Certbot is a free, open-source software tool for automatically using digital certificates on Web sites to enable HTTPS. You can use Certbot to request certificates from Certificate Enrollment Gateway using the ACMEv2 protocol.
Preparing to use Certbot
Before using Certbot, configure Certbot to trust your root CA certificate using the REQUESTS_CA_BUNDLE environment variable.
- For example, to set the REQUESTS_CA_BUNDLE environment variable on Windows:
    set REQUESTS_CA_BUNDLE=<root-CA-cert-file>
  Where <root-CA-cert-file> is the path and file name of the root CA certificate file. For example:
    set REQUESTS_CA_BUNDLE=C:\root_ca.crt
- For example, to set the REQUESTS_CA_BUNDLE environment variable on Linux:
    sudo REQUESTS_CA_BUNDLE=<root-CA-cert-file>
  Where <root-CA-cert-file> is the path and file name of the root CA certificate file. For example:
    sudo REQUESTS_CA_BUNDLE=/tmp/root_ca.crt
  The assignment is written directly in front of the certbot command, on the same line, so that sudo sets the variable for Certbot.
Using Certbot to request a certificate
To request a certificate using Certbot, enter the following command:
certbot certonly -d <domain> --server <CEG-ACME-URL> --standalone --no-eff-email --agree-tos -m <email-address>
Where:
- <domain> is a domain to include in the certificate. You can specify multiple domains using multiple -d <domain> parameters. For example: -d example.com -d www.example.com
- <CEG-ACME-URL> is the ACMEv2 enrollment URL used to request a certificate from Certificate Enrollment Gateway. For details, see Configuring ACMEv2 clients for enrollment with Certificate Enrollment Gateway.
- --standalone requests a certificate if you do not want to use (or do not have) existing server software. Certbot will bind on port 80 to perform domain validation. Port 80 must be available and allowed through any configured firewalls. If another application such as a Web server is running and using port 80, disable the application.
- --no-eff-email forces Certbot to not share your e-mail address with the Electronic Frontier Foundation.
- --agree-tos will cause Certbot to automatically agree to the terms of service of the ACMEv2 server (Certificate Enrollment Gateway).
- <email-address> is the email address that Certbot uses when registering the ACME account with Certificate Enrollment Gateway. Certificate Enrollment Gateway will not send email messages to this email address.
For example:
certbot certonly -d example.com -d www.example.com --server https://cegserver.example.com/acme/tenant1/example_ca1/privatessl_tls_client/directory --standalone --no-eff-email --agree-tos -m notifications@example.com
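A pre-flight check for the two settings above, added here as an example (it is not part of the original page, Certbot or Certificate Enrollment Gateway): it confirms that the file named by REQUESTS_CA_BUNDLE, trusted on its own, validates the server's TLS certificate, and that the --server URL returns an ACMEv2 directory. The required key names come from RFC 8555; the function names, messages and script name are assumptions.

```python
import json
import os
import ssl
import sys
import urllib.request

# Resource URLs every ACMEv2 directory object carries (RFC 8555, section 7.1.1).
REQUIRED_KEYS = ("newNonce", "newAccount", "newOrder")


def missing_directory_keys(body):
    """Return the required directory keys that are absent from a response body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return list(REQUIRED_KEYS)  # not JSON at all, e.g. an HTML error page
    if not isinstance(doc, dict):
        return list(REQUIRED_KEYS)
    return [k for k in REQUIRED_KEYS if not isinstance(doc.get(k), str)]


def preflight(directory_url, ca_file=None):
    """Return a list of problems; an empty list means none was found."""
    ca_file = ca_file or os.environ.get("REQUESTS_CA_BUNDLE")
    if not directory_url.lower().startswith("https://"):
        return ["directory URL is not https"]
    if not ca_file or not os.path.isfile(ca_file):
        return ["REQUESTS_CA_BUNDLE does not name an existing file"]
    try:
        # With cafile given, only that file is trusted, not the system store.
        ctx = ssl.create_default_context(cafile=ca_file)
    except OSError as exc:  # ssl.SSLError is an OSError: file is not valid PEM
        return [f"cannot load CA file: {exc}"]
    try:
        with urllib.request.urlopen(directory_url, context=ctx, timeout=10) as r:
            body = r.read()
    except OSError as exc:  # URLError covers DNS, TCP and certificate failures
        return [f"cannot fetch directory: {exc}"]
    return [f"directory has no {k} URL" for k in missing_directory_keys(body)]


if __name__ == "__main__":
    # Usage: python3 preflight.py <CEG-ACME-URL>  (script name is an assumption)
    problems = preflight(sys.argv[1])
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

A "cannot fetch directory" result that mentions certificate verification means the root CA file does not match the chain the server presents, which is the same failure Certbot would hit.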