Skip to main content

Certbot: Issue and install certificate for Apache

Command syntax

At the command-line prompt, use the below command syntax to issue and install a certificate for the Apache web server:

sudo certbot --apache --register-unsafely-without-email --eab-kid {MY-KEY-IDENTIFIER} --eab-hmac-key {MY-HMAC-KEY} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} -d {FQDN}

Fill in values for the command arguments shown in curly braces, as described below:

Command argument

Description

{MY-KEY-IDENTIFIER}

The external account binding key identifier (KID) from your ACME credentials in CertCentral.Use um cliente ACME de terceiros para automações de host

{MY-HMAC-KEY}

The external account binding HMAC key from your ACME credentials.

{ACME-URL}

The ACME URL associated with your ACME credentials in CertCentral.

{MY-CONFIG-DIR}

The local directory path that stores your Certbot configuration files for the current application. The configuration files here control how and where Certbot installs the certificates it downloads. If you omit the --config-dir option, Certbot will check in the /etc/letsencrypt directory by default.

{FQDN}

The fully qualified domain name you want the certificate to secure. For each FQDN, add an additional -d option. The first one you specify is used as the common name (CN).

Example command:

sudo certbot --apache --register-unsafely-without-email --eab-kid zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g --eab-hmac-key RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnRA --server https://one.digicert.com/mpki/api/v1/acme/v2/directory --config-dir /usr/local/certbot/my_webserver_config/ -d my.host -d alias.my.host

Usage notes

  • If the requested certificate matches an existing order, CertCentral applies the default automation action for that order (see ACME automation actions). If there is no matching order, or if the ACME URL includes ?action=enroll, CertCentral treats it as a new order and enrolls the new certificate for you.

  • This command only works for OV/EV certificates for which the domain has been prevalidated in CertCentral. To issue DV certificates, or to issue OV/EV certificates when the domain is not prevalidated, you must use additional options to validate the domain dynamically through Certbot. For examples, see here (DNS-01 validation method) and here (HTTP-01 validation method).

Nesta secção: