login
  1. Home
  2. Knowledgbase
  3. Step-by-Step Guide to Installing Certbot for SSL Certificates

Step-by-Step Guide to Installing Certbot for SSL Certificates

Mar 26, 2026

What is This Guide About?

This comprehensive guide will walk you through the complete process of installing and configuring Certbot, a free tool that helps you obtain and manage SSL/TLS certificates for your websites. SSL certificates are essential for securing your website with HTTPS encryption, protecting your visitors' data and improving your site's trustworthiness.

What You'll Learn:

  1. How to install Certbot on various Linux operating systems

  1. How to configure DNS provider credentials (with focus on Cloudflare)

  1. How to set up External Account Binding (EAB) credentials

  1. How to verify your installation is working correctly

  1. Troubleshooting common installation issues
?? Estimated Time: 30-45 minutes for complete setup

Technical Overview


Platform Support Ubuntu, Debian, CentOS, RHEL
DNS Provider Cloudflare (primary), Route53, Google Cloud DNS, DigitalOcean, and others
Validation Method DNS-01 (automatic DNS record creation)
ACME Server https://demo.acme-server.com/directory

Before You Begin: Prerequisites

Before starting the installation, make sure you have the following requirements ready. This preparation will ensure a smooth installation process.

System Requirements

  1. Python 3.6 or Higher: Certbot is a Python-based application. Most modern Linux distributions come with Python 3 pre-installed. You can check your version by running: python3 --version
  2. Root or Sudo Access: You need administrative privileges to install software packages and configure system files. If you're not the root user, you'll use 'sudo' before commands. 
  3. Active Internet Connection: Required to download packages and communicate with the ACME server and DNS provider.

Required Credentials

You'll need to gather these credentials before proceeding:
  1. Cloudflare API Token or API Key
    This allows Certbot to automatically create DNS records for certificate validation. We'll show you how to create this token in the configuration steps.
  2. ACME Server EAB Credentials
    External Account Binding (EAB) credentials link your certificate requests to your account. These include an EAB Key ID and HMAC Key, which you'll receive from your ACME server administrator.
  3. Email Address
    Used for certificate expiration notifications and account recovery.

Step-by-Step Installation Process

Follow these detailed steps to install Certbot and the necessary DNS plugin on your Linux system.

Step 1: Install Certbot and DNS Plugin

The installation process varies slightly depending on your Linux distribution. Choose the section that matches your operating system.

For Ubuntu or Debian Systems

What we're doing: First, we'll update the package list to ensure we get the latest versions, then install Certbot along with the Cloudflare DNS plugin.

Open your terminal and run these commands:

sudo apt update
sudo apt install -y certbot python3-certbot-dns-cloudflare

Notes

???? Note: The '-y' flag automatically answers 'yes' to installation prompts. The 'apt update' command refreshes your system's package list to ensure you get the most current versions.

For CentOS or RHEL 8+ Systems

What we're doing: On newer CentOS/RHEL systems (version 8 and above), we use the 'dnf' package manager instead of 'yum'.

sudo dnf install -y certbot python3-certbot-dns-cloudflare

For CentOS or RHEL 7 Systems

What we're doing: Older CentOS/RHEL 7 systems require the EPEL repository and use Python 2 versions of the plugins.

sudo yum install -y epel-release
sudo yum install -y certbot python2-certbot-dns-cloudflare

Notes???? Note: EPEL (Extra Packages for Enterprise Linux) is a repository that provides additional packages not included in the standard repositories.

Alternative Method: Installing via pip

When to use this method: If you need a specific version of Certbot, or if the package isn't available in your distribution's repositories, you can install using Python's package manager (pip).

pip3 install certbot certbot-dns-cloudflare

Step 2: Verify Certbot Installation

What we're doing: It's important to confirm that Certbot was installed correctly before proceeding further.

Check the installed version:

certbot --version

Expected output:

certbot 1.32.0

Notes???? Note: The version number may be different depending on when you install. Any version 1.x or higher should work fine.

Understanding DNS Provider Plugins

Certbot supports many different DNS providers. While this guide focuses on Cloudflare, you can use any of the following providers by installing their respective plugins:

DNS Provider Plugin Package Name
Cloudflare python3-certbot-dns-cloudflare
Amazon Route53 python3-certbot-dns-route53
Google Cloud DNS python3-certbot-dns-google
DigitalOcean python3-certbot-dns-digitalocean
OVH python3-certbot-dns-ovh
Linode python3-certbot-dns-linode


Configuring Certbot: Setting Up Credentials

Now that Certbot is installed, we need to configure it with your credentials. This section covers storing your Cloudflare API credentials and ACME server credentials securely.
Info???? Security First: We'll be creating files containing sensitive credentials. The commands below set strict file permissions to ensure only the root user can read these files, protecting your API keys and tokens.

Step 3: Configure Cloudflare API Credentials

Certbot needs access to your Cloudflare account to create DNS records for certificate validation. We'll store these credentials in a secure configuration file.

3.1: Create a Secure Directory for Credentials

What we're doing: First, we create a hidden directory in the root user's home folder to store sensitive files. The directory permissions (700) ensure only root can access it.

sudo mkdir -p /root/.secrets
sudo chmod 700 /root/.secrets

3.2: Create the Cloudflare Credentials File

What we're doing: This command creates a configuration file with your Cloudflare API credentials. We'll use an API token (recommended) rather than the global API key.

sudo tee /root/.secrets/cloudflare.ini > /dev/null << 'EOF'
# Cloudflare API token (recommended - scoped permissions)
dns_cloudflare_api_token =XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EOF

WarningImportant: Replace 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' with your actual Cloudflare API token. We'll show you how to create this token in the next step.

3.3: How to Create a Cloudflare API Token


Follow these steps to generate an API token with the correct permissions:    

  1. Log in to Cloudflare Dashboard
    Visit https://dash.cloudflare.com and log in to your account.
  2. Navigate to API Tokens
    Click on your profile icon in the top right, then select 'My Profile' ? 'API Tokens' ? 'Create Token'.
  3.  Use the 'Edit zone DNS' Template
    Find the template called 'Edit zone DNS' and click 'Use template'.       
  4. Configure Permissions
    The template automatically sets the required permissions:

      Zone ? DNS ? Edit

      Zone ? Zone ? Read

  5. Select Zone Resources
    Under 'Zone Resources', select 'Include' ? 'Specific zone' ? choose your domain (e.g., example.com).
  6. Create and Copy Token
    Click 'Continue to summary', then 'Create Token'. Copy the generated token immediately—you won't be able to see it again!
  7. Add Token to Configuration File
    Paste the token into your cloudflare.ini file, replacing the XXXXXXX placeholder.

3.4: Set Secure File Permissions

What we're doing: The chmod 600 command sets the file so only the root user can read or write it. This prevents other users on the system from accessing your API token.

sudo chmod 600 /root/.secrets/cloudflare.ini

3.5: Verify Cloudflare API Access (Optional)

What we're doing: This optional step tests whether your API token is valid and has the correct permissions by making a test API call to Cloudflare.

First, extract the token from the file:

API_TOKEN=$(grep dns_cloudflare_api_token /root/.secrets/cloudflare.ini | 
cut -d '=' -f 2 | tr -d ' ')

Then test the API connection:

curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
     -H "Authorization: Bearer $API_TOKEN" \
     -H "Content-Type: application/json"

Expected successful response:

{
  "success": true,
  "result": {
    "status": "active"
  }
}

Step 4: Configure ACME Server EAB Credentials

External Account Binding (EAB) credentials link your certificate requests to your account with the ACME server. These credentials are provided by your ACME server administrator.

4.1: Create the EAB Configuration File

What we're doing: We're creating an environment variables file that stores your EAB credentials, email address, and ACME server URL. Using environment variables makes it easy to reference these values in commands.
sudo tee /root/.secrets/acme-eab.env > /dev/null << 'EOF'
# ACME Server EAB Credentials
export EAB_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
export HMAC_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
export EMAIL="admin@example.com"
export ACME_SERVER="https://demo.acme-server.com/directory"
EOF

WarningImportant: Replace the placeholder values with your actual credentials:

  1. EAB_KEY: Your External Account Binding Key ID
  2. HMAC_KEY: Your HMAC Key for authentication
  3. EMAIL: Your email address for notifications
  4. ACME_SERVER: Your ACME server's directory URL
4.2: Set Secure File Permissions
sudo chmod 600 /root/.secrets/acme-eab.env

4.3: Load the Configuration

What we're doing: The 'source' command loads the environment variables into your current shell session, making them available for use in subsequent commands.
source /root/.secrets/acme-eab.env

4.4: Make Configuration Persistent (Optional)

What we're doing: If you want these environment variables to be automatically loaded every time you open a new terminal session, add the source command to your .bashrc file.

echo "source /root/.secrets/acme-eab.env" >> /root/.bashrc

Notes
This is optional but convenient. If you skip this step, you'll need to run the 'source' command manually each time you want to use these credentials in a new terminal session.

 Verifying Your Installation

Before proceeding to issue certificates, let's verify that everything is installed and configured correctly. These verification steps will help you catch any configuration issues early.

Step 5: Run Verification Tests

5.1: Verify Certbot Installation

What we're checking: This displays Certbot's help information, confirming the command-line tool is properly installed and accessible.
certbot --help

5.2: Check DNS Plugin Availability

What we're checking: This command lists all installed Certbot plugins. You should see the Cloudflare DNS plugin in the output.
certbot --help

Expected output (should include):
* dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS)

5.3: Verify Credentials Files Exist

What we're checking: This confirms that your credentials files were created in the correct location with the proper permissions.
ls -la /root/.secrets/

Expected output:
total 16
drwx------ 2 root root 4096 Feb  9 10:00 .
drwx------ 6 root root 4096 Feb  9 10:00 ..
-rw------- 1 root root  150 Feb  9 10:00 acme-eab.env
-rw------- 1 root root  200 Feb  9 10:00 cloudflare.ini

? What to Look For: The directory should have 'drwx------' permissions (700), and both files should have '-rw-------' permissions (600). This means only root can read these files.


Sections

Quick Links

SSL Brands

Https Links

Have any Questions

Call HTTPS

If you have any questions, feel free to call us

Call: +91-22-42978097

sales@https.in