Introduction
Manual SSL certificate management is error-prone and a common cause of unexpected downtime. Expired certificates break user trust, trigger browser warnings, and can take down entire services. Certbot automates the entire lifecycle - from issuance to renewal - using the free Let's Encrypt certificate authority.
This guide covers Certbot installation, automatic Nginx and Apache configuration, wildcard certificates via DNS-01 challenges, and renewal automation.
Installing Certbot
sudo apt update
sudo apt install -y certbot
# For Nginx
sudo apt install -y python3-certbot-nginx
# For Apache
sudo apt install -y python3-certbot-apache
Obtaining Certificates for Nginx
# Interactive mode (auto-configures Nginx)
sudo certbot --nginx -d example.com -d www.example.com
# Non-interactive mode for automation
sudo certbot --nginx --non-interactive --agree-tos \
--email admin@example.com \
-d example.com -d www.example.com
Certbot automatically modifies your Nginx server block to include the SSL certificate paths and redirects HTTP to HTTPS.
Wildcard Certificates with DNS-01
Wildcard certificates require DNS-01 validation. For AWS Route 53:
sudo apt install -y python3-certbot-dns-route53
sudo certbot certonly \
--dns-route53 \
--non-interactive \
--agree-tos \
--email admin@example.com \
-d "example.com" \
-d "*.example.com"
Ensure the server has an IAM role or credentials with Route 53 write permissions scoped to that hosted zone (the plugin needs to list zones and to create and delete the _acme-challenge TXT records); do not hand it account-wide rights.
Automatic Renewal
Certbot installs a systemd timer that checks for renewals twice daily:
# Verify the timer is active
sudo systemctl status certbot.timer
# Test renewal without making changes
sudo certbot renew --dry-run
For custom post-renewal actions (reloading Nginx, for example), create a deploy hook:
sudo tee /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh > /dev/null <<'EOF'
#!/bin/bash
systemctl reload nginx
EOF
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
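A more defensive version of the deploy hook above, added here as an example and not part of the original post: it reloads Nginx only when the renewed lineage covers a domain Nginx actually serves, and only after the configuration passes nginx -t, so an unattended renewal can never take the service down with a broken config. Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks, which is what the script keys on; the domain list is an assumption for the example.

```shell
#!/bin/sh
# Added example (not from the original post): Certbot deploy hook that reloads
# Nginx only for lineages Nginx serves, and only after `nginx -t` succeeds.
# Certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS when it runs deploy hooks.
set -eu

# Domains whose certificate Nginx uses (assumed for the example).
NGINX_DOMAINS="example.com www.example.com"

# should_reload "<renewed domains>" "<watched domains>"
# Returns 0 if any renewed domain appears in the watched list, 1 otherwise.
should_reload() {
    renewed="$1"
    watched="$2"
    for d in $renewed; do
        for w in $watched; do
            [ "$d" = "$w" ] && return 0
        done
    done
    return 1
}

# reload_nginx: validate the configuration first; a failed `nginx -t` means
# the running daemon keeps serving the old certificate, which is better than
# an outage, and the failure is logged so monitoring can pick it up.
reload_nginx() {
    if nginx -t >/dev/null 2>&1; then
        systemctl reload nginx
        logger -t certbot-deploy "reloaded nginx after renewal of $RENEWED_LINEAGE"
    else
        logger -t certbot-deploy "nginx -t failed; not reloading after renewal of $RENEWED_LINEAGE"
        return 1
    fi
}

# Only act when invoked by Certbot (the variables are set then); sourcing the
# file anywhere else merely defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if should_reload "${RENEWED_DOMAINS:-}" "$NGINX_DOMAINS"; then
        reload_nginx
    else
        logger -t certbot-deploy "renewal of $RENEWED_LINEAGE does not affect nginx; skipping reload"
    fi
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh with the same chmod +x as above. Note that certbot renew --dry-run does not run deploy hooks, so to exercise the script by hand set RENEWED_LINEAGE and RENEWED_DOMAINS in the environment and run it directly.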
Monitoring Certificate Expiry
Even with automation, monitoring is essential. The check below inspects the certificate the server actually presents, not the file on disk, so it also catches a renewed certificate that was never reloaded into the web server. Use a simple cron job to alert on certificates expiring within 14 days:
# Add to root crontab (1209600 seconds = 14 days; stdin from /dev/null so s_client exits after the handshake)
0 8 * * * /usr/bin/openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -checkend 1209600 >/dev/null || echo "SSL cert expiring soon" | mail -s "SSL Alert" admin@example.com
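The one-liner above covers a single host. The script below, added as an example and not part of the original post, generalises it: it checks every lineage Certbot manages under /etc/letsencrypt/live, can also check what a listener is actually serving, and returns distinct exit codes for "fine", "expiring" and "unreadable" so the cron job can tell a missing file from a near-expiry certificate. The alert address and the default paths are assumptions (the paths follow Certbot's defaults).

```shell
#!/bin/sh
# Added example (not from the original post): report every Certbot-managed
# certificate expiring within a threshold, and optionally the certificate a
# listener presents. Paths follow Certbot defaults; ALERT_TO is assumed.
set -u

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
ALERT_TO="admin@example.com"   # assumed address for the example

# check_cert_file <pem> <days>
# Exit 0 = more than <days> left, 1 = expires within <days>, 2 = unreadable
# or not a certificate (a separate code so monitoring never mistakes a
# missing or corrupt file for a healthy one).
check_cert_file() {
    pem="$1"
    seconds=$(( $2 * 86400 ))
    [ -r "$pem" ] || return 2
    openssl x509 -noout -in "$pem" >/dev/null 2>&1 || return 2
    openssl x509 -noout -in "$pem" -checkend "$seconds" >/dev/null 2>&1
}

# check_served_cert <host> <port> <days>
# Same exit codes, but inspects the certificate the listener presents, which
# catches a renewed file that was never reloaded into the daemon. Stdin comes
# from /dev/null so s_client returns as soon as the handshake completes.
check_served_cert() {
    host="$1"; port="$2"; seconds=$(( $3 * 86400 ))
    cert=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
           | openssl x509 2>/dev/null) || return 2
    [ -n "$cert" ] || return 2
    printf '%s\n' "$cert" | openssl x509 -noout -checkend "$seconds" >/dev/null 2>&1
}

# report <label> <status> <days>: one human-readable line per certificate.
report() {
    case "$2" in
        0) printf 'OK        %s (more than %s days left)\n' "$1" "$3" ;;
        1) printf 'EXPIRING  %s (within %s days)\n' "$1" "$3" ;;
        *) printf 'ERROR     %s (cannot read certificate)\n' "$1" ;;
    esac
}

# scan_live_dir <days>: check each lineage's fullchain.pem under LIVE_DIR,
# print a report, and return 1 if anything needs attention.
scan_live_dir() {
    days="$1"; rc=0
    for dir in "$LIVE_DIR"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        check_cert_file "${dir}fullchain.pem" "$days"
        status=$?
        report "$name" "$status" "$days"
        [ "$status" -eq 0 ] || rc=1
    done
    return $rc
}

# Usage: sh check-certs.sh --scan [days]   (for cron; mails only when something is wrong)
if [ "${1:-}" = "--scan" ]; then
    threshold="${2:-14}"
    out=$(scan_live_dir "$threshold") || printf '%s\n' "$out" | mail -s "SSL Alert" "$ALERT_TO"
    printf '%s\n' "$out"
fi
```

Run it from root's crontab as sh /usr/local/sbin/check-certs.sh --scan 14 in place of the one-liner; because the checks live in functions, the same file can be sourced from other scripts to check a single file or a single listener.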
Best Practices
- Always use the --non-interactive flag in automation scripts
- Keep Certbot updated to support the latest ACME protocol features
- Use certbot certificates to list all managed certificates and their expiry dates
- Store DNS provider credentials securely with restricted file permissions
For more on securing your servers, read our SSH hardening guide for Ubuntu. Our server management service includes full SSL lifecycle management.
Certbot eliminates the risk of expired certificates by automating issuance and renewal. Whether you manage a single domain or hundreds of subdomains with wildcard certificates, the setup takes minutes and runs unattended indefinitely.