Certbot basic usage
Certbot can be installed through your distribution's package manager, by downloading its git repository, or through pip.
Register an account
This is done interactively if you request a certificate from a CA without being registered.
root@acme:~# certbot register -m 'YOUR_EMAIL' --agree-tos --server 'https://api.buypass.com/acme/directory/'
Obtain a certificate using a webroot and HTTP-01 challenge
This requires an active root directory for the domain you are requesting the certificate for.
root@acme:~# certbot certonly --webroot -w /var/www/example.com/public_html/ -d example.buypass.com -d www.example.buypass.com --server 'https://api.buypass.com/acme/directory'
Obtain a certificate using Apache / Nginx / Standalone and HTTP-01 challenge
This method hooks into the currently running Apache / Nginx installation and manages the process on your behalf. Standalone requires ports 80 and 443 to be available and is used if you don't have a web server running.
root@acme:~# certbot certonly --nginx -d example.buypass.com -d www.example.buypass.com --server 'https://api.buypass.com/acme/directory/'
Obtain a certificate using DNS-01 challenge
There are multiple methods of obtaining a certificate via DNS-01 challenges. The following method uses the DNS-01 challenge but requires manual DNS configuration. The DNS record that has to be created is, in this example, a TXT record for "_acme-challenge.example.buypass.com", with its value set to the challenge value you received.
root@acme:~# certbot certonly --manual --preferred-challenges dns -d example.buypass.com --server "https://api.buypass.com/acme/directory"
The DNS challenge can be automated for certain DNS providers, because Certbot provides a set of plugins that automate the creation / update of the challenge records: https://certbot.eff.org/docs/using.html?highlight=dns#dns-plugins
The following example utilises the DigitalOcean plugin, which is documented at https://certbot-dns-digitalocean.readthedocs.io/en/stable/.
root@acme:~# certbot certonly --dns-digitalocean --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini -d example.buypass.com --server "https://api.buypass.com/acme/directory"
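The credentials file passed to --dns-digitalocean-credentials holds an API token that can change DNS records, so it should be readable by its owner only. The following pre-flight check is an added example, not part of the original page or of Certbot; the function name check_dns_credentials is hypothetical, and the dns_digitalocean_token key is assumed from the plugin documentation linked above.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check for the
# credentials file passed to --dns-digitalocean-credentials.
# Assumption: the file uses the dns_digitalocean_token key described in the
# certbot-dns-digitalocean documentation.

# check_dns_credentials FILE
# Return codes: 0 ok, 1 missing / symlink / not a regular file,
#               2 accessible by group or others, 3 no token value set.
check_dns_credentials() {
    cred_file=$1

    # Refuse symlinks so the check applies to the file that is actually named.
    if [ -L "$cred_file" ] || [ ! -f "$cred_file" ]; then
        echo "FAIL: $cred_file is missing or is not a regular file" >&2
        return 1
    fi

    # Octal permission bits: GNU stat first, BSD/macOS stat as fallback.
    cred_mode=$(stat -c '%a' "$cred_file" 2>/dev/null ||
                stat -f '%Lp' "$cred_file") || return 1

    # Any bit set for group or others (mask 077) exposes the API token.
    if [ $(( 0$cred_mode & 077 )) -ne 0 ]; then
        echo "FAIL: $cred_file has mode $cred_mode, run: chmod 600 $cred_file" >&2
        return 2
    fi

    # The token line must exist and carry a non-empty value.
    if ! grep -Eq '^[[:space:]]*dns_digitalocean_token[[:space:]]*=[[:space:]]*[^[:space:]]+' "$cred_file"; then
        echo "FAIL: no dns_digitalocean_token value in $cred_file" >&2
        return 3
    fi

    echo "OK: $cred_file (mode $cred_mode)"
    return 0
}

# Usage: check_dns_credentials ~/.secrets/certbot/digitalocean.ini && certbot certonly ...
```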
The currently active certificate should be located at /etc/letsencrypt/live/[FQDN]/ when either nginx, the DNS challenge or standalone is used. If a webroot was specified, that is where the certificate will be stored, e.g. /var/www/[FQDN]/.