTPS, and this post is my cheat sheet for next time. Hope it helps you too!
