From 168787c58d3c6bcd8b313b12498de1a420d750f4 Mon Sep 17 00:00:00 2001 From: Peter Conrad Date: Wed, 12 Oct 2016 15:30:21 -0700 Subject: [PATCH 1/4] Fixing a weird out-of-place paragraph in the Getting Certbot section --- docs/using.rst | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/docs/using.rst b/docs/using.rst index d18d118cf..41e99f716 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -29,7 +29,12 @@ modern OSes based on Debian, Fedora, SUSE, Gentoo and Darwin. Getting Certbot =============== +Certbot is packaged for many common operating systems and web servers. Check whether +``certbot`` (or ``letsencrypt``) is packaged for your web server's OS by visiting +certbot.eff.org_, where you will also find the correct installation instructions for +your system. +.. Note:: Unless you have very specific requirements, we kindly suggest that you use the Certbot packages provided by your package manager (see certbot.eff.org_). If such packages are not available, we recommend using ``certbot-auto``, which automates the process of installing Certbot on your system. .. _certbot.eff.org: https://certbot.eff.org .. _certbot-auto: https://certbot.eff.org/docs/using.html#certbot-auto 
@@ -42,13 +47,6 @@ to, equivalently, as "subcommands") to request specific actions such as obtaining, renewing, or revoking certificates. Some of the most important and most commonly-used commands will be discussed throughout this document; an exhaustive list also appears near the end of the document. -======= -Certbot is packaged for many common operating systems and web servers. Check whether -``certbot`` (or ``letsencrypt``) is packaged for your web server's OS by visiting -certbot.eff.org_, where you will also find the correct installation instructions for -your system. - -.. Note:: Unless you have very specific requirements, we kindly suggest that you use the Certbot packages provided by your package manager (see certbot.eff.org_). If such packages are not available, we recommend using ``certbot-auto``, which automates the process of installing Certbot on your system. The ``certbot`` script on your web server might be named ``letsencrypt`` if your system uses an older package, or ``certbot-auto`` if you used an alternate installation method. Throughout the docs, whenever you see ``certbot``, swap in the correct name as needed. From 5345195e0c443efe850306a34e1cdfd32f1d4279 Mon Sep 17 00:00:00 2001 From: Peter Conrad Date: Fri, 21 Oct 2016 16:24:43 -0700 Subject: [PATCH 2/4] De-duping and clarifying installation information, separating it from Using. --- README.rst | 2 +- docs/install.rst | 209 ++++++++++++++++++++++++++++++++++++++++++---- docs/using.rst | 213 +---------------------------------------------- 3 files changed, 199 insertions(+), 225 deletions(-) diff --git a/README.rst b/README.rst index 244b6b510..f986703ac 100644 --- a/README.rst +++ b/README.rst 
@@ -32,7 +32,7 @@ Installation The easiest way to install Certbot is by visiting `certbot.eff.org`_, where you can find the correct installation instructions for many web server and OS combinations. -For more information, see the `User Guide `_. +For more information, see `Get Certbot `_. .. _certbot.eff.org: https://certbot.eff.org/ diff --git a/docs/install.rst b/docs/install.rst index e79a3b596..410a617d6 100644 --- a/docs/install.rst +++ b/docs/install.rst 
@@ -1,13 +1,53 @@ ===================== -Quick Installation +Get Certbot ===================== -If ``certbot`` (or ``letsencrypt``) is packaged for your Unix OS (visit -certbot.eff.org_ to find out), you can install it -from there, and run it by typing ``certbot`` (or ``letsencrypt``). Because -not all operating systems have packages yet, we provide a temporary solution -via the ``certbot-auto`` wrapper script, which obtains some dependencies from -your OS and puts others in a python virtual environment:: +.. _installation: + +Certbot is packaged for many common operating systems and web servers. Check whether +``certbot`` (or ``letsencrypt``) is packaged for your web server's OS by visiting +certbot.eff.org_, where you will also find the correct installation instructions for +your system. + +.. Note:: Unless you have very specific requirements, we kindly suggest that you use the Certbot packages provided by your package manager (see certbot.eff.org_). If such packages are not available, we recommend using ``certbot-auto``, which automates the process of installing Certbot on your system. + +.. _certbot.eff.org: https://certbot.eff.org + +.. _certbot-auto: https://certbot.eff.org/docs/install.html#certbot-auto + +System Requirements +=================== + +The Let's Encrypt Client presently only runs on Unix-ish OSes that include +Python 2.6 or 2.7; Python 3.x support will hopefully be added in the future. The +client requires root access in order to write to ``/etc/letsencrypt``, +``/var/log/letsencrypt``, ``/var/lib/letsencrypt``; to bind to ports 80 and 443 +(if you use the ``standalone`` plugin) and to read and modify webserver +configurations (if you use the ``apache`` or ``nginx`` plugins). If none of +these apply to you, it is theoretically possible to run without root privileges, +but for most users who want to avoid running an ACME client as root, either +`letsencrypt-nosudo `_ or +`simp_le `_ are more appropriate choices. 
+ +The Apache plugin currently requires OS with augeas version 1.0; currently `it +supports +`_ +modern OSes based on Debian, Fedora, SUSE, Gentoo and Darwin. + +Alternate installation methods +================================ + +If you are offline or your operating system doesn't provide a package, you can use +an alternate method for installing ``certbot``. + +.. _certbot-auto: + +Certbot-Auto +------------ + +The ``certbot-auto`` wrapper script installs Certbot, obtaining some dependencies +from your web server OS and putting others in a python virtual environment. You can +download and run it as follows:: user@webserver:~$ wget https://dl.eff.org/certbot-auto user@webserver:~$ chmod a+x ./certbot-auto 
@@ -20,14 +60,155 @@ your OS and puts others in a python virtual environment:: user@server:~$ gpg2 --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2 user@server:~$ gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc certbot-auto -And for full command line help, you can type:: +The ``certbot-auto`` command updates to the latest client release automatically. +Since ``certbot-auto`` is a wrapper to ``certbot``, it accepts exactly +the same command line flags and arguments. For more information, see +`Certbot command-line options `_. + +For full command line help, you can type:: ./certbot-auto --help all -``certbot-auto`` updates to the latest client release automatically. And -since ``certbot-auto`` is a wrapper to ``certbot``, it accepts exactly -the same command line flags and arguments. More details about this script and -other installation methods can be found `in the User Guide -`_. +Running with Docker +------------------- + +Docker_ is an amazingly simple and quick way to obtain a +certificate. However, this mode of operation is unable to install +certificates or configure your webserver, because our installer +plugins cannot reach your webserver from inside the Docker container. + +Most users should use the operating system packages (see instructions at +certbot.eff.org_) or, as a fallback, ``certbot-auto``. You should only +use Docker if you are sure you know what you are doing and have a +good reason to do so. + +You should definitely read the :ref:`where-certs` section, in order to +know how to manage the certs +manually. `Our ciphersuites page `__ +provides some information about recommended ciphersuites. If none of +these make much sense to you, you should definitely use the +certbot-auto_ method, which enables you to use installer plugins +that cover both of those hard topics. 
+ +If you're still not convinced and have decided to use this method, +from the server that the domain you're requesting a cert for resolves +to, `install Docker`_, then issue the following command: + +.. code-block:: shell + + sudo docker run -it --rm -p 443:443 -p 80:80 --name certbot \ + -v "/etc/letsencrypt:/etc/letsencrypt" \ + -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \ + quay.io/letsencrypt/letsencrypt:latest certonly + +Running Certbot with the ``certonly`` command will obtain a certificate and place it in the directory +``/etc/letsencrypt/live`` on your system. Because Certonly cannot install the certificate from +within Docker, you must install the certificate manually according to the procedure +recommended by the provider of your webserver. + +For more information about the layout +of the ``/etc/letsencrypt`` directory, see :ref:`where-certs`. + +.. _Docker: https://docker.com +.. _`install Docker`: https://docs.docker.com/userguide/ + +Operating System Packages +------------------------- + +**FreeBSD** + + * Port: ``cd /usr/ports/security/py-certbot && make install clean`` + * Package: ``pkg install py27-certbot`` + +**OpenBSD** + + * Port: ``cd /usr/ports/security/letsencrypt/client && make install clean`` + * Package: ``pkg_add letsencrypt`` + +**Arch Linux** + +.. code-block:: shell + + sudo pacman -S certbot + +**Debian** + +If you run Debian Stretch or Debian Sid, you can install certbot packages. + +.. code-block:: shell + + sudo apt-get update + sudo apt-get install certbot python-certbot-apache + +If you don't want to use the Apache plugin, you can omit the +``python-certbot-apache`` package. + +Packages exist for Debian Jessie via backports. First you'll have to follow the +instructions at http://backports.debian.org/Instructions/ to enable the Jessie backports +repo, if you have not already done so. Then run: + +.. code-block:: shell + + sudo apt-get install letsencrypt python-letsencrypt-apache -t jessie-backports + +**Fedora** + +.. 
code-block:: shell + + sudo dnf install letsencrypt + +**Gentoo** + +The official Certbot client is available in Gentoo Portage. If you +want to use the Apache plugin, it has to be installed separately: + +.. code-block:: shell + + emerge -av app-crypt/letsencrypt + emerge -av app-crypt/letsencrypt-apache + +When using the Apache plugin, you will run into a "cannot find a cert or key +directive" error if you're sporting the default Gentoo ``httpd.conf``. +You can fix this by commenting out two lines in ``/etc/apache2/httpd.conf`` +as follows: + +Change + +.. code-block:: shell + + + LoadModule ssl_module modules/mod_ssl.so + + +to + +.. code-block:: shell + + # + LoadModule ssl_module modules/mod_ssl.so + # + +For the time being, this is the only way for the Apache plugin to recognise +the appropriate directives when installing the certificate. +Note: this change is not required for the other plugins. + +**Other Operating Systems** + +OS packaging is an ongoing effort. If you'd like to package +Certbot for your distribution of choice please have a +look at the :doc:`packaging`. + +Installing from source +---------------------- + +Installation from source is only supported for developers and the +whole process is described in the :doc:`contributing`. + +.. warning:: Please do **not** use ``python setup.py install`` or + ``python pip install .``. Please do **not** attempt the + installation commands as superuser/root and/or without virtual + environment, e.g. ``sudo python setup.py install``, ``sudo pip + install``, ``sudo ./venv/bin/...``. These modes of operation might + corrupt your operating system and are **not supported** by the + Certbot team! -.. _certbot.eff.org: https://certbot.eff.org/ diff --git a/docs/using.rst b/docs/using.rst index 57589349b..c7415969f 100644 --- a/docs/using.rst +++ b/docs/using.rst 
@@ -5,42 +5,8 @@ User Guide .. contents:: Table of Contents :local: -.. _installation: - -System Requirements -=================== - -The Let's Encrypt Client presently only runs on Unix-ish OSes that include -Python 2.6 or 2.7; Python 3.x support will hopefully be added in the future. The -client requires root access in order to write to ``/etc/letsencrypt``, -``/var/log/letsencrypt``, ``/var/lib/letsencrypt``; to bind to ports 80 and 443 -(if you use the ``standalone`` plugin) and to read and modify webserver -configurations (if you use the ``apache`` or ``nginx`` plugins). If none of -these apply to you, it is theoretically possible to run without root privileges, -but for most users who want to avoid running an ACME client as root, either -`letsencrypt-nosudo `_ or -`simp_le `_ are more appropriate choices. - -The Apache plugin currently requires OS with augeas version 1.0; currently `it -supports -`_ -modern OSes based on Debian, Fedora, SUSE, Gentoo and Darwin. - - -Getting Certbot -=============== -Certbot is packaged for many common operating systems and web servers. Check whether -``certbot`` (or ``letsencrypt``) is packaged for your web server's OS by visiting -certbot.eff.org_, where you will also find the correct installation instructions for -your system. - -.. Note:: Unless you have very specific requirements, we kindly suggest that you use the Certbot packages provided by your package manager (see certbot.eff.org_). If such packages are not available, we recommend using ``certbot-auto``, which automates the process of installing Certbot on your system. -.. _certbot.eff.org: https://certbot.eff.org - -.. _certbot-auto: https://certbot.eff.org/docs/using.html#certbot-auto - -Commands -======== +The Certbot Client +================== The Certbot client uses a number of different "commands" (also referred to, equivalently, as "subcommands") to request specific actions such as 
@@ -50,182 +16,9 @@ document; an exhaustive list also appears near the end of the document. The ``certbot`` script on your web server might be named ``letsencrypt`` if your system uses an older package, or ``certbot-auto`` if you used an alternate installation method. Throughout the docs, whenever you see ``certbot``, swap in the correct name as needed. - -Other installation methods --------------------------- -If you are offline or your operating system doesn't provide a package, you can use -an alternate method for installing ``certbot``. - -Certbot-Auto -^^^^^^^^^^^^ -The ``certbot-auto`` wrapper script installs Certbot, obtaining some dependencies -from your web server OS and putting others in a python virtual environment. You can -download and run it as follows:: - - user@webserver:~$ wget https://dl.eff.org/certbot-auto - user@webserver:~$ chmod a+x ./certbot-auto - user@webserver:~$ ./certbot-auto --help - -.. hint:: The certbot-auto download is protected by HTTPS, which is pretty good, but if you'd like to - double check the integrity of the ``certbot-auto`` script, you can use these steps for verification before running it:: - - user@server:~$ wget -N https://dl.eff.org/certbot-auto.asc - user@server:~$ gpg2 --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2 - user@server:~$ gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc certbot-auto - -The ``certbot-auto`` command updates to the latest client release automatically. -Since ``certbot-auto`` is a wrapper to ``certbot``, it accepts exactly -the same command line flags and arguments. For more information, see -`Certbot command-line options `_. - -Running with Docker -^^^^^^^^^^^^^^^^^^^ - -Docker_ is an amazingly simple and quick way to obtain a -certificate. However, this mode of operation is unable to install -certificates or configure your webserver, because our installer -plugins cannot reach your webserver from inside the Docker container. 
- -Most users should use the operating system packages (see instructions at -certbot.eff.org_) or, as a fallback, ``certbot-auto``. You should only -use Docker if you are sure you know what you are doing and have a -good reason to do so. - -You should definitely read the :ref:`where-certs` section, in order to -know how to manage the certs -manually. `Our ciphersuites page `__ -provides some information about recommended ciphersuites. If none of -these make much sense to you, you should definitely use the -certbot-auto_ method, which enables you to use installer plugins -that cover both of those hard topics. - -If you're still not convinced and have decided to use this method, -from the server that the domain you're requesting a cert for resolves -to, `install Docker`_, then issue the following command: - -.. code-block:: shell - - sudo docker run -it --rm -p 443:443 -p 80:80 --name certbot \ - -v "/etc/letsencrypt:/etc/letsencrypt" \ - -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \ - quay.io/letsencrypt/letsencrypt:latest certonly - -Running Certbot with the ``certonly`` command will obtain a certificate and place it in the directory -``/etc/letsencrypt/live`` on your system. Because Certonly cannot install the certificate from -within Docker, you must install the certificate manually according to the procedure -recommended by the provider of your webserver. - -For more information about the layout -of the ``/etc/letsencrypt`` directory, see :ref:`where-certs`. - -.. _Docker: https://docker.com -.. _`install Docker`: https://docs.docker.com/userguide/ - - -Operating System Packages -^^^^^^^^^^^^^^^^^^^^^^^^^ - -**FreeBSD** - - * Port: ``cd /usr/ports/security/py-certbot && make install clean`` - * Package: ``pkg install py27-certbot`` - -**OpenBSD** - - * Port: ``cd /usr/ports/security/letsencrypt/client && make install clean`` - * Package: ``pkg_add letsencrypt`` - -**Arch Linux** - -.. 
code-block:: shell - - sudo pacman -S certbot - -**Debian** - -If you run Debian Stretch or Debian Sid, you can install certbot packages. - -.. code-block:: shell - - sudo apt-get update - sudo apt-get install certbot python-certbot-apache - -If you don't want to use the Apache plugin, you can omit the -``python-certbot-apache`` package. - -Packages exist for Debian Jessie via backports. First you'll have to follow the -instructions at http://backports.debian.org/Instructions/ to enable the Jessie backports -repo, if you have not already done so. Then run: - -.. code-block:: shell - - sudo apt-get install letsencrypt python-letsencrypt-apache -t jessie-backports - -**Fedora** - -.. code-block:: shell - - sudo dnf install letsencrypt - -**Gentoo** - -The official Certbot client is available in Gentoo Portage. If you -want to use the Apache plugin, it has to be installed separately: - -.. code-block:: shell - - emerge -av app-crypt/letsencrypt - emerge -av app-crypt/letsencrypt-apache - -When using the Apache plugin, you will run into a "cannot find a cert or key -directive" error if you're sporting the default Gentoo ``httpd.conf``. -You can fix this by commenting out two lines in ``/etc/apache2/httpd.conf`` -as follows: - -Change - -.. code-block:: shell - - - LoadModule ssl_module modules/mod_ssl.so - - -to - -.. code-block:: shell - - # - LoadModule ssl_module modules/mod_ssl.so - # - -For the time being, this is the only way for the Apache plugin to recognise -the appropriate directives when installing the certificate. -Note: this change is not required for the other plugins. - -**Other Operating Systems** - -OS packaging is an ongoing effort. If you'd like to package -Certbot for your distribution of choice please have a -look at the :doc:`packaging`. - - -Installing from source -^^^^^^^^^^^^^^^^^^^^^^ - -Installation from source is only supported for developers and the -whole process is described in the :doc:`contributing`. - -.. 
warning:: Please do **not** use ``python setup.py install`` or - ``python pip install .``. Please do **not** attempt the - installation commands as superuser/root and/or without virtual - environment, e.g. ``sudo python setup.py install``, ``sudo pip - install``, ``sudo ./venv/bin/...``. These modes of operation might - corrupt your operating system and are **not supported** by the - Certbot team! - .. _plugins: -Getting certificates (and chosing plugins) +Getting certificates (and choosing plugins) ========================================== The Certbot client supports a number of different "plugins" that can be From 8f3f166186264a6a962a16258c15b4b3254f592e Mon Sep 17 00:00:00 2001 From: Peter Conrad Date: Thu, 27 Oct 2016 11:34:35 -0700 Subject: [PATCH 3/4] Responding to feedback at https://github.com/certbot/certbot/pull/3675#pullrequestreview-5757007 --- docs/install.rst | 8 ++++++-- docs/using.rst | 8 ++++---- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/docs/install.rst b/docs/install.rst index 410a617d6..56f6c1189 100644 --- a/docs/install.rst +++ b/docs/install.rst @@ -2,7 +2,12 @@ Get Certbot ===================== -.. _installation: +.. contents:: Table of Contents + :local: + + +About Certbot +============= Certbot is packaged for many common operating systems and web servers. Check whether ``certbot`` (or ``letsencrypt``) is packaged for your web server's OS by visiting @@ -13,7 +18,6 @@ your system. .. _certbot.eff.org: https://certbot.eff.org -.. _certbot-auto: https://certbot.eff.org/docs/install.html#certbot-auto System Requirements =================== diff --git a/docs/using.rst b/docs/using.rst index c7415969f..1becea8ea 100644 --- a/docs/using.rst +++ b/docs/using.rst 
@@ -5,10 +5,10 @@ User Guide .. contents:: Table of Contents :local: -The Certbot Client -================== +Certbot Commands +================ -The Certbot client uses a number of different "commands" (also referred +Certbot uses a number of different "commands" (also referred to, equivalently, as "subcommands") to request specific actions such as obtaining, renewing, or revoking certificates. Some of the most important and most commonly-used commands will be discussed throughout this @@ -19,7 +19,7 @@ The ``certbot`` script on your web server might be named ``letsencrypt`` if your .. _plugins: Getting certificates (and choosing plugins) -========================================== +=========================================== The Certbot client supports a number of different "plugins" that can be used to obtain and/or install certificates. From ad65b6317ddc4bb5fd374daabdea6b0ca96cd61f Mon Sep 17 00:00:00 2001 From: Peter Conrad Date: Thu, 12 Jan 2017 17:27:59 -0800 Subject: [PATCH 4/4] Edits to using.rst --- docs/using.rst | 59 ++++++++++++++++++++------------------------------ 1 file changed, 24 insertions(+), 35 deletions(-) diff --git a/docs/using.rst b/docs/using.rst index a5493b145..a1881852e 100644 --- a/docs/using.rst +++ b/docs/using.rst 
@@ -8,10 +8,10 @@ User Guide Certbot Commands ================ -Certbot uses a number of different "commands" (also referred -to, equivalently, as "subcommands") to request specific actions such as -obtaining, renewing, or revoking certificates. Some of the most important -and most commonly-used commands will be discussed throughout this +Certbot uses a number of different commands (also referred +to as "subcommands") to request specific actions such as +obtaining, renewing, or revoking certificates. The most important +and commonly-used commands will be discussed throughout this document; an exhaustive list also appears near the end of the document. The ``certbot`` script on your web server might be named ``letsencrypt`` if your system uses an older package, or ``certbot-auto`` if you used an alternate installation method. Throughout the docs, whenever you see ``certbot``, swap in the correct name as needed. 
@@ -21,24 +21,24 @@ The ``certbot`` script on your web server might be named ``letsencrypt`` if your Getting certificates (and choosing plugins) =========================================== -The Certbot client supports a number of different "plugins" that can be -used to obtain and/or install certificates. +The Certbot client supports two types of plugins for +obtaining and installing certificates. -Plugins that can obtain a cert are called "authenticators" and can be used with -the "certonly" command. This will carry out the steps needed to validate that you -control the domain(s) you are requesting a cert for, obtain a cert for the specified -domain(s), and place it in the ``/etc/letsencrypt`` directory on your -machine - without editing any of your server's configuration files to serve the -obtained certificate. If you specify multiple domains to authenticate, they will +Authenticators are plugins used with the ``certonly`` command to obtain a cert. +The authenticator validates that you +control the domain(s) you are requesting a cert for, obtains a cert for the specified +domain(s), and places the cert in the ``/etc/letsencrypt`` directory on your +machine. The authenticator does not install the cert (it does not edit any of your server's configuration files to serve the +obtained certificate). If you specify multiple domains to authenticate, they will all be listed in a single certificate. To obtain multiple seperate certificates you will need to run Certbot multiple times. -Plugins that can install a cert are called "installers" and can be used with the -"install" command. These plugins can modify your webserver's configuration to +Installers are Plugins used with the ``install`` command to install a cert. +These plugins can modify your webserver's configuration to serve your website over HTTPS using certificates obtained by certbot. -Plugins that do both can be used with the "certbot run" command, which is the default -when no command is specified. 
The "run" subcommand can also be used to specify +Plugins that do both can be used with the ``certbot run`` command, which is the default +when no command is specified. The ``run`` subcommand can also be used to specify a combination of distinct authenticator and installer plugins. =========== ==== ==== =============================================================== ============================= @@ -78,7 +78,7 @@ the circumstances in which each plugin can be used, and how to use it. Apache ------ -The Apache plugin currently requires OS with augeas version 1.0; currently `it +The Apache plugin currently requires an OS with augeas version 1.0; currently `it supports `_ modern OSes based on Debian, Fedora, SUSE, Gentoo and Darwin. @@ -253,22 +253,6 @@ certificate counts against several rate limits that are intended to prevent abuse of the ACME protocol, as described `here `__. -Certbot also provides a ``renew`` command. This command examines *all* existing -certificates to determine whether or not each is near expiry. For any existing -certificate that is near expiry, ``certbot renew`` will attempt to obtain a -new certificate for the same domains. Unlike ``certonly``, ``renew`` acts on -multiple certificates and always takes into account whether each one is near -expiry. Because of this, ``renew`` is suitable (and designed) for automated use, -to allow your system to automatically renew each certificate when appropriate. -Since ``renew`` will only renew certificates that are near expiry it can be -run as frequently as you want - since it will usually take no action. - -Typically, ``certbot renew`` runs a reduced risk of rate-limit problems -because it renews certificates only when necessary, and because some of -the Let's Encrypt CA's rate limit policies treat the issuance of a new -certificate under these circumstances more generously. More details about -the use of ``certbot renew`` are provided below. - .. _renewal: Renewing certificates 
@@ -287,7 +271,12 @@ them. The simplest form is simply This will attempt to renew any previously-obtained certificates that expire in less than 30 days. The same plugin and options that were used at the time the certificate was originally issued will be used for the -renewal attempt, unless you specify other plugins or options. +renewal attempt, unless you specify other plugins or options. Unlike ``certonly``, ``renew`` acts on +multiple certificates and always takes into account whether each one is near +expiry. Because of this, ``renew`` is suitable (and designed) for automated use, +to allow your system to automatically renew each certificate when appropriate. +Since ``renew`` will only renew certificates that are near expiry it can be +run as frequently as you want - since it will usually take no action. You can also specify hooks to be run before or after a certificate is renewed. For example, if you have only a single cert and you obtained it using @@ -470,7 +459,7 @@ Example usage for HTTP-01: #!/bin/bash rm -f /var/www/htdocs/.well-known/acme-challenge/$CERTBOT_TOKEN -Example usage for DNS-01 (Cloudflare API v4) (for example purposes only, do not use) +Example usage for DNS-01 (Cloudflare API v4) (for example purposes only, do not use as-is) ::
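
Review bot: In PATCH 2/4, docs/install.rst, first hunk (System Requirements), the sentence "The Apache plugin currently requires OS with augeas version 1.0" is added here while the same sentence stays in the Apache section of docs/using.rst, so the text now lives in two files. PATCH 4/4 corrects it to "requires an OS" only in using.rst, leaving the install.rst copy with the old wording. Keep one copy and link to it from the other page, or apply the same fix in both. The same block still opens with "The Let's Encrypt Client presently only runs on" under a page now titled "Get Certbot"; use "Certbot" there for consistency with the rest of the page.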
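
Review bot: In PATCH 2/4, docs/install.rst, second hunk (Running with Docker), the documented command runs ``quay.io/letsencrypt/letsencrypt:latest`` under ``sudo`` with ``/etc/letsencrypt`` and ``/var/lib/letsencrypt`` bind-mounted, so whatever the mutable ``latest`` tag points to at pull time gets write access to the directory that receives the issued certificates. Since this section is being reworked anyway, add a sentence telling readers to pin a release tag or image digest. Two wording points in the same hunk: "Because Certonly cannot install the certificate" treats the subcommand as a product name and should read ``certonly``, and the warning under "Installing from source" lists ``python pip install .``, which is not a valid invocation (the command it means to warn about is ``pip install .``).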
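
Review bot: In PATCH 3/4, docs/install.rst, the ``.. _installation:`` label that PATCH 2/4 moved into this file is removed outright, so any ``:ref:`installation``` left elsewhere in the docs will stop resolving. Either keep the label above the new "About Certbot" heading or confirm in the commit message that no references remain. The new "About Certbot" heading also sits above text that is entirely about where to find packages, so a title such as "Getting Certbot" would match the content better.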
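
Review bot: In PATCH 4/4, docs/using.rst, hunk "Getting certificates (and choosing plugins)", the rewritten paragraph changes who does what: the removed text said the ``certonly`` command "will carry out the steps needed to validate ... obtain a cert ... and place it in the ``/etc/letsencrypt`` directory", while the added text says "The authenticator validates ... obtains a cert ... and places the cert". Readers choosing a plugin will take that to mean the plugin itself fetches and stores the certificate. Keep the authenticator as the subject of the validation step only and leave obtaining and storing to the command. Also in this hunk: "Installers are Plugins" has a stray capital, and the untouched context line "To obtain multiple seperate certificates" still has the "seperate" typo and could be fixed in the same pass.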
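
Review bot: In PATCH 4/4, docs/using.rst, the hunk at -253,22 removes two paragraphs about ``renew``, but the later hunk under "Renewing certificates" re-adds only the first one. The paragraph beginning "Typically, ``certbot renew`` runs a reduced risk of rate-limit problems" is dropped with no replacement, although the surrounding context still warns that each new certificate "counts against several rate limits". That paragraph is the reason to prefer ``renew`` over re-running ``certonly`` in automation, so carry it into the "Renewing certificates" section too. The sentence appended there also ends "run as frequently as you want - since it will usually take no action", which reads better as "because it will usually take no action".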