Install and configure Certbot for SeFlowSSL CaaS (Sectigo ACME)

SeFlowSSL CaaS (Sectigo ACME) uses the ACME protocol to automate SSL/TLS certificate issuance, validation, installation, and renewal.

This guide explains how to install Certbot for Apache and NGINX on the most common Linux distributions and how to configure it to use the SeFlowSSL CaaS ACME infrastructure.

Before you start, make sure you have root or sudo access to the server, a domain already pointing to the server, and the ACME credentials provided by SeFlowSSL CaaS.

Debian and Ubuntu distributions

On Debian and Ubuntu, Certbot can be installed using the APT package manager or Snap.

Method 1. Installation using APT

Update package repositories:

sudo apt update

Install Certbot and the required plugin for your web server.

Apache:

sudo apt install certbot python3-certbot-apache

NGINX:

sudo apt install certbot python3-certbot-nginx

Method 2. Installation using Snap

Install Snap and refresh the core:

sudo apt install snapd
sudo snap refresh

Install Certbot:

sudo snap install --classic certbot

Create the symbolic link:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Red Hat, AlmaLinux, Rocky Linux and CentOS distributions

On Red Hat-based systems, Certbot can be installed using DNF, YUM, or Snap. Where a step below lists both a dnf and a yum command, run only the one that matches your release.

Method 1. Installation using DNF or YUM

Enable the EPEL repository:

sudo dnf install epel-release
sudo yum install epel-release

Update the system:

sudo dnf clean all
sudo dnf update

sudo yum clean all
sudo yum update

Install Certbot and the required plugin for your web server.

Apache:

sudo dnf install certbot python3-certbot-apache
sudo yum install certbot python3-certbot-apache

NGINX:

sudo dnf install certbot python3-certbot-nginx
sudo yum install certbot python3-certbot-nginx

Method 2. Installation using Snap

Install the Snap core and refresh it:

sudo snap install core
sudo snap refresh core

Install Certbot:

sudo snap install --classic certbot

Create the symbolic link:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Certbot configuration

After installation, Certbot must be configured to use the SeFlowSSL CaaS ACME endpoint instead of the default Let's Encrypt endpoint.

The configuration requires three values provided with the service:

  • ACME server URL
  • EAB KID
  • EAB HMAC Key

Automatic certificate installation

Automatic mode allows Certbot to request, validate, and install the certificate directly on the configured web server.

Command structure, for NGINX:

sudo certbot --nginx --non-interactive --agree-tos --email admin@example.com --server https://acme.seflowssl.example/directory --eab-kid YOUR_EAB_KID --eab-hmac-key YOUR_EAB_HMAC_KEY --domain example.com

For Apache:

sudo certbot --apache --non-interactive --agree-tos --email admin@example.com --server https://acme.seflowssl.example/directory --eab-kid YOUR_EAB_KID --eab-hmac-key YOUR_EAB_HMAC_KEY --domain example.com

Main parameters explained

  • --nginx uses the Certbot plugin for NGINX.
  • --apache uses the Certbot plugin for Apache.
  • --non-interactive runs the command without manual prompts.
  • --agree-tos accepts the terms of service.
  • --email sets the email address associated with the ACME account.
  • --server defines the SeFlowSSL CaaS ACME endpoint.
  • --eab-kid identifies the account through External Account Binding.
  • --eab-hmac-key contains the EAB authentication key.
  • --domain defines the domain for certificate issuance.

Replace admin@example.com, example.com, YOUR_EAB_KID, YOUR_EAB_HMAC_KEY, and the ACME URL with the real values provided by SeFlowSSL CaaS.
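The EAB HMAC key is an account credential, and passing it on the command line leaves it in shell history and process listings. As an added example, not part of the SeFlowSSL CaaS guide, the following POSIX shell script renders the three service values into a Certbot cli.ini with owner-only permissions and refuses to emit a file that still contains the guide's placeholders or a non-HTTPS directory URL. The output path and the kid/hmac sample values are assumptions.

```shell
#!/bin/sh
# Added example: keep the EAB credentials in a Certbot config file instead of
# on the command line. Values and paths here are constructed for the demo.
set -eu

# Reject placeholders and non-HTTPS ACME directory URLs. Returns 1 on bad input.
validate_acme_settings() {
  server="$1"; kid="$2"; hmac="$3"
  case "$server" in
    https://*/directory) ;;
    *) echo "ACME server must be an https:// directory URL" >&2; return 1 ;;
  esac
  for v in "$kid" "$hmac"; do
    case "$v" in
      ""|YOUR_EAB_KID|YOUR_EAB_HMAC_KEY)
        echo "EAB credentials still contain a placeholder" >&2; return 1 ;;
    esac
  done
  return 0
}

# Print the cli.ini body for the given settings on stdout (nothing is written).
# Certbot accepts any long option, without the leading dashes, as a key here.
render_certbot_ini() {
  validate_acme_settings "$1" "$2" "$3" || return 1
  printf '%s\n' \
    "# Generated for SeFlowSSL CaaS (Sectigo ACME); keep this file mode 0600" \
    "server = $1" \
    "eab-kid = $2" \
    "eab-hmac-key = $3" \
    "email = $4" \
    "agree-tos = true" \
    "non-interactive = true"
}

# Write the rendered config with owner-only permissions and echo its path.
write_certbot_ini() {
  path="$1"; shift
  body="$(render_certbot_ini "$@")" || return 1
  ( umask 077; printf '%s\n' "$body" > "$path" )
  echo "$path"
}

# Demo run with constructed values; the real ones come from SeFlowSSL CaaS.
if [ "${1:-}" = "--demo" ]; then
  write_certbot_ini "$(mktemp)" "https://acme.seflowssl.example/directory" \
    "kid_demo_123" "hmac_demo_456" "admin@example.com"
fi
```

With the file installed as /etc/letsencrypt/cli.ini (Certbot's default config path), the issuance commands from this guide reduce to `sudo certbot --nginx --domain example.com` or `sudo certbot --apache --domain example.com`, and `certbot renew` reuses the same settings.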

Complete NGINX example

sudo certbot --nginx --non-interactive --agree-tos --email admin@example.com --server https://acme.seflowssl.example/directory --eab-kid YOUR_EAB_KID --eab-hmac-key YOUR_EAB_HMAC_KEY --domain example.com

Complete Apache example

sudo certbot --apache --non-interactive --agree-tos --email admin@example.com --server https://acme.seflowssl.example/directory --eab-kid YOUR_EAB_KID --eab-hmac-key YOUR_EAB_HMAC_KEY --domain example.com

Automatic renewal

Certbot usually configures automatic renewal through a systemd timer or cron. You can test renewal with this command:

sudo certbot renew --dry-run

If the test completes without errors, the server is ready to renew certificates issued through SeFlowSSL CaaS automatically.
