Server & DevOps · November 12, 2025 · 7 min read

Automated SSL Certificate Management with Certbot

Automate SSL certificate issuance and renewal with Certbot and Let's Encrypt for Nginx and Apache servers, including wildcard certificates and DNS-01 challenges.

Introduction

Manual SSL certificate management is error-prone and a common cause of unexpected downtime. Expired certificates break user trust, trigger browser warnings, and can take down entire services. Certbot automates the entire lifecycle — from issuance to renewal — using the free Let's Encrypt certificate authority.

This guide covers Certbot installation, automatic Nginx and Apache configuration, wildcard certificates via DNS-01 challenges, and renewal automation.

Installing Certbot

sudo apt update
sudo apt install -y certbot

# For Nginx
sudo apt install -y python3-certbot-nginx

# For Apache
sudo apt install -y python3-certbot-apache

Obtaining Certificates for Nginx

# Interactive mode (auto-configures Nginx)
sudo certbot --nginx -d example.com -d www.example.com

# Non-interactive mode for automation
sudo certbot --nginx --non-interactive --agree-tos \
  --email admin@example.com \
  -d example.com -d www.example.com

Certbot automatically modifies your Nginx server block to include the SSL certificate paths and redirects HTTP to HTTPS.

Wildcard Certificates with DNS-01

Wildcard certificates require DNS-01 validation. For AWS Route 53:

sudo apt install -y python3-certbot-dns-route53

sudo certbot certonly \
  --dns-route53 \
  --non-interactive \
  --agree-tos \
  --email admin@example.com \
  -d "example.com" \
  -d "*.example.com"

Ensure the server has an IAM role or credentials with Route 53 write permissions for the hosted zone.

Automatic Renewal

Certbot installs a systemd timer that checks for renewals twice daily:

# Verify the timer is active
sudo systemctl status certbot.timer

# Test renewal without making changes
sudo certbot renew --dry-run

For custom post-renewal actions (reloading Nginx, for example), create a deploy hook:

sudo tee /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh > /dev/null <<'EOF'
#!/bin/bash
systemctl reload nginx
EOF
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
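
A more defensive version of the deploy hook above, written as an added example rather than code from the original post: it checks the Nginx configuration before reloading, records which lineage was renewed, and exits non-zero on failure so the problem shows up in Certbot's log and in syslog. It relies on the RENEWED_LINEAGE and RENEWED_DOMAINS environment variables that Certbot exports to deploy hooks; the `certbot-deploy` syslog tag is an arbitrary choice. The reload decision is factored into a function that takes the test and reload commands as strings so it can be exercised without a real Nginx.

```shell
#!/bin/sh
# Added example, not from the original post: a deploy hook that reloads Nginx
# only after the configuration passes `nginx -t`, so a configuration problem
# is logged explicitly instead of surfacing as a failed reload.
# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# and RENEWED_DOMAINS (space-separated) to deploy hooks.
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh (chmod +x).

# reload_if_valid TEST_CMD RELOAD_CMD
#   Run TEST_CMD; only if it succeeds run RELOAD_CMD.
#   Returns 0 on success, 1 if the test failed (nothing reloaded),
#   2 if the reload itself failed. Commands are passed as strings so the
#   decision logic can be exercised without a real Nginx.
reload_if_valid() {
  if ! sh -c "$1" >/dev/null 2>&1; then
    return 1
  fi
  sh -c "$2" >/dev/null 2>&1 || return 2
  return 0
}

# cert_not_after FULLCHAIN_PEM -> expiry date of the freshly issued certificate
cert_not_after() {
  openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

main() {
  lineage=${RENEWED_LINEAGE:?set by Certbot for deploy hooks}
  domains=${RENEWED_DOMAINS:-unknown}
  logger -t certbot-deploy "renewed $lineage for: $domains"

  rc=0
  reload_if_valid "nginx -t" "systemctl reload nginx" || rc=$?
  case $rc in
    0) logger -t certbot-deploy \
         "nginx reloaded; certificate valid until $(cert_not_after "$lineage/fullchain.pem")" ;;
    1) logger -p user.err -t certbot-deploy \
         "nginx -t failed; not reloading, the previously loaded certificate stays in service"
       exit 1 ;;
    *) logger -p user.err -t certbot-deploy "nginx reload failed"
       exit 1 ;;
  esac
}

# Certbot always sets RENEWED_LINEAGE for deploy hooks; when the file is run
# or sourced without it (for example by a test), only the functions are defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Certbot runs deploy hooks only after a successful renewal, so a non-zero exit here does not roll anything back; it makes the failure visible in `certbot renew` output and in the journal, which is what you want a monitoring rule to catch.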

Monitoring Certificate Expiry

Even with automation, monitoring is essential. Use a simple cron job to alert on certificates expiring within 14 days:

# Add to root crontab
0 8 * * * /usr/bin/openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -checkend 1209600 || echo "SSL cert expiring soon" | mail -s "SSL Alert" admin@example.com
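
The one-liner above covers a single host. The following script, an added example and not part of the original post, generalizes it: it checks the certificate each host actually serves for its SNI name, reports the number of days left, and mails the report only when a host is expiring, unreachable, or serving something that does not parse. It assumes GNU `date` (for `date -d`) and `openssl`; the script path in the cron comment and the host list are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: report days until expiry for the
# certificate served by each host, alerting below a threshold.
# Assumes GNU date (date -d) and openssl.

THRESHOLD_DAYS=${THRESHOLD_DAYS:-14}

# not_after_epoch "notAfter=Mar  3 12:00:00 2030 GMT" -> Unix timestamp
# (the line format that `openssl x509 -enddate` prints)
not_after_epoch() {
  date -u -d "${1#notAfter=}" +%s
}

# days_left NOTAFTER_LINE -> whole days until expiry (negative once expired)
days_left() {
  end=$(not_after_epoch "$1") || return 1
  now=$(date -u +%s)
  echo $(( (end - now) / 86400 ))
}

# expiring_soon DAYS THRESHOLD -> true when DAYS is below THRESHOLD
expiring_soon() {
  [ "$1" -lt "$2" ]
}

# served_not_after HOST [PORT] -> notAfter line of the leaf certificate the
# server presents for that SNI name. The </dev/null matters: without it
# s_client waits on stdin, which can leave a cron job hanging.
served_not_after() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate
}

# check_hosts HOST... -> one line per host; returns 1 if any host is expiring,
# already expired, unreachable, or serving an unparsable certificate
check_hosts() {
  status=0
  for host in "$@"; do
    line=$(served_not_after "$host")
    if [ -z "$line" ]; then
      echo "$host: could not retrieve certificate"
      status=1
      continue
    fi
    d=$(days_left "$line")
    if [ "$d" -lt 0 ]; then
      echo "$host: EXPIRED $(( -d )) days ago"
      status=1
    elif expiring_soon "$d" "$THRESHOLD_DAYS"; then
      echo "$host: EXPIRING in $d days"
      status=1
    else
      echo "$host: ok, $d days left"
    fi
  done
  return $status
}

# Run only when hosts are given on the command line, so sourcing the file
# (for example from a test) defines the functions without contacting anything.
# Cron usage (root crontab; the script path is a placeholder):
#   0 8 * * * /usr/local/sbin/check-certs.sh example.com www.example.com
if [ $# -gt 0 ]; then
  report=$(check_hosts "$@") || {
    printf '%s\n' "$report" | mail -s "SSL Alert" admin@example.com
    exit 1
  }
fi
```

Checking the served certificate rather than the files under /etc/letsencrypt/live catches the case the deploy hook is there to prevent: a renewal that succeeded on disk but was never loaded by the web server.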

Best Practices

  • Always use the --non-interactive flag in automation scripts
  • Keep Certbot updated to support the latest ACME protocol features
  • Use certbot certificates to list all managed certificates and their expiry dates
  • Store DNS provider credentials securely with restricted file permissions

For more on securing your servers, read our SSH hardening guide for Ubuntu. Our server management service includes full SSL lifecycle management.

Certbot eliminates the risk of expired certificates by automating issuance and renewal. Whether you manage a single domain or hundreds of subdomains with wildcard certificates, the setup takes minutes and runs unattended indefinitely.
