How To Install Certbot on Rocky Linux 10
SSL certificates have become essential for modern websites, providing encryption and establishing trust with visitors. Let’s Encrypt revolutionized SSL certificate management by offering free, automated certificates that eliminate the cost barrier traditionally associated with website security. Certbot, the official Automated Certificate Management Environment (ACME) client for Let’s Encrypt, simplifies the entire process of obtaining and managing SSL certificates.
Rocky Linux 10 represents the latest iteration of this enterprise-grade Linux distribution, offering enhanced stability, security features, and long-term support that makes it ideal for production environments. Organizations choosing Rocky Linux benefit from its Red Hat Enterprise Linux compatibility while maintaining the freedom of open-source software. This comprehensive guide will walk you through the complete process of installing and configuring Certbot on Rocky Linux 10, ensuring your web applications are secured with valid SSL certificates.
Whether you’re managing a single website or multiple domains, this tutorial provides step-by-step instructions for implementing automated SSL certificate management. By the end of this guide, you’ll have a fully functional Certbot installation with automatic renewal capabilities, protecting your websites and improving their search engine rankings through HTTPS implementation.
Understanding Certbot and Let’s Encrypt
What is Let’s Encrypt?
Let’s Encrypt operates as a free, automated Certificate Authority that has transformed the SSL certificate landscape since its launch. This nonprofit organization issues Domain Validation (DV) certificates at no cost, making website encryption accessible to everyone from individual bloggers to large enterprises. The certificates issued by Let’s Encrypt are trusted by all major browsers and provide the same level of encryption as paid alternatives.
The service uses an automated validation process that verifies domain ownership through HTTP or DNS challenges. Certificates have a 90-day validity period, which initially concerned some users but actually enhances security by encouraging regular rotation and automated renewal processes.
What is Certbot?
Certbot serves as the official ACME client software developed by the Electronic Frontier Foundation specifically for Let’s Encrypt certificate management. This command-line tool automates the entire certificate lifecycle, from initial issuance to renewal and installation. The software features a plugin architecture that integrates seamlessly with popular web servers like Apache and Nginx, automatically modifying their configuration files to implement SSL.
The tool handles complex tasks such as generating Certificate Signing Requests (CSRs), communicating with Let’s Encrypt servers, and managing certificate chains. Certbot’s intelligent automation reduces human error and ensures consistent SSL configuration across multiple domains.
Benefits of Using Certbot on Rocky Linux 10
Rocky Linux 10 provides an ideal foundation for Certbot deployment due to its enterprise-grade stability and security features. The distribution’s compatibility with Red Hat Enterprise Linux ensures access to well-tested packages through the EPEL repository. The operating system’s robust systemd integration enables reliable automatic renewal through systemd timers, providing better resource management than traditional cron jobs.
Rocky Linux 10’s enhanced security features complement Certbot’s automation capabilities, creating a secure environment for certificate management. The distribution’s long-term support model aligns perfectly with enterprise requirements for stable, predictable SSL certificate management over extended periods.
Prerequisites and System Requirements
System Requirements
Successfully running Certbot on Rocky Linux 10 requires adequate system resources to handle certificate operations and web server functionality. A minimum of 1GB RAM ensures smooth operation during certificate generation and renewal processes, while 10GB of available disk space accommodates the operating system, web server software, and certificate storage.
Network connectivity is crucial for ACME protocol communication with Let’s Encrypt servers. Inbound connections on port 80 (HTTP) and port 443 (HTTPS) must be reachable from the internet for domain validation and for serving the issued certificate. Root or sudo privileges are essential for modifying system configurations and installing packages.
Domain and DNS Requirements
Proper domain configuration forms the foundation of successful SSL certificate deployment. Your domain must have valid A records pointing to your server’s public IP address, ensuring Let’s Encrypt can reach your server during validation challenges. Both the primary domain and www subdomain should be properly configured if you plan to secure both variants.
DNS propagation must be complete before attempting certificate issuance. You can verify proper DNS configuration using tools like dig or nslookup to confirm your domain resolves to the correct IP address. Wildcard certificates can only be validated through DNS, so you also need the ability to add records to the domain’s zone.
Required Software Dependencies
A functioning web server installation is a prerequisite for most Certbot operations. Apache HTTP Server or Nginx must be installed, configured, and running before certificate deployment. The web server should be properly configured with virtual hosts or server blocks for the domains you intend to secure.
Firewall configuration requires attention to ensure proper certificate validation. Firewalld or iptables must allow incoming connections on ports 80 and 443. The EPEL repository provides access to Certbot packages and should be enabled before installation attempts.
Preparing Rocky Linux 10 for Certbot Installation
Updating the System
Maintaining current system packages ensures compatibility and security before installing new software. Begin by updating all installed packages to their latest versions using the DNF package manager. This process downloads and installs security patches, bug fixes, and feature updates that may affect Certbot functionality.
sudo dnf update -y
The update process may require a system reboot if kernel updates are included. Check for reboot requirements by examining the update output or using the needs-restarting utility. System reboots ensure all kernel-level security updates take effect and provide a clean environment for Certbot installation.
Installing EPEL Repository
The Extra Packages for Enterprise Linux (EPEL) repository provides access to Certbot packages that aren’t available in Rocky Linux’s base repositories. EPEL maintains high-quality packages that extend the functionality of enterprise Linux distributions while maintaining stability and security standards.
sudo dnf install epel-release -y
Verify successful EPEL installation by listing available repositories and confirming the EPEL repository appears in the output. The repository configuration files are stored in /etc/yum.repos.d/ and can be examined to ensure proper configuration. EPEL provides not only Certbot but also numerous Python dependencies and web server plugins required for full functionality.
Configuring Firewall Rules
Proper firewall configuration ensures Let’s Encrypt servers can reach your system during domain validation while maintaining security. Rocky Linux 10 uses firewalld as the default firewall management tool, providing zone-based security policies that simplify rule management.
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Verify firewall rules using firewall-cmd --list-all to confirm HTTP and HTTPS services are permitted. Consider creating specific zones for web server traffic if your security policy requires more granular control. Document your firewall configuration changes for future reference and troubleshooting purposes.
Installing Certbot on Rocky Linux 10
Installing Certbot Core Package
The Certbot core package provides the fundamental functionality for certificate management and ACME protocol communication. Installation through DNF automatically resolves dependencies and ensures compatibility with Rocky Linux 10’s package ecosystem.
sudo dnf install certbot -y
The installation process downloads approximately 15-20MB of packages, including Python libraries, cryptographic modules, and configuration templates. Verify successful installation by checking the Certbot version and available command-line options. The installation creates necessary directories in /etc/letsencrypt/ for configuration and certificate storage.
Certbot’s core functionality includes certificate request generation, domain validation handling, and renewal management. The base package supports standalone and webroot validation methods, making it suitable for various deployment scenarios even without web server plugins.
Installing Web Server Plugins
For Apache Users
The Apache plugin enables seamless integration between Certbot and Apache HTTP Server, automatically modifying virtual host configurations and installing certificates. This plugin eliminates manual configuration steps and reduces the potential for configuration errors.
sudo dnf install python3-certbot-apache -y
The Apache plugin requires mod_ssl to be installed and enabled for SSL functionality. Verify Apache module availability using httpd -M | grep ssl and enable mod_ssl if necessary. The plugin can automatically configure virtual hosts, set up SSL parameters, and implement HTTP to HTTPS redirects.
For Nginx Users
The Nginx plugin provides similar automation capabilities for Nginx web server environments. This plugin parses Nginx configuration files, modifies server blocks, and implements SSL settings according to current best practices.
sudo dnf install python3-certbot-nginx -y
Ensure Nginx is properly configured with server blocks for your domains before using the plugin. The plugin validates Nginx configuration syntax before making changes, preventing configuration errors that could disrupt service. Test your Nginx configuration using nginx -t before and after plugin usage.
Alternative Installation Methods
Snap Package Installation
Snap packages provide an alternative installation method that ensures access to the latest Certbot versions regardless of distribution package availability. The snap package includes all dependencies and updates independently of the system package manager.
sudo dnf install snapd -y
sudo systemctl enable --now snapd.socket
sudo snap install --classic certbot
Create symbolic links to make Certbot accessible from standard PATH locations after snap installation. Snap packages may have different file system access restrictions that could affect plugin functionality or certificate storage locations.
Docker Container Deployment
Container deployment offers isolation and consistency across different environments while simplifying dependency management. Docker containers can be particularly useful for development environments or systems with complex package conflicts.
docker run -it --rm --name certbot \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
    certbot/certbot
Container deployment requires careful volume mapping to ensure certificate persistence and accessibility by the host web server. Consider using Docker Compose for complex deployments involving multiple containers or automated renewal processes.
Configuring Web Server for SSL Certificate
Apache Configuration
Virtual Host Setup
Proper Apache virtual host configuration forms the foundation for successful SSL certificate deployment. Virtual hosts define how Apache handles requests for specific domains and must be correctly configured before certificate installation.
Create or modify virtual host files in the /etc/httpd/conf.d/ directory, ensuring each domain has a dedicated configuration file. The virtual host must include proper ServerName and ServerAlias directives that match the domains specified in your certificate request.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html/example.com
    ErrorLog /var/log/httpd/example.com_error.log
    CustomLog /var/log/httpd/example.com_access.log combined
</VirtualHost>
Ensure the DocumentRoot directory exists and contains appropriate content for domain validation. Let’s Encrypt places validation files in the .well-known/acme-challenge/ subdirectory during the validation process.
Apache Configuration Testing
Validate Apache configuration syntax before attempting certificate installation to prevent service disruptions. Apache provides built-in tools for configuration validation that identify syntax errors and missing dependencies.
sudo httpd -t
sudo systemctl reload httpd
Monitor Apache error logs during the validation process to identify potential issues with virtual host configuration or file permissions. Proper log monitoring helps troubleshoot certificate installation problems and ensures successful domain validation.
Nginx Configuration
Server Block Configuration
Nginx server blocks function similarly to Apache virtual hosts but use different syntax and configuration structures. Proper server block configuration ensures Nginx can serve content for domain validation and certificate installation.
Create server block files in the /etc/nginx/conf.d/ directory with a .conf extension for automatic inclusion in the main configuration. Each server block should specify the appropriate server_name directive matching your certificate domains.
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/html/example.com;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
}
Verify that the document root directory exists and is accessible by the Nginx worker process. Proper file permissions and SELinux contexts are essential for successful domain validation on Rocky Linux systems.
Nginx Configuration Validation
Nginx provides configuration testing capabilities that validate syntax and identify potential conflicts before implementing changes. Regular configuration testing prevents service disruptions and ensures reliable certificate deployment.
sudo nginx -t
sudo systemctl reload nginx
The configuration test checks for syntax errors, missing files, and conflicting directives. Address any configuration issues before proceeding with certificate installation to ensure smooth operation and avoid validation failures.
Obtaining SSL Certificates with Certbot
Basic Certificate Request Process
The certificate request process begins with Certbot communicating with Let’s Encrypt servers to initiate domain validation. During the initial run, Certbot prompts for an email address used for account registration and important notifications about certificate expiration or security issues.
sudo certbot --nginx -d example.com -d www.example.com
Certbot creates an ACME account associated with your email address and agrees to Let’s Encrypt’s Terms of Service on your behalf. The software generates a private key and Certificate Signing Request (CSR) containing your domain information and public key.
Domain validation occurs through HTTP-01 challenges where Let’s Encrypt servers attempt to retrieve specific files from your web server. Successful validation proves domain ownership and authorizes certificate issuance. The entire process typically completes within 2-3 minutes for properly configured domains.
Apache Integration Method
The Apache plugin automates virtual host modification and SSL configuration implementation. This integration method eliminates manual configuration steps and ensures consistent SSL settings across multiple domains.
sudo certbot --apache -d example.com -d www.example.com
During the process, Certbot analyzes existing Apache virtual hosts and creates corresponding SSL virtual hosts listening on port 443. The plugin automatically configures SSL parameters including certificate paths, cipher suites, and security headers according to current best practices.
The integration method includes automatic HTTP to HTTPS redirect configuration, ensuring visitors always use encrypted connections. Certbot modifies existing virtual hosts to redirect HTTP requests to their HTTPS equivalents, improving security and search engine optimization.
Nginx Integration Method
Nginx integration provides similar automation capabilities while respecting Nginx’s unique configuration structure. The plugin parses existing server blocks and creates SSL-enabled configurations with minimal manual intervention.
sudo certbot --nginx -d example.com -d www.example.com
The Nginx plugin validates configuration syntax before making changes, preventing errors that could disrupt web service. It automatically configures SSL parameters, implements security headers, and enables HTTP/2 support when available.
Certificate installation includes automatic server block duplication for HTTPS traffic on port 443. The plugin configures appropriate SSL directives and implements redirect rules to ensure secure communication for all website visitors.
Manual Certificate Generation Methods
Standalone Method
Standalone mode operates independently of existing web servers by creating a temporary web server for domain validation. This method proves useful for servers without permanently running web services or during initial setup phases.
sudo certbot certonly --standalone -d example.com
The standalone method requires stopping existing web servers during validation to avoid port conflicts. Certbot creates a temporary HTTP server on port 80 specifically for Let’s Encrypt validation challenges. This approach works well for automated deployments where web server downtime is acceptable.
Webroot Method
Webroot mode leverages existing web server infrastructure for domain validation without requiring service interruption. This method places validation files in designated directories served by your web server.
sudo certbot certonly --webroot -w /var/www/html -d example.com
Specify the webroot path using the -w flag, ensuring the directory is accessible via HTTP requests to your domain. The web server must be configured to serve files from the .well-known/acme-challenge/ subdirectory for successful validation.
Certificate Management and Renewal
Understanding Certificate Lifecycle
Let’s Encrypt certificates have a 90-day validity period designed to encourage automation and regular security updates. This shorter lifespan compared to traditional certificates initially concerned some users but actually enhances security by forcing regular key rotation and reducing the impact of potential private key compromises.
Certificate renewal should occur approximately 30 days before expiration to provide adequate time for troubleshooting potential issues. Certbot automatically calculates renewal timing and includes safety margins to prevent unexpected certificate expiration.
The certificate lifecycle includes initial issuance, periodic renewal, and eventual replacement as security standards evolve. Understanding this lifecycle helps plan maintenance windows and ensures continuous service availability for websites and applications.
Automatic Renewal Setup
Systemd timers provide the recommended method for automatic certificate renewal on Rocky Linux 10. These timers offer better resource management and logging capabilities compared to traditional cron jobs while integrating seamlessly with the systemd ecosystem.
sudo systemctl enable --now certbot-renew.timer
sudo systemctl status certbot-renew.timer
The systemd timer runs twice daily with random delays to distribute renewal load across Let’s Encrypt’s infrastructure. Successful renewals restart associated web servers automatically to implement new certificates without manual intervention.
Test the renewal process using Certbot’s dry-run functionality to verify configuration and identify potential issues before automatic renewal attempts. Regular testing ensures reliable operation and helps maintain certificate availability.
sudo certbot renew --dry-run
Manual Renewal and Management
Manual renewal provides control over certificate updates during planned maintenance windows or when investigating renewal issues. The process uses the same validation methods as initial certificate issuance but preserves existing configuration settings.
sudo certbot renew
sudo certbot certificates
Certificate management includes monitoring expiration dates, expanding certificates to include additional domains, and revoking compromised certificates when necessary. Certbot provides comprehensive tools for all aspects of certificate lifecycle management.
Regular certificate status checks help identify potential issues before they affect service availability. Monitor certificate validity periods and plan renewal activities as part of routine system maintenance procedures.
Troubleshooting Common Issues
Installation Problems
EPEL repository access issues commonly affect Certbot installation on enterprise Linux distributions. Verify repository configuration and network connectivity when encountering package download failures or dependency resolution errors.
sudo dnf repolist enabled
sudo dnf clean all
sudo dnf makecache
Package dependency conflicts may arise when mixing repositories or using third-party packages. Resolve conflicts by identifying conflicting packages and removing or updating them before attempting Certbot installation.
Permission-related installation problems often result from incorrect user privileges or SELinux policy violations. Ensure administrative access and review SELinux audit logs when encountering permission-denied errors during installation.
Certificate Issuance Failures
Domain validation failures represent the most common certificate issuance problems, typically resulting from DNS configuration errors or firewall restrictions. Verify domain resolution and network accessibility before investigating more complex issues.
Let’s Encrypt implements rate limiting to prevent abuse and ensure service availability for all users. Understand rate limits for failed validations, successful certificates, and duplicate certificates to avoid temporary blocking during troubleshooting.
dig example.com
curl -I http://example.com/.well-known/acme-challenge/test
Web server configuration conflicts can prevent successful domain validation when virtual hosts or server blocks are incorrectly configured. Review web server logs and test configuration syntax when encountering validation timeouts or HTTP errors.
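The dig and curl checks above can be combined into a pre-issuance script that verifies exactly what an HTTP-01 challenge needs: the A record points at this server, and a file dropped into the webroot’s .well-known/acme-challenge/ directory is served back unchanged through the domain name. This is an added example, not code from the Certbot project; it assumes dig and curl are installed, and the script name acme-preflight.sh and the address 203.0.113.10 are placeholders.

```shell
#!/bin/sh
# acme-preflight.sh (added example, not part of Certbot): check, before running
# certbot, that an HTTP-01 challenge for DOMAIN can succeed:
#   1. every A record for DOMAIN points at the IP this server expects, and
#   2. a file placed under WEBROOT/.well-known/acme-challenge/ comes back
#      unchanged when fetched over plain HTTP through the domain name.
# Usage: sh acme-preflight.sh example.com 203.0.113.10 /var/www/html/example.com
# (203.0.113.10 is a documentation address; use the server's real public IP.)

CHALLENGE_DIR=".well-known/acme-challenge"

# check_dns DOMAIN EXPECTED_IP: succeed only if all A records equal EXPECTED_IP.
# dig follows CNAME chains; only the final IPv4 answers are compared.
check_dns() {
    domain=$1; expected=$2
    resolved=$(dig +short A "$domain" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true)
    if [ -z "$resolved" ]; then
        echo "FAIL: $domain has no A record" >&2
        return 1
    fi
    for ip in $resolved; do
        if [ "$ip" != "$expected" ]; then
            echo "FAIL: $domain resolves to $ip, expected $expected" >&2
            return 1
        fi
    done
    echo "OK: $domain -> $expected"
}

# check_challenge_path DOMAIN WEBROOT: write a random token file where the
# webroot plugin would, fetch it the way Let's Encrypt does (HTTP on port 80,
# redirects followed), and require the body to match byte for byte.
check_challenge_path() {
    domain=$1; webroot=$2
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$webroot/$CHALLENGE_DIR" || return 1
    printf '%s' "$token" > "$webroot/$CHALLENGE_DIR/$token"
    if ! body=$(curl -fsSL --max-time 10 "http://$domain/$CHALLENGE_DIR/$token"); then
        rm -f "$webroot/$CHALLENGE_DIR/$token"
        echo "FAIL: http://$domain/$CHALLENGE_DIR/ not reachable (firewall, DNS or server block?)" >&2
        return 1
    fi
    rm -f "$webroot/$CHALLENGE_DIR/$token"
    if [ "$body" != "$token" ]; then
        echo "FAIL: challenge file served with different content (rewrite or wrong root?)" >&2
        return 1
    fi
    echo "OK: challenge path served from $webroot"
}

# preflight DOMAIN EXPECTED_IP WEBROOT: run both checks in order.
preflight() {
    check_dns "$1" "$2" && check_challenge_path "$1" "$3"
}

if [ $# -eq 3 ]; then
    preflight "$@"
fi
```

A non-zero exit from either check points at the same causes the troubleshooting text lists (DNS, firewall, or a server block that does not serve the challenge path), before Let’s Encrypt’s rate limits for failed validations come into play.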
Renewal and Maintenance Issues
Failed automatic renewals often result from configuration changes or system updates that affect web server operation. Monitor renewal logs and implement notification systems to alert administrators about renewal failures requiring manual intervention.
Certificate expiration handling requires contingency planning for scenarios where automatic renewal fails repeatedly. Implement monitoring systems that track certificate validity periods and generate alerts well before expiration dates.
Service restart failures during renewal can cause brief service interruptions or prevent new certificates from taking effect. Test renewal processes in development environments and implement graceful restart procedures to minimize service impact.
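Because Certbot’s timer renews roughly 30 days before expiry, the useful alert for the monitoring described above is “fewer than about 20 days left”, which only happens when renewals have been failing for more than a week. The script below implements that check. It is an added example, not code from the Certbot project; it assumes openssl is installed and relies on Certbot’s standard layout of /etc/letsencrypt/live/<name>/fullchain.pem (check-cert-expiry.sh is a hypothetical name).

```shell
#!/bin/sh
# check-cert-expiry.sh (added example, not part of Certbot): walk every lineage
# under /etc/letsencrypt/live and flag any whose certificate expires within
# WARN_DAYS. Certbot renews at 30 days before expiry, so a certificate with
# fewer days left than that means "certbot renew" has been failing (or the
# timer is not running). Exit status 1 when at least one lineage is flagged,
# so a systemd timer, cron job or monitoring agent can turn it into an alert.
# Usage: sh check-cert-expiry.sh [WARN_DAYS] [LIVE_DIR]

WARN_DAYS=${1:-20}
LIVE_DIR=${2:-/etc/letsencrypt/live}

# cert_expires_within CERT_FILE DAYS
# Returns 0 if the certificate will have expired DAYS days from now.
# "openssl x509 -checkend N" exits 0 while the certificate is still valid N
# seconds in the future and 1 once it would be expired, so the result is inverted.
cert_expires_within() {
    cert=$1; days=$2
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1   # still valid at the deadline
    fi
    return 0       # expired by then (or unreadable: treat as failing)
}

# cert_not_after CERT_FILE: print the notAfter date for the report line.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# check_live_dir LIVE_DIR DAYS
# Prints one line per lineage and returns 1 if any lineage is flagged.
check_live_dir() {
    dir=$1; days=$2; failed=0
    for lineage in "$dir"/*/; do
        [ -f "$lineage/fullchain.pem" ] || continue   # skip README and stray files
        name=$(basename "$lineage")
        if cert_expires_within "$lineage/fullchain.pem" "$days"; then
            echo "WARN: $name expires within $days days ($(cert_not_after "$lineage/fullchain.pem"))"
            failed=1
        else
            echo "OK:   $name valid beyond $days days ($(cert_not_after "$lineage/fullchain.pem"))"
        fi
    done
    return $failed
}

if [ -d "$LIVE_DIR" ]; then
    check_live_dir "$LIVE_DIR" "$WARN_DAYS"
else
    echo "no such directory: $LIVE_DIR" >&2
    false
fi
```

Pair it with certbot renew --dry-run and /var/log/letsencrypt/letsencrypt.log when it fires: the check tells you a renewal is overdue, the log tells you why.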
Security Best Practices and Optimization
SSL/TLS Configuration Hardening
Modern cipher suite configuration ensures optimal security and performance for SSL/TLS connections. Disable weak ciphers and protocols while maintaining compatibility with current browsers and security standards.
Configure Perfect Forward Secrecy (PFS) to ensure that private key compromise doesn’t affect previously encrypted communications. Implement ECDHE cipher suites and regularly rotate certificates to maintain forward secrecy benefits.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
HTTP Strict Transport Security (HSTS) headers prevent protocol downgrade attacks and ensure browsers always use HTTPS connections. Implement HSTS with appropriate max-age values and consider including subdomains in the policy.
Performance Optimization
OCSP stapling reduces client-side certificate validation overhead by having the server fetch the OCSP response for its own certificate and include it in the TLS handshake. This optimization improves connection establishment times while maintaining certificate validity verification. Nginx only staples when the issued certificate carries an OCSP responder URL; otherwise it logs that ssl_stapling is ignored and serves connections without a stapled response.
ssl_stapling on;
ssl_stapling_verify on;
# Rocky Linux keeps the system CA bundle here; the Debian-style /etc/ssl/certs/ca-certificates.crt does not exist
ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
HTTP/2 protocol support with SSL provides significant performance improvements for modern web applications. Enable HTTP/2 in your web server configuration to take advantage of multiplexing and server push capabilities.
Certificate chain optimization ensures efficient certificate validation by providing complete certificate chains without unnecessary intermediate certificates. Monitor certificate chain composition and remove redundant certificates to minimize handshake overhead.
Implement regular security assessments using tools like SSL Labs’ SSL Test to evaluate certificate configuration and identify optimization opportunities. Continuous monitoring ensures ongoing security and performance optimization as standards evolve.
Congratulations! You have successfully installed Certbot. Thanks for using this tutorial for installing Certbot Let’s Encrypt on your Rocky Linux 10 system. For additional help or useful information, we recommend you check the official Certbot website.