{"id":3921,"library":"certbot","title":"Certbot","description":"Certbot is an easy-to-use ACME client developed by the EFF, designed to automate the process of obtaining and renewing free SSL/TLS certificates from Certificate Authorities like Let's Encrypt. It simplifies the setup of HTTPS on web servers by automatically configuring popular servers like Apache and Nginx. Currently at version 5.5.0, Certbot maintains an active development cycle with regular releases, typically on a monthly or bi-monthly basis.","status":"active","version":"5.5.0","language":"en","source_language":"en","source_url":"https://github.com/certbot/certbot","tags":["security","certificates","letsencrypt","acme","cli","https"],"install":[{"cmd":"pip install certbot","lang":"bash","label":"Basic installation (without web server plugins)"},{"cmd":"pip install 'certbot[apache]' # For Apache plugin\npip install 'certbot[nginx]'  # For Nginx plugin","lang":"bash","label":"Installation with web server plugins (recommended for automatic configuration)"},{"cmd":"sudo apt install certbot python3-certbot-apache # On Debian/Ubuntu for Apache\nsudo dnf install certbot python3-certbot-nginx   # On RHEL/Fedora for Nginx","lang":"bash","label":"System package manager installation (recommended for server deployments)"}],"dependencies":[{"reason":"Required by certbot-nginx plugin (>=3.0.0 since v5.4.0).","package":"pyparsing","optional":true},{"reason":"System dependency often required for Apache plugin for configuration parsing.","package":"augeas","optional":true}],"imports":[{"note":"Certbot is designed for CLI execution on a web server, not as a Python library for direct application integration.","symbol":"certbot","correct":"Certbot is primarily a command-line utility. Direct programmatic import and use of its core functionality is generally not recommended for end-users managing certificates. For programmatic interaction with the ACME protocol, consider using the 'acme' library (from 'from acme import ...')."}],"quickstart":{"code":"# To obtain and install a certificate for example.com using the Nginx plugin:\nsudo certbot --nginx -d example.com -d www.example.com\n\n# To obtain a certificate without installing it (e.g., for manual setup):\nsudo certbot certonly --webroot -w /var/www/html -d example.com\n\n# To renew all certificates automatically (typically run via cron):\nsudo certbot renew --dry-run # Test renewal without actual changes\nsudo certbot renew","lang":"bash","description":"Certbot's primary interface is the command line. These examples show how to obtain and install a certificate for Nginx, obtain a certificate using the webroot method, and perform a renewal. For full automation, `certbot renew` is typically scheduled via a cron job."},"warnings":[{"fix":"Review your code for direct dependencies on `acme.crypto_util.SSLSocket` or `pyopenssl` x509/PKey objects if you were using Certbot's internal APIs. Most users interacting via CLI will be unaffected.","message":"In `v5.0.0`, Certbot removed final instances of `pyopenssl` x509 and PKey objects, and `acme.crypto_util.SSLSocket` was removed. Code directly interacting with these specific internal APIs will break.","severity":"breaking","affected_versions":">=5.0.0"},{"fix":"Ensure `certbot` is installed with the appropriate extras (`pip install 'certbot[apache]'` or `pip install 'certbot[nginx]'`). If you had custom programmatic interactions with plugin internals, review the new `certbot` package structure.","message":"As of `v5.5.0`, nearly all code for `certbot-nginx` and `certbot-apache` plugins has been moved into private modules within the `certbot` package, which now offers 'apache' and 'nginx' extras. While command-line users should notice no major changes, programmatic users or those with custom plugin integrations might be affected by this architectural shift in package structure and import paths. Existing `certbot-apache` and `certbot-nginx` packages now primarily serve as dependencies that register the plugin functionality.","severity":"breaking","affected_versions":">=5.5.0"},{"fix":"Avoid using `acme.crypto_util.make_self_signed_cert` and `certbot.ocsp` in any custom scripts or integrations.","message":"The function `acme.crypto_util.make_self_signed_cert` was deprecated in `v5.1.0` and will be removed in a future release. Additionally, the `certbot.ocsp` module was deprecated in `v5.5.0` and will be removed in the next major release.","severity":"deprecated","affected_versions":">=5.1.0 (for `make_self_signed_cert`), >=5.5.0 (for `certbot.ocsp`)"},{"fix":"Include `--preferred-profile shortlived` when requesting IP address SANs with Let's Encrypt to ensure successful issuance: `certbot certonly --standalone --ip-address <your_ip> --preferred-profile shortlived`.","message":"When requesting certificates with IP address SANs using the standalone or manual plugin (via the `--ip-address` flag introduced in `v5.3.0`), you will also need to pass `--preferred-profile shortlived` for Let's Encrypt's implementation of IP address certificates.","severity":"gotcha","affected_versions":">=5.3.0"},{"fix":"Be aware that any scripts configured as deploy hooks will execute upon initial certificate issuance via `certonly` or `run` commands, in addition to renewals. Adjust hook logic if this behavior is not desired for initial issuance.","message":"Deploy directory hooks are now also run when using `certbot certonly` or `certbot run` to get a new certificate, not just during renewals. This change was introduced in `v5.3.0`.","severity":"gotcha","affected_versions":">=5.3.0"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}