Let's Encrypt - Certificates

Cheatsheet Certificate

Issue, renew, and manage SSL certificates with Let's Encrypt and Certbot

Certificate - Issue with NGINX

Issue SSL certificate and auto-configure NGINX (recommended).

sudo certbot --nginx -d example.com -d www.example.com

Certificate - Issue with Apache

Issue SSL certificate and auto-configure Apache.

sudo certbot --apache -d example.com -d www.example.com

Certificate - Issue Standalone

Use standalone mode when no web server is running.

sudo certbot certonly --standalone -d example.com

Note: Port 80 must be available.

Certificate - Wildcard Domain

Issue wildcard certificate using DNS-01 challenge (HTTP-01 cannot issue wildcards).

Cloudflare DNS

sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/cloudflare.ini \
  -d example.com -d '*.example.com'

Cloudflare Credentials

Create ~/.secrets/cloudflare.ini:

dns_cloudflare_api_token = YOUR_API_TOKEN

Set permissions:

chmod 600 ~/.secrets/cloudflare.ini
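The credentials file above holds an API token that can change DNS records for the whole zone, and privkey.pem under /etc/letsencrypt/live is just as sensitive, so a quick ownership-and-mode audit is worth scripting. The function below is an added example, not part of the original cheatsheet; it assumes GNU stat (Linux) and accepts any mode with no group or world bits (600, 400, 700).

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): confirm that a secret
# file such as ~/.secrets/cloudflare.ini or a privkey.pem is readable only
# by its owner. Assumes GNU stat (Linux).

# Return 0 if FILE is a regular file, has no group/world permission bits,
# and is owned by EXPECTED_OWNER (default: the invoking user).
check_secret_file() {
    file="$1"
    expected_owner="${2:-$(id -un)}"
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")
    # Group and world bits must be zero: "600", "400" and "700" pass.
    case "$mode" in
        [0-7]00) ;;
        *) echo "FAIL: $file has mode $mode (expected 600)"; return 1 ;;
    esac
    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $file is owned by $owner (expected $expected_owner)"
        return 1
    fi
    echo "OK: $file mode $mode owner $owner"
    return 0
}

# Typical calls (paths from the cheatsheet):
#   check_secret_file ~/.secrets/cloudflare.ini
#   check_secret_file /etc/letsencrypt/live/example.com/privkey.pem root
```

Run it from cron or a config-management check so a careless `chmod -R` on /etc/letsencrypt or ~/.secrets is noticed before the next renewal.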

Renewal - Test Dry Run

Test certificate renewal without actually renewing.

sudo certbot renew --dry-run

Renewal - Force Renew

Force renewal even if not expiring soon.

sudo certbot renew --force-renewal

Renewal - Specific Domain

Renew only a specific domain certificate.

sudo certbot renew --cert-name example.com

Auto-Renewal - Check Timer

Check if systemd auto-renewal timer is active.

systemctl list-timers | grep certbot

Auto-Renewal - Timer Status

View detailed status of renewal timer.

sudo systemctl status certbot.timer

Auto-Renewal - Enable Timer

Enable automatic certificate renewal.

sudo systemctl enable --now certbot.timer

Auto-Renewal - Cron Setup

Manual cron setup for auto-renewal.

Add to /etc/cron.d/certbot:

0 3 * * * root certbot renew --quiet

Certificate Locations

Certificates are stored in /etc/letsencrypt/live/<domain>/.

File           Purpose
fullchain.pem  Certificate + chain (use in NGINX)
privkey.pem    Private key
cert.pem       Certificate only
chain.pem      Intermediate certificates

NGINX Configuration

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Apache Configuration

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

Verify - Check Expiry Date

Check when certificate expires.

sudo openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -enddate
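The `-enddate` output is a single `notAfter=...` line, which is awkward to read at a glance and useless for alerting. The script below is an added example, not from the original cheatsheet: it turns that line into days remaining and walks every lineage under /etc/letsencrypt/live (the default path the cheatsheet uses), warning when a certificate is within a threshold. It assumes GNU date and openssl on PATH; the 14-day default threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): report days until
# expiry for Let's Encrypt certificates. Assumes GNU date and openssl.

# Convert a "notAfter=Mon DD HH:MM:SS YYYY GMT" line, exactly as printed
# by `openssl x509 -noout -enddate`, to whole days remaining from now.
# A negative result means the certificate has already expired.
days_until_expiry() {
    enddate_line="$1"
    not_after="${enddate_line#notAfter=}"
    expiry_epoch=$(date -u -d "$not_after" +%s) || return 2
    now_epoch=$(date -u +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Check one certificate file. Returns 0 if more than THRESHOLD days are
# left, 1 if it is expiring or expired, 2 if the file could not be read.
check_cert_expiry() {
    cert_path="$1"
    threshold="${2:-14}"
    enddate=$(openssl x509 -in "$cert_path" -noout -enddate) || return 2
    days=$(days_until_expiry "$enddate") || return 2
    if [ "$days" -le "$threshold" ]; then
        echo "WARN: $cert_path expires in $days day(s)"
        return 1
    fi
    echo "OK: $cert_path expires in $days day(s)"
    return 0
}

# Check every lineage certbot manages. Usage: check_all_live [threshold_days]
# Exit status is non-zero if any certificate is within the threshold, so
# the function can drive a cron alert or a monitoring check.
check_all_live() {
    threshold="${1:-14}"
    status=0
    for dir in /etc/letsencrypt/live/*/; do
        [ -f "$dir/cert.pem" ] || continue
        check_cert_expiry "$dir/cert.pem" "$threshold" || status=1
    done
    return $status
}
```

Let's Encrypt certificates are valid for 90 days and certbot renews them at 30 days remaining, so anything below 14 days means the auto-renewal timer or a hook has been failing silently.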

Verify - View Full Details

View complete certificate information.

sudo openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -noout -text

Verify - Test HTTPS

Test if HTTPS is working.

curl -I https://example.com

Verify - SSL Labs Test

Online SSL quality test.

https://www.ssllabs.com/ssltest/analyze.html?d=example.com

Utility - List Certificates

List all installed certificates.

sudo certbot certificates

Utility - Delete Certificate

Remove certificate completely.

sudo certbot delete --cert-name example.com

Utility - Revoke Certificate

Revoke a certificate (before deletion).

sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem

Web Server - Reload NGINX

Reload NGINX after certificate changes.

sudo nginx -t              # Test config
sudo systemctl reload nginx

Web Server - Reload Apache

Reload Apache after certificate changes.

sudo apachectl configtest  # Test config
sudo systemctl reload apache2

Certificate - Multiple Domains

Issue single certificate for multiple domains (SAN certificate).

sudo certbot certonly --nginx \
  -d example.com \
  -d www.example.com \
  -d api.example.com \
  -d admin.example.com

Certificate - Webroot Method

Use webroot plugin for existing web server.

sudo certbot certonly --webroot \
  -w /var/www/html \
  -d example.com -d www.example.com

Renewal Hooks

Run commands before/after renewal.

Pre Hook

Run before renewal (stop services):

sudo certbot renew --pre-hook "systemctl stop nginx"

Post Hook

Run after renewal (restart services):

sudo certbot renew --post-hook "systemctl start nginx"

Deploy Hook

Run only if renewal succeeded:

sudo certbot renew --deploy-hook "systemctl reload nginx"

Configure Renewal Hooks

Add hooks to renewal configuration.

Edit /etc/letsencrypt/renewal/example.com.conf:

[renewalparams]
pre_hook = systemctl stop nginx
post_hook = systemctl start nginx
deploy_hook = systemctl reload nginx
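A deploy hook that blindly runs `systemctl reload nginx` can leave the server serving the old certificate if the configuration is broken, and nothing records that it happened. The script below is an added example, not part of the original cheatsheet or of certbot: a deploy hook that tests the NGINX configuration first, reloads only when the test passes, and logs the outcome. It relies on the RENEWED_LINEAGE and RENEWED_DOMAINS environment variables, which certbot documents for deploy hooks; the log path and the install location under /etc/letsencrypt/renewal-hooks/deploy/ are assumptions.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): a certbot deploy hook
# that reloads NGINX only when `nginx -t` passes. Certbot sets
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS (space-separated) when it runs deploy hooks.
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
# (chmod 755) or pass it with --deploy-hook. Log path is an assumption.

LOG="${HOOK_LOG:-/var/log/certbot-deploy-hook.log}"

log() {
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >>"$LOG"
}

# Run TEST_CMD; only if it succeeds run RELOAD_CMD.
# Returns 0 on a successful reload, 1 if the test failed (reload skipped,
# so a bad config never takes the server down), 2 if the reload failed.
reload_if_valid() {
    test_cmd="$1"
    reload_cmd="$2"
    if ! sh -c "$test_cmd" >/dev/null 2>&1; then
        return 1
    fi
    sh -c "$reload_cmd" >/dev/null 2>&1 || return 2
    return 0
}

main() {
    log "deploy hook for ${RENEWED_DOMAINS:-unknown} (lineage: ${RENEWED_LINEAGE:-none})"
    reload_if_valid "nginx -t" "systemctl reload nginx"
    rc=$?
    case $rc in
        0) log "nginx reloaded" ;;
        1) log "ERROR: nginx -t failed, reload skipped, old certificate still served" ;;
        2) log "ERROR: nginx reload failed" ;;
    esac
    return $rc
}

# Only run when invoked by certbot; sourcing the file defines the
# functions without side effects.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

A non-zero exit from the hook shows up in `certbot renew` output and in the journal for certbot.timer, so pair this with the expiry check above it rather than assuming renewals are being applied.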