Use Certbot to provision LetsEncrypt SSL certificates — manually & quickly

Rakib Al Hasan
3 min readDec 12, 2020


Photo by Franck on Unsplash

The problem statement

You do not have an automated HTTPS/SSL certificate renewal system in place. You purchase the certificate files and install the certificate files yourself in your servers. However, this time you somehow missed the deadline and your HTTPS/SSL certificate got expired already.

Your service is now unavailable to your consumers. This downtime is costing your business revenue. You do not have the time to wait for your IT/Ops team to go through the entire process of applying, approving, procuring, purchasing a new SSL certificate.

The quick solution

In such cases, you may consider quickly installing a DV (domain-verified) SSL Certificate by using LetsEncrypt’s CertBot utility to get your service up & running for business.

First, install CertBot in your local machine

Install CertBot on MacOS via homebrew.

$ brew update
$ brew install certbot

Install CertBot on Ubuntu via apt-get

$ apt-get install letsencrypt

Install CertBot via git — refer to this medium post for fixing locale errors

$ cd /opt
$ git clone
$ cd certbot && ./certbot-auto

Generate new cert file(s) issued by LetsEncryptCA

Prerequisite: You will need to have access to your DNS tool to be able to set TXT records for your [sub]domain(s)

$ certbot certonly \
--manual \
--domain=",,*,etc" \
--preferred-challenges=dns \
--agree-tos \
# OPTIONAL parameterss below \
# \
# --non-interactive \
# --manual-auth-hook=manual-auth-hook.txt \
# --test-cert # remove this for production certificates

After running the above command, you will be asked to confirm some prompts and you will be instructed when to add a specific TXT record in your DNS — meanwhile, the command will pause (and stay paused) to let you complete adding the TXT record.

Once your TXT record is added (and propagated by your DNS), hit ENTER on the Certbot prompt for itto continue - it will then verify the TXT record that you just added into your DNS.

Upon successful verification, it will generate the cert file(s) & save them into your local filesystem as shown below.

$ certbot certificates
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name:
Serial Number: sj47gnv71la7----------3snv6dktph
Expiry Date: 2021-01-10 19:19:30+00:00 (INVALID: TEST_CERT)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Obtain the newly generated cert file(s)

Go to the directory as mentioned in the output of your certbot command.

$ cd /etc/letsencrypt/live/

You will find 4 files sym-linked here:

  • cert.pem — the public certificate file of the (sub)domain(s)
  • chain.pem — the public certificate file of the CertificateAuthority issuing these certificates — LetsEncryptCA in this case
  • fullchain.pem — a concatenation of the above 2 files - usually required instead of the single public certificate file alone
  • privkey.pem — the private certificate file of the (sub)domain(s)

You can install these cert files into your server as per the instructions of your server.

The real solution is different though

This quickfix solution above is to help you get your services up & running quickly. However, note that LetsEncrypt certificates usually expire within 3 months time. So you will have to go through all of this again in just 3 months time. Take this time to implement a sustainable / managed / auto-renewing solution for your SSL requirements.



Rakib Al Hasan

DevOps Engineer, Backend Developer, Cloud Architect, Night time drive-outs & nice hangouts