Certbot

Certbot is the official and most widely used ACME client for obtaining and renewing SSL/TLS certificates from Let's Encrypt (and other ACME-compatible certificate authorities). It automates the entire certificate lifecycle: domain validation, certificate issuance, web server configuration, and periodic renewal.

Certbot supports multiple domain validation methods. HTTP-01 challenge places a temporary file on the web server that Let's Encrypt verifies via HTTP request. DNS-01 challenge creates a temporary DNS TXT record, which is required for wildcard certificates (*.example.com). Certbot includes plugins for popular DNS providers (Cloudflare, Route53, DigitalOcean, etc.) that automate the DNS record creation.

Web server integration plugins automatically configure Apache or Nginx to use the obtained certificates. The --apache and --nginx flags handle everything: obtaining the certificate, modifying the virtual host configuration, and setting up HTTP-to-HTTPS redirects. For servers without these plugins, the certonly mode obtains certificates without modifying web server configuration.

Automatic renewal runs via a systemd timer or cron job (configured during installation). Certbot checks all managed certificates twice daily and renews any that will expire within 30 days. Pre and post-renewal hooks allow running custom commands (like restarting services) after certificate renewal.

For hosting providers running servers without a control panel (or using panels that lack Let's Encrypt integration), Certbot is the standard tool for SSL automation. It is also commonly used on load balancers, reverse proxies, mail servers, and other infrastructure that needs SSL certificates but does not have panel-integrated certificate management.

Certbot is written in Python and available through package managers on all major Linux distributions. The snap package is the recommended installation method as it includes automatic updates and isolation from system Python.