Let's Encrypt — Useful Commands & Troubleshooting

Let’s Encrypt — Useful Commands & Troubleshooting#

A compact toolbox of common Certbot commands, copy-ready snippets, and real-world fixes engineers frequently use while working with Let’s Encrypt.
This is not a step-by-step guide — just the things you actually search for in production.

🔧 Install Certbot#

Ubuntu / Debian#

sudo apt update
sudo apt install certbot python3-certbot-nginx

RHEL / CentOS#

sudo dnf install certbot python3-certbot-nginx

🔒 Issue New Certificates#

Issue certificate (NGINX)#

sudo certbot --nginx -d example.com -d www.example.com

Issue certificate (Apache)#

sudo certbot --apache -d example.com

Standalone mode (when no web server is running)#

sudo certbot certonly --standalone -d example.com

DNS Challenge (e.g., Cloudflare)#

Useful for wildcard certificates.

sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/cloudflare.ini \
  -d example.com -d '*.example.com'

♻️ Renewal Commands#

Test renewal#

sudo certbot renew --dry-run

Force renewal#

sudo certbot renew --force-renewal

Check auto-renew timer (systemd)#

systemctl list-timers | grep certbot

📂 Certificate File Locations#

/etc/letsencrypt/live/<domain>/fullchain.pem
/etc/letsencrypt/live/<domain>/privkey.pem
/etc/letsencrypt/live/<domain>/chain.pem

🧪 Verification Commands#

Check certificate expiry#

sudo openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -enddate

View certificate details#

sudo openssl x509 -in fullchain.pem -noout -text

Test HTTPS endpoint#

curl -I https://example.com

🐞 Common Errors & Fixes#

❗ Port 80 Already in Use#

Problem binding to port 80.

Find process:

sudo lsof -i :80

Stop conflicting service:

sudo systemctl stop <service>

Alternatively use DNS challenge:

sudo certbot certonly --dns-cloudflare ...

❗ NGINX Plugin Not Found#

The nginx plugin is not installed.

Install plugin:

sudo apt install python3-certbot-nginx

❗ Cloudflare SSL Errors (525 / handshake failed)#

Fix checklist:

• Set Cloudflare SSL mode → Full, not “Full (Strict)”
• Disable “Always Use HTTPS” temporarily
• Ensure server certificate is valid

❗ Auto-Renew Not Executing#

Check logs:

sudo cat /var/log/letsencrypt/letsencrypt.log

Run manually:

sudo certbot renew --dry-run

❗ Wildcard certificate not issued#

Wildcard certificates require DNS-01 challenge — HTTP-01 cannot issue them.

🧰 Utility Commands#

List installed certificates#

sudo certbot certificates

Delete a certificate#

sudo certbot delete --cert-name example.com

Reload web server after renewal#

NGINX:

sudo systemctl reload nginx

Apache:

sudo systemctl reload apache2

📝 Tip#

If you’re using Load Balancers, Proxies, or Cloudflare in front of your server, always ensure that:

• Port 80 is reachable for HTTP-01 challenges
• DNS records propagate before re-issuing
• Certificates are reloaded after renewal