Installation and Usage of Certbot on CentOS to Obtain a Let’s Encrypt Wildcard TLS/SSL Certificate.

Requesting a Wildcard Certificate with Certbot on CentOS

To request a Let's Encrypt wildcard certificate the following prerequisites apply:

  • The client must support ACME v2 (i.e. Certbot >= 0.22.0).
  • The DNS-01 challenge type must be used; wildcard names cannot be validated with HTTP-01.
  • The --server option or configuration directive must point at the ACME v2 endpoint (newer Certbot releases default to it).


Install certbot-auto

Note: certbot-auto is deprecated and no longer maintained upstream; on a current system install Certbot from the distribution packages, snap or pip instead. If it is still used, verify the downloaded script against its detached GPG signature (certbot-auto.asc) before executing it.

# mkdir -p /opt/{bin,certbot/bin} \
  && curl -sS \
    -o /opt/certbot/bin/certbot-auto \ \
  && chmod 711 /opt/certbot/bin/certbot-auto \
  && ln -sf \
    /opt/certbot/bin/certbot-auto \

Add /opt/bin to PATH (pathmunge is the helper function defined by /etc/profile on CentOS/RHEL)

# cat > /etc/profile.d/ <<-EOT
	#!/usr/bin/env bash

	pathmunge /opt/bin
EOT

Source the profile

# source /etc/profile

Install certbot and its dependencies (-n runs non-interactively, -q suppresses output)

# certbot-auto -nq


Request a certificate using the manual DNS-01 challenge. Because validation is done through a TXT record at _acme-challenge.<domain> rather than over HTTP, this method is useful when generating certificates on a machine other than the target host; Certbot prints the record name and value to publish and waits for confirmation before asking the CA to validate.

Note: The command below makes a request to the staging server, which issues untrusted test certificates. When ready to request from the live (rate-limited) service, change --server to the production endpoint.

Note: The --server option conflicts with both the --test-cert and --staging options, but a warning is only emitted for --staging, with the error: --server value conflicts with --staging.

# certbot-auto certonly \
  --server \
  --agree-tos \
  --preferred-challenges dns \
  --domains * \
  --email \
  --manual \
  --manual-public-ip-logging-ok \
  --no-eff-email \

Apache installation

Link Live Certificates to Apache Certificate File Paths

Either update the VirtualHost's SSLCertificateChainFile, SSLCertificateKeyFile and SSLCertificateFile directives to point directly at the files under /etc/letsencrypt/live/, or create symbolic links from the existing paths to the Let's Encrypt live certificate files. Link rather than copy: the files under live/ are themselves symlinks into archive/ that Certbot repoints on every renewal, so Apache picks up the new certificate on the next reload with no further changes.

SSLCertificateChainFile should not be necessary when SSLCertificateFile points at the full-chain file, but without it the TLS handshake fails after renewal with the error "This server's certificate chain is incomplete". The reason is the httpd version: SSLCertificateFile only started accepting intermediate certificates (and SSLCertificateChainFile was deprecated) in Apache 2.4.8, while CentOS 7 ships httpd 2.4.6, which reads only the leaf certificate from that file.

# mkdir -p \
    /var/www/ssl/ \
  && ln -sf \
    /etc/letsencrypt/live/ \
    /var/www/ssl/ \
  && ln -sf \
    /etc/letsencrypt/live/ \
    /var/www/ssl/ \
  && ln -sf \
    /etc/letsencrypt/live/ \

Reload Apache

# apachectl graceful

Renewing certificates

The renew sub-command can be run periodically (twice a day is recommended) via cron or a systemd timer. Note that --manual-auth-hook true only satisfies Certbot's requirement that a certificate obtained with --manual have an authenticator hook for renewal: true publishes nothing, and since the DNS-01 token is new for every order, the renewal's validation will fail unless the ACME account still holds a valid cached authorization for the name or the hook is replaced with a script that actually writes the _acme-challenge TXT record.

# certbot-auto renew \
  --server \
  --manual-auth-hook true \
  --quiet \
  --no-self-upgrade \
  --post-hook "apachectl graceful"
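The certonly request above relies on publishing the TXT record by hand, and the renew command keeps --manual-auth-hook true only to satisfy Certbot. What makes both steps work unattended is a hook that actually publishes the challenge. The following is an added example, not code from the gist: a POSIX sh script usable as both --manual-auth-hook and --manual-cleanup-hook that appends the _acme-challenge TXT record to a zone-file fragment included by a local authoritative name server, validates the token shape before publishing, and removes the records afterwards. The fragment path (ACME_ZONE_FRAGMENT), the reload command (ACME_RELOAD_CMD), the 60-second TTL and the install path /opt/bin/acme-dns-hook.sh are assumptions; CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables Certbot really exports to manual hooks.

```sh
#!/bin/sh
# acme-dns-hook.sh: constructed example of a --manual-auth-hook / --manual-cleanup-hook
# pair for the DNS-01 challenge. Not part of the original gist.
# Assumptions: the host runs an authoritative DNS server whose zone $INCLUDEs the
# fragment file below, and ACME_RELOAD_CMD (if set) bumps the serial and reloads it.
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks (documented behaviour).

ZONE_FRAGMENT="${ACME_ZONE_FRAGMENT:-/var/named/acme-challenge.inc}"   # assumed path

# Record name the CA queries. RFC 8555 hands the wildcard authorization's identifier
# to the client without the "*." label, so "*.example.com" and "example.com" share one
# record name; strip a leading "*." anyway in case a caller passes the raw identifier.
challenge_name() {
    printf '_acme-challenge.%s.\n' "${1#\*.}"
}

# One RFC 1035 TXT line. Embedded quotes and backslashes are escaped so an unexpected
# token cannot break out of the quoted TXT data and inject further records.
txt_record() {
    _name=$(challenge_name "$1")
    _val=$(printf '%s' "$2" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '%s 60 IN TXT "%s"\n' "$_name" "$_val"
}

# DNS-01 validation values are base64url(SHA-256(key authorization)): exactly 43
# unpadded base64url characters. Anything else means the hook was fed bad input.
valid_token() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

auth_hook() {
    valid_token "$CERTBOT_VALIDATION" || { echo "refusing to publish malformed token" >&2; return 1; }
    # Append, never overwrite: a certificate covering example.com and *.example.com
    # needs two TXT records at the same name at the same time.
    txt_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" >> "$ZONE_FRAGMENT"
    if [ -n "${ACME_RELOAD_CMD:-}" ]; then $ACME_RELOAD_CMD; fi
}

cleanup_hook() {
    _name=$(challenge_name "$CERTBOT_DOMAIN")
    _tmp="$ZONE_FRAGMENT.tmp"
    # grep exits 1 when no lines remain; an empty fragment is the expected end state.
    grep -vF "$_name 60 IN TXT" "$ZONE_FRAGMENT" > "$_tmp" || :
    mv "$_tmp" "$ZONE_FRAGMENT"
    if [ -n "${ACME_RELOAD_CMD:-}" ]; then $ACME_RELOAD_CMD; fi
}

# Usage from certbot (both hooks point at this one script, assumed path):
#   --manual-auth-hook    "/opt/bin/acme-dns-hook.sh auth" \
#   --manual-cleanup-hook "/opt/bin/acme-dns-hook.sh cleanup"
case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Certbot records the hook paths in the certificate's renewal configuration, so once the initial certonly run used them, a plain renew picks them up and the --manual-auth-hook true workaround is no longer needed.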

Example crontab entry

The following example will run the renew sub-command at 05:27 and 21:27 daily.

27 5,21 * * * /opt/bin/certbot-auto renew --server --manual-auth-hook true --quiet --no-self-upgrade --post-hook "apachectl graceful" >> /var/log/certbot.log 2>&1

