Let's Encrypt Automatic Certificate Renewal on Linux (Certbot)
This document explains how to obtain and automatically renew SSL/TLS certificates using Let's Encrypt on Linux systems.
The steps use Certbot, the officially recommended ACME client, and apply to most modern Linux distributions.
Contents
- Install Certbot
- Obtain the initial certificate
- Web server integration (Nginx / Apache)
- Enable automatic renewal
- Reload the web server after renewal
- Test the renewal process
- Verify certificate expiration
1. Install Certbot
RHEL / CentOS / Rocky / AlmaLinux
sudo dnf install epel-release -y
sudo dnf install certbot -y
Install a web server plugin:
sudo dnf install python3-certbot-nginx
# or
sudo dnf install python3-certbot-apache
Debian / Ubuntu
sudo apt update
sudo apt install certbot -y
Install a web server plugin:
sudo apt install python3-certbot-nginx
# or
sudo apt install python3-certbot-apache
2. Obtain the Initial Certificate
For Nginx
sudo certbot --nginx
For Apache
sudo certbot --apache
Certificates are stored under:
/etc/letsencrypt/live/your-domain/
3. Enable Automatic Renewal
systemd timer (recommended)
systemctl list-timers | grep certbot
If no certbot timer is listed, enable and start it:
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
4. Reload Web Server After Renewal
sudo certbot renew --deploy-hook "systemctl reload nginx"
5. Test Renewal
sudo certbot renew --dry-run
6. Check Expiration
sudo certbot certificates
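A check to run alongside step 6, as an added example that is not part of the original document: it reads `certbot certificates` output and flags any certificate that is invalid or close to expiry, a sign that automatic renewal is not working. The function name `check_expiry`, the 21-day threshold and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag certificates that
# automatic renewal should already have replaced.

# check_expiry THRESHOLD_DAYS  (hypothetical helper name)
# Reads `certbot certificates` output on stdin and prints one line per
# certificate that is invalid or has THRESHOLD_DAYS or fewer remaining:
#   "<certificate name> <days left | INVALID>"
# Exit status is 1 if anything was flagged, 0 otherwise.
check_expiry() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /INVALID/) {                      # expired, revoked, staging
                print name, "INVALID"; bad = 1
            } else if ($0 ~ /VALID: [0-9]+ hour/) {    # under one day left
                print name, 0; bad = 1
            } else if (match($0, /VALID: [0-9]+ day/)) {
                # "VALID: " is 7 characters and " day" is 4
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                if (days <= limit + 0) { print name, days; bad = 1 }
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input, shaped like `certbot certificates` output.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: www.example.com
    Domains: www.example.com example.com
    Expiry Date: 2025-06-01 09:00:00+00:00 (VALID: 71 days)
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2025-04-03 09:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2025-03-22 14:00:00+00:00 (VALID: 5 hour(s))
  Certificate Name: staging.example.com
    Domains: staging.example.com
    Expiry Date: 2025-05-20 09:00:00+00:00 (INVALID: TEST_CERT)
EOF
}

# Offline demonstration. On a live host the input would come from:
#   sudo certbot certificates | check_expiry 21
sample_output | check_expiry 21 || echo "renewal needs attention"
```

The non-zero exit status makes the function usable from cron or a monitoring agent; set the threshold below the point at which your Certbot installation normally renews.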