1. Introduction

certbot is a popular tool that automates the process of obtaining and renewing free TLS/SSL certificates from the Let’s Encrypt Certificate Authority. This tool makes it easy to set up HTTPS on web servers to ensure secure connections. In addition, we can use it with Spring Boot applications, mail servers such as Postfix, proxy servers such as Nginx in reverse proxy configurations, database servers running PostgreSQL, and other services that require secure TLS/SSL connections.

certbot plugins extend the functionality of certbot by automating various aspects of the certificate management process. They can be authenticators, which handle the process of proving domain ownership, and installers, which configure the web server to use the obtained certificates.

In this tutorial, we’ll see how to install plugins that extend certbot’s capabilities.

2. Recommendations and Restrictions

Official plugins are the subject of this tutorial, as third-party plugins may have separate installation instructions on their own GitHub pages. Only third-party plugins distributed as snaps are installed in the same way as official plugins.

When preparing to install certbot and its plugins, we should consider these restrictions:

  • We need to run certbot directly on a server, typically a VPS via SSH
  • As of February 2024, certbot no longer supports Windows, and macOS support is poor, so **we’ll focus exclusively on GNU/Linux servers**
  • Running certbot as root allows proper operation and automatic TLS/SSL configuration
  • certbot can’t install certificates or configure a web server from inside a Docker container
  • **The official recommendation is to use snap to install certbot and its plugins**
  • However, some third-party plugins may require installation via pip in a virtual environment
  • We can also install certbot and some of its plugins using package managers, but these packages become outdated very quickly
  • Let’s make sure we install certbot and its plugins using the same method (snap, pip, or package manager) to avoid compatibility issues
  • The certbot-auto script, often still used on older servers, is deprecated as of December 2020 and should be removed

The advantage of installing certbot via snap is that it stays up to date automatically, comes pre-configured with automatic TLS/SSL renewal, and all DNS plugins are available. However, before installing certbot plugins via snap, we should remove certbot-auto and any certbot OS packages.

Finally, in the case of shared hosting, we can consult certbot’s documentation about hosting providers.

3. Installing certbot Plugins via snap

snap allows us to install and run Linux software packages, called snaps, in a containerized environment. This simplifies installation since snaps include all their dependencies and are compatible with almost all Linux distributions.

By default, snaps are isolated from each other and from the system, but certbot requires classic confinement, enabled with the --classic flag, which allows the snap to access system resources and user files more freely, similar to a traditional Linux package.

3.1. Installing snap

We find snap preinstalled and ready to use on several popular Linux distributions, including KDE Neon, Solus, Ubuntu 18.04 and above, Manjaro, and Zorin OS. This means that we can immediately start installing snaps on these systems without any additional setup.

For other popular distributions such as Debian, Linux Mint, Arch Linux, Fedora, openSUSE, and others, we must carefully follow specific installation instructions, which often involve manually enabling the classic support mentioned above.

3.2. Installing certbot Snaps

Once snap is installed and any certbot OS packages are removed, the following instructions are the same for any Linux distribution. First, let’s install certbot:

$ sudo snap install --classic certbot
certbot 2.10.0 from Certbot Project (certbot-eff✓) installed

By Linux standards, executables are typically placed in /usr/bin. It’s a good practice to create a symbolic link for certbot in /usr/bin for easy access, making certbot readily available for execution without having to specify its full path. This also improves compatibility with scripts and services that expect to find certbot in /usr/bin:

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
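Section 2 asks us to keep certbot and its plugins on a single installation method and to remove certbot-auto, and the symlink above fails (or silently points at the wrong binary) when /usr/bin/certbot is already a distro-package executable. The following shell script is an added example, not part of the tutorial or of the certbot project: it classifies the certbot on PATH by the target of its symlink (snap, the /opt/certbot virtual environment used later in this tutorial, a leftover certbot-auto, or a regular file from an OS package) and creates the symlink only when it would not overwrite a regular file. The path conventions are assumptions taken from this tutorial.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit which installation method the
# certbot on PATH comes from, so certbot and its plugins stay on one method, and
# create the /usr/bin symlink without clobbering a leftover distro package.
# Path conventions are the ones used in this tutorial (snap, /opt/certbot venv).

# certbot_origin PATHNAME -> snap | pip-venv | certbot-auto | package | unknown
# Only one level of symlink is followed on purpose: /snap/bin/certbot is itself
# a link into the snap runtime, so fully resolving it would hide the snap origin.
certbot_origin() {
    p=$1
    [ -L "$p" ] && p=$(readlink "$p")
    case "$p" in
        /snap/bin/certbot)        echo snap;         return ;;
        /opt/certbot/bin/certbot) echo pip-venv;     return ;;   # venv from section 5
        */certbot-auto)           echo certbot-auto; return ;;   # deprecated, remove it
    esac
    # A regular file at the path is what a distro package (apt/dnf) installs
    if [ -f "$p" ]; then echo package; else echo unknown; fi
}

# link_certbot TARGET LINK: point LINK at TARGET, replacing an old symlink but
# refusing to overwrite a regular file (an OS package that should be removed first)
link_certbot() {
    target=$1; link=$2
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "refusing to overwrite regular file $link; remove the certbot OS package first" >&2
        return 1
    fi
    rm -f "$link"
    ln -s "$target" "$link"
}

# audit_certbot: print the origin of the certbot currently on PATH
audit_certbot() {
    bin=$(command -v certbot 2>/dev/null) || { echo "certbot is not on PATH"; return 1; }
    echo "$bin -> $(certbot_origin "$bin")"
}

# Typical use after the snap install above (needs root):
#   link_certbot /snap/bin/certbot /usr/bin/certbot && audit_certbot
audit_certbot || true
```

If the audit reports one origin for certbot and the plugins were installed by another method (a snap certbot next to python3-certbot-dns-* packages, for instance), that is the compatibility problem section 2 warns about.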

Next, let’s check the installed plugins:

$ certbot plugins
[...]
* apache
[...]
* nginx
[...]
* standalone
[...]
* webroot
[...]

So currently we only have four plugins. Let’s see what other certbot snaps are available:

$ snap find certbot
Name                      Version        Publisher        Notes    Summary
certbot                   2.10.0         certbot-eff✓     classic  Automatically configure HTTPS using Let's Encrypt
certbot-dns-cloudxns      1.32.2         certbot-eff✓     -        CloudXNS DNS Authenticator plugin for Certbot
certbot-dns-cloudflare    2.10.0         certbot-eff✓     -        Cloudflare DNS Authenticator plugin for Certbot
certbot-dns-dnsmadeeasy   2.10.0         certbot-eff✓     -        DNS Made Easy DNS Authenticator plugin for Certbot
certbot-dns-dnsimple      2.10.0         certbot-eff✓     -        DNSimple DNS Authenticator plugin for Certbot
[...]

At the time of writing this tutorial, the list of certbot snaps includes 34 plugins, 14 of which are official and 20 are third-party. Before we continue, we need to set the confinement level of the plugins. This command ensures that the plugins we are going to install have the same classic confinement as the certbot snap:

$ sudo snap set certbot trust-plugin-with-root=ok

As an example, let’s try to install the official certbot-dns-cloudflare plugin:

$ sudo snap install certbot-dns-cloudflare
certbot-dns-cloudflare 2.10.0 from Certbot Project (certbot-eff✓) installed

Let’s check if certbot sees the new plugin:

$ certbot plugins
[...]
* dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using
Cloudflare for DNS).
[...]

Everything went as planned. To use this plugin, there is official documentation on DNS plugins.

4. Installing certbot Plugins via Package Managers

There are still philosophical and technical reasons to prefer our distribution’s package manager over snap. Some distributions have chosen not to support snap due to concerns about the centralization of the snap store, potential performance and integration issues, and the imposition of snapd as a dependency for certain applications.

Let’s take Linux Mint 21 as an example, where snap is disabled by default, although we can enable it manually. Let’s see what packages are related to certbot:

$ apt-cache search --names-only certbot
[...]
python3-certbot - main library for certbot
python3-certbot-apache - Apache plugin for Certbot
python3-certbot-dns-cloudflare - Cloudflare DNS plugin for Certbot
python3-certbot-dns-digitalocean - DigitalOcean DNS plugin for Certbot
python3-certbot-dns-dnsimple - DNSimple DNS plugin for Certbot
python3-certbot-dns-gandi - Gandi LiveDNS plugin for Certbot
[...]

In this case, we only need to install the package of the plugin we want. The automatic dependency management system installs both certbot and any other necessary packages:

$ sudo apt update && sudo apt install python3-certbot-dns-cloudflare
[...]
The following NEW packages will be installed:
  certbot python3-acme python3-certbot python3-certbot-dns-cloudflare
  python3-cloudflare python3-configargparse python3-josepy
  python3-openssl python3-parsedatetime python3-zope.component
  python3-zope.event python3-zope.hookable python3-zope.interface
[...]

Let’s verify that the installation was successful:

$ sudo certbot plugins
[...]
* dns-cloudflare
[...]

However, if we try to run certbot right after installation, we get a bunch of errors, probably specific to this setup on Linux Mint 21. This is because the Python modules requests_toolbelt and urllib3 are too old and need an upgrade. We can easily fix the problem:

$ pip install --upgrade urllib3 requests_toolbelt

Let’s check the version of certbot:

$ certbot --version
certbot 1.21.0

This is definitely an old version. At the time of writing this tutorial, certbot is up to version 2.10.0, which was released on April 3, 2024. Version 1.21.0, on the other hand, dates back to November 4, 2021. It may work fine even if it’s old, but if not, we need to remove it and reinstall certbot with snap or pip.

As for other Linux distributions, the latest versions of Debian and Fedora have the certbot 2.9.0 package, which is definitely newer, and openSUSE has the latest version 2.10.0. In these cases, there’s no obsolescence problem.
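Checking the version by eye works once, but a script that verifies a fleet of servers needs the same decision in code. The following shell functions are an added example, not from the tutorial or from certbot: they parse the text that certbot --version and certbot plugins print, compare the reported version with a reference version using GNU sort -V, and confirm that a given plugin appears in the plugin list. The sample outputs embedded below are constructed to mirror the Linux Mint 21 run above.

```shell
#!/bin/sh
# Added example, not part of the tutorial: decide whether an installed certbot is
# older than a reference version and confirm a plugin is listed, working on the
# text printed by "certbot --version" and "certbot plugins".

# version_lt A B: true when version A sorts before version B (GNU sort -V)
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# certbot_version_from OUTPUT: extract "1.21.0" from "certbot 1.21.0"
certbot_version_from() {
    printf '%s\n' "$1" | awk '/^certbot /{print $2; exit}'
}

# certbot_outdated OUTPUT REFERENCE: true when the reported version is older
certbot_outdated() {
    v=$(certbot_version_from "$1")
    [ -n "$v" ] && version_lt "$v" "$2"
}

# plugin_names OUTPUT: the names from the "* name" lines of "certbot plugins"
plugin_names() {
    printf '%s\n' "$1" | awk '/^\* /{print $2}'
}

# has_plugin OUTPUT NAME: true when NAME is one of the listed plugins
has_plugin() {
    plugin_names "$1" | grep -qx -- "$2"
}

# Constructed sample output, shaped like the tutorial's Linux Mint 21 run.
SAMPLE_VERSION='certbot 1.21.0'
SAMPLE_PLUGINS='* apache
Description: Apache Web Server plugin
* dns-cloudflare
Description: Obtain certificates using a DNS TXT record
* nginx
Description: Nginx Web Server plugin'

if certbot_outdated "$SAMPLE_VERSION" 2.10.0; then
    echo "certbot $(certbot_version_from "$SAMPLE_VERSION") is older than 2.10.0: consider snap or pip"
fi
has_plugin "$SAMPLE_PLUGINS" dns-cloudflare && echo "dns-cloudflare plugin is present"
```

On a real server, replace the constructed strings with `$(certbot --version 2>&1)` and `$(certbot plugins 2>&1)`; the reference version is whatever the current release is at the time the check runs.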

5. Installing certbot Plugins via pip

Most third-party plugins are only available through pip, a package management system for installing and managing Python libraries and dependencies. A major advantage of pip is its independence from Linux distributions, as its commands work the same way on all distributions, provided that the version of Python and the installed libraries are the same.

5.1. Installing Python

certbot requires Python 3 and several other dependencies to work properly. In apt-based distributions, we need these packages:

$ sudo apt update
$ sudo apt install python3 python3-venv libaugeas0

On rpm-based distributions, we need these packages instead:

$ sudo dnf install python3 augeas-libs

On other distributions, these packages may have slightly different names.

5.2. Installing certbot in a Virtual Environment

Before installing certbot, we need a virtual environment, which is an isolated Python environment that allows us to manage dependencies for a specific project without interfering with other projects. So let’s create a virtual environment in /opt/certbot/:

$ sudo python3 -m venv /opt/certbot/

We are ready to run pip in the virtual environment and update it to the latest version:

$ sudo /opt/certbot/bin/pip install --upgrade pip
[...]
Successfully uninstalled pip-22.0.2
Successfully installed pip-24.0

There are a great many packages related to certbot, almost three hundred:

$ sudo /opt/certbot/bin/python -m pypisearch -p 1-99 certbot
certbot (2.10.0)                         ACME client
certbot-dns-azure (2.5.0)                Azure DNS Authenticator plugin for Certbot
certbot-dns-powerdns (0.2.1)             PowerDNS DNS Authenticator plugin for Certbot
certbot-dns-powerdns-admin (0.2.3)       PowerDNS DNS Authenticator plugin for Certbot
[...]

The same plugin we used in the previous examples is available in two variants:

$ sudo /opt/certbot/bin/python -m pypisearch -p 1-99 certbot | grep cloudflare
certbot-dns-cloudflare (2.10.0)          Cloudflare DNS Authenticator plugin for Certbot
certbot-dns-cloudflare-cname (1.0.1)     Cloudflare DNS Authenticator plugin for Certbot with CNAME support.

Let’s install the first one:

$ sudo /opt/certbot/bin/pip install certbot certbot-dns-cloudflare

As in the case of snap, we again create a symbolic link in /usr/bin/:

$ sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

Now certbot is ready for use:

$ certbot plugins
[...]
* dns-cloudflare
[...]

However, the main limitations of pip compared to snap are the lack of automatic updates of certbot and its dependencies, and the lack of automatic TLS/SSL certificate renewals.

5.3. Managing Updates

We can set up automatic certificate renewal with a cron job that runs twice a day, first sleeps for a random interval of up to one hour, and then runs the certbot renewal command:

$ echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; \
time.sleep(random.random() * 3600)' && sudo certbot renew -q" | \
sudo tee -a /etc/crontab > /dev/null

$ cat /etc/crontab
[...]
0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time [...]

The random pause prevents every server from attempting renewal at exactly the same moment each day, which spreads the load on the certificate authority’s servers.
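The tee -a command above appends a fresh copy of the entry every time it is run, so running the setup twice schedules duplicate renewal jobs. As an added example (not from the tutorial or from certbot), the following shell functions add the entry only when an identical line is not already present, and demonstrate that behaviour on a scratch file so the script runs without root.

```shell
#!/bin/sh
# Added example, not part of the tutorial: add the renewal entry to the crontab
# exactly once. The tutorial's "tee -a" appends a new copy on every run.

# ensure_line FILE LINE: append LINE unless an identical line already exists
ensure_line() {
    file=$1; line=$2
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# count_line FILE LINE: how many times LINE appears verbatim in FILE
count_line() {
    file=$1; line=$2
    [ -f "$file" ] || { echo 0; return; }
    grep -cxF -- "$line" "$file" || true      # grep -c prints 0 but exits 1 on no match
}

# The renewal entry from the tutorial (pip venv at /opt/certbot). cron already
# runs it as root, so the sudo inside is redundant but harmless.
RENEW_ENTRY="0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q"

# install_renew_entry [FILE]: idempotently add the entry (FILE defaults to /etc/crontab)
install_renew_entry() {
    ensure_line "${1:-/etc/crontab}" "$RENEW_ENTRY"
}

# Demonstration on a constructed scratch file, so no root is needed here:
demo=$(mktemp)
install_renew_entry "$demo"
install_renew_entry "$demo"
echo "entries after two runs: $(count_line "$demo" "$RENEW_ENTRY")"
rm -f "$demo"
```

To install the entry for real, call install_renew_entry as root with no argument so it targets /etc/crontab. Running certbot renew --dry-run once by hand confirms that the renewal command works before cron is relied on.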

Finally, it’s important to update certbot and its plugins from time to time. We can do it manually:

$ sudo /opt/certbot/bin/pip install --upgrade certbot certbot-dns-cloudflare

For certbot and plugins updates, it’s best not to use crontab, as manual updates allow us to monitor the process and fix any problems that may arise during the update.

6. Conclusion

In this article, we learned how to extend certbot’s capabilities with plugins. We started by understanding certbot’s role in managing TLS/SSL certificates for secure connections and reviewed the types of plugins available, highlighting their importance in automating certificate management.

Then we went step-by-step through the different ways to install certbot plugins. The recommended method is snap for simplicity and automatic updates. Alternative methods using package managers and pip are also valid under certain circumstances.

Following these installation guidelines ensures a safe setup. Let’s not forget that keeping installations up to date through automatic or manual updates is critical for ongoing security.