Awesome Open Source
Awesome Open Source

Let's Certbot

中文文档 Chinese document

Let's Certbot is a tool builds automated scripts base on Certbot for obtaining, renewing, deploying SSL certificates.

In order to verify your domains, Let's Certbot uses dns challenge on Certbot. Compared to http challenge, it means you can obtain a wildcard certificate and don't need to touch webserver.

On dns challenge, you need to set a TXT DNS record with specific contents on domain. Let's Certbot will help you do it via domain name registrar DNS API.

Supports domain name registrar at persent:




Let's Certbot as a Certbot tool supports docker and non-docker environments.

Downloading Repository

Clone this repository to get Let's Certbot:

$ git clone [email protected]:jinhucheung/letscertbot.git

Then copy configurations:

$ cd letscertbot
$ cp config.json.example config.json

Installing with Docker

Run Let's Certbot with Docker:

$ sudo docker run --rm --name letscertbot -v "$your_letscertbot_home/config.json:/app/config.json" -v "$your_letscertbot_home/tlds.txt:/app/tlds.txt" -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" jimcheung/letscertbot

You can run Let's Certbot with Compose if Docker Compose is installed:

$ sudo docker-compose run --rm app

Installing without Docker

Let's Certbot requires Python 2.7 or 3.4+ running on a UNIX-like operation system.

First, you need to confirm if python is installed:

$ python --version

If everything is ok, get Certbot on Official Document for your system.

After installing Certbot, run Certbot with root:

$ sudo certbot --version



Before running Let's Certbot, you have the following configuration to change:

Name Required Description Default true Email address for important renewal notifications
dns true dns settings
dns.wait_time false dns challenge wait time (seconds) 20
dns.aliyun false Access Key Id and Access Key Secret of Aliyun account
dns.qcloud false Secret Id and Secret Key of Tencent Cloud account
dns.huaweicloud false Access Key Id and Secret Access Key of Huawei Cloud account false API Key and API Secret of GoDaddy account
dns.cloudflare false API Key or API Token of Cloudflare account
log.enable false Whether to enable log tracker false
log.logfile false The path of log file ./log/application.log
deploy.servers false The deployment servers
deploy.server.enable false Whether to run deployment script for server false false The host of deployment server, set "localhost" for local server, required on deploy.
deploy.server.port false The port of remote server SSH daemon 22
deploy.server.user false The user of remote server uses SSH login, run command root
deploy.server.password false The password of remote user
deploy.server.deploy_to false The stored path of certificate in server /etc/letsencrypt/live
deploy.server.restart_nginx false Whether to restart nginx in server false
deploy.server.after_hook false The command that server runs after successful deployment

In addition, tlds.txt contains some top level domains(TLD) and second level domains(SLD) for separating subdomain and main domain. If the TLD or SLD of your domain is not existed in tlds.txt, you need to append it in list.


Before obtaining certificate, you can run manual script ( to test DNS API with with your access key:

# Running with docker
$ sudo docker-compose run --rm app manual --test --domain --dns aliyun

# Running without docker
$ sudo python ./bin/ --test --domain --dns aliyun

The script will place _acme-challenge TXT record under your domain via specified DNS API.


Run the obtainment script ( with root for obtaining certificate:

# Running with docker
$ sudo docker-compose run --rm app obtain -d *

# Running without docker
$ sudo python ./bin/ -d *

Then you will get a wildcard certificate names in /etc/letsencrypt/live/

You can specify certificate name with --cert argument:

# Running with docker
$ sudo docker-compose run --rm app obtain -d --cert

# Running without docker
$ sudo python ./bin/ -d --cert

If your domain name registrar doesn't support api access, or if you're concerned about security problems from giving the access tokento your main domain, then you can use DNS alias argument:

$ sudo docker-compose run --rm app obtain -d --dns qcloud --challenge-alias

# Running without docker
$ sudo python ./bin/ -d --dns qcloud --challenge-alias

In the above command, Let's Certbot transfers, challenge to, and sets the txt record of via qcloud API. So you need to add CNAME record for challenged domain in advance: => =>


Renew certificates with the renewal script (

# Running with docker
$ sudo docker-compose run --rm app renewal

# Running without docker
$ sudo python ./bin/

Then Certbot will try renew all certificates which will be expired soon.

You can add renewal script as schedule task to crontab:

# Running with docker
0 0 */7 * * sudo docker-compose -f $your_letscertbot_home/docker-compose.yml run --rm app renewal > /var/log/letscertbot-renewal.log 2>&1

# Running without docker
0 0 */7 * * sudo $your_letscertbot_home/bin/ > /var/log/letscertbot-renewal.log 2>&1

The task will run renewal script every 7 days.

If you need to force renew specified certificates, provide --force and --certs arguments:

# Running with docker
$ sudo docker-compose run --rm app renewal --certs --force

# Running without docker
$ sudo python ./bin/ --certs --force


If you set deploy.server.enable to true, Certbot will run the deployment script ( on deploy hook. The script receives renewed certificate and push it to configured servers.

Let's Certbot deploys certificate to remote server via SSH, it means that local server runs Certbot must be able to connect remote server. In order to connect, you need to add the public key of local server to remote server or provide deploy.server.password for sshpass.

In order to add certificate to deploy.server.deploy_to or restart nginx, Let's Certbot requires deploy.server.user has permissions.

You can get deployment script by running the following command:

# Running with docker
$ sudo docker-compose run --rm app deploy --check

# Running without docker
$ sudo python ./bin/ --check

And push certificate to server:

# Running with docker
$ sudo docker-compose run --rm app deploy --push --cert $certificate_name --server $server_host

# Running without docker
$ sudo python ./bin/ --push --cert $certificate_name --server $server_host

Note: If deploy.server enables SELinux in enforcing mode, you need to confirm that nginx has access to the SElinux security context of deploy.server.deploy_to.

Note: If you run Let's Certbot via container and restart nginx in local server, you should set local server as remote.



Bug report or pull request are welcome.

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)

Please write unit test with your code if necessary.


The repository is available as open source under the terms of the MIT License.

Alternatives To Letscertbot
Select To Compare

Alternative Project Comparisons
Related Awesome Lists
Top Programming Languages
Top Projects

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
Python (806,773
Docker (97,272
Server (66,263
Certificate (11,234
Dns (10,193
Letsencrypt (1,724
Acme (1,377
Aliyun (1,141
Ssl Certificates (1,075
Certbot (818
Deployment Automation (175
Godaddy (61
Qcloud (54