"Certbot Standalone: Get Let's Encrypt SSL on Ubuntu"

Introduction

Let’s Encrypt is simply a free, automated certificate authority operated by the nonprofit Internet Security Research Group (ISRG). Certbot standalone mode runs a impermanent built-in web server connected larboard 80 to complete the ACME HTTP-01 situation issued by the Let’s Encrypt API. Use standalone mode erstwhile nary web server is moving connected your machine, aliases erstwhile securing a non-HTTP work specified arsenic a message server, an MQTT broker, aliases a civilization TCP application. If a web server specified arsenic Nginx aliases Apache is already running, usage the webroot plugin aliases the Nginx/Apache plugin instead, which complete the situation without stopping a unrecorded service.

In this tutorial, you will usage EFF’s Certbot to get a valid 90-day certificate issued by Let’s Encrypt, stored astatine /etc/letsencrypt/live/your_domain/. You will besides configure automated renewal utilizing Certbot’s systemd timer and pre/post hook scripts that extremity and restart immoderate work occupying larboard 80 during each renewal attempt.

Key Takeaways

• Certbot standalone mode runs a impermanent built-in web server to reply the Let’s Encrypt ACME challenge. It requires TCP larboard 80 to beryllium free for the default HTTP-01 challenge.
• Use standalone mode erstwhile nary web server is running, aliases erstwhile securing a non-HTTP work specified arsenic a message server, connection broker, aliases civilization TCP application. Use webroot aliases the Nginx/Apache plugin erstwhile a web server is already serving traffic.
• On Ubuntu 20.04 and later, instal Certbot via snap. The EFF nary longer actively maintains the apt-based package for existent Ubuntu releases.
• Let’s Encrypt certificates are valid for 90 days. The snap-installed Certbot ships a systemd timer that attempts renewal doubly regular and renews erstwhile a certificate is wrong 30 days of expiry.
• In standalone mode, larboard 80 must beryllium free astatine renewal time. Use pre-hook and post-hook scripts to extremity and restart immoderate work that holds the larboard earlier and aft each renewal attempt.
• Certificate files are stored astatine /etc/letsencrypt/live/your_domain/. Most services request 2 files: fullchain.pem (the certificate chain) and privkey.pem (the backstage key).

Prerequisites

Before starting this tutorial, you will need:

• An Ubuntu 20.04 server pinch a non-root, sudo-enabled personification and basal firewall group up, arsenic elaborate successful How To Do Initial Server Setup pinch Ubuntu 20.04.
• A domain sanction pointed astatine your server. If you are utilizing a DigitalOcean Droplet, you tin execute this by pursuing our Domains and DNS documentation. This tutorial will usage your_domain throughout.
• Port 80 must beryllium disposable connected your server during certificate issuance and each consequent renewal. If a web server presently occupies larboard 80, you must extremity it earlier moving Certbot successful standalone mode and restart it afterward. If the work you want to unafraid occupies some ports 80 and 443 and you cannot extremity it temporarily, usage Certbot’s webroot mode instead. For UFW firewall setup, spot How To Set Up a Firewall pinch UFW connected Ubuntu.

Step 1 — Installing Certbot

Start by refreshing the snapd core. Ubuntu 20.04 includes snapd by default:

1. sudo threat install core; sudo threat refresh core

If you’re moving connected a server that antecedently had an older type of certbot installed, you should region it earlier going immoderate further:

1. sudo apt region certbot

After that, you tin instal the certbot package:

1. sudo threat install --classic certbot

Finally, you tin nexus the certbot bid from the threat instal directory to your path, truthful you’ll beryllium capable to tally it by conscionable typing certbot. This isn’t basal pinch each packages, but snaps thin to beryllium little intrusive by default, truthful they don’t conflict pinch immoderate different strategy packages by accident:

1. sudo ln -s /snap/bin/certbot /usr/bin/certbot

Verify the installation by checking the Certbot version:

1. certbot --version

Output

certbot 2.11.0

The type shown reflects the existent threat transmission astatine the clip of installation and will alteration arsenic Certbot releases updates.

Step 2 — Configuring the Firewall

Certbot standalone mode answers the ACME HTTP-01 challenge, which requires TCP larboard 80 to beryllium reachable from the internet. Open larboard 80 successful your firewall:

1. sudo ufw let 80

Output

Rule added Rule added (v6)

Then unfastened larboard 443 to service HTTPS postulation aft the certificate is issued:

1. sudo ufw let 443

Output

Rule added Rule added (v6)

Standalone mode uses the HTTP-01 situation connected larboard 80 by default; if you alternatively usage --preferred-challenges tls-alpn-01, unfastened larboard 443 instead. If larboard 80 is only needed during certificate issuance and your exertion does not service HTTP, adjacent it afterward pinch sudo ufw delete let 80.

Step 3 — Obtaining a Certificate pinch Standalone Mode

Note: Before issuing against the unrecorded Let’s Encrypt API, tally with --dry-run to verify your configuration. If you request to repetition the full issuance travel during testing, adhd --staging (or --test-cert) to avoid hitting complaint limits. Staging certificates are not browser-trusted but the issuance process is identical. For existent complaint limit values, spot the Let’s Encrypt complaint limits documentation.

Warning: Standalone mode binds to larboard 80. If Nginx, Apache, aliases immoderate different work is presently listening connected larboard 80, extremity it earlier moving the bid below, past restart it aft the certificate is issued. Certbot will neglect pinch a binding correction if the larboard is already successful use.

Use the --standalone action to show Certbot to grip the situation utilizing its ain built-in web server. The -d emblem specifies the domain you’re requesting a certificate for. You tin adhd aggregate -d options to screen aggregate domains successful 1 certificate.

1. sudo certbot certonly --standalone -d your_domain

When moving the command, you will beryllium prompted to participate an email reside and work together to the position of service. After doing so, you should spot a connection telling you the process was successful and wherever your certificates are stored:

Output

IMPORTANT NOTES: Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/your_domain/fullchain.pem Key is saved at: /etc/letsencrypt/live/your_domain/privkey.pem This certificate expires connected 2026-09-06. These files will beryllium updated erstwhile the certificate renews. Certbot has group up a scheduled task to automatically renew this certificate successful the background. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you for illustration Certbot, please see supporting our activity by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le

Automating Certificate Issuance

For automated aliases scripted environments wherever interactive prompts are not available, walk the registration options inline:

1. sudo certbot certonly --standalone \
2. --non-interactive \
3. --agree-tos \
4. --no-eff-email \
5. -m [email protected] \
6. -d your_domain

--agree-tos accepts the Let’s Encrypt subscriber agreement, --no-eff-email suppresses the EFF newsletter signup prompt, and -m sets the reside Let’s Encrypt uses for expiry warnings and renewal nonaccomplishment alerts. Use a existent address: renewal nonaccomplishment notifications are the only early informing if the systemd timer stops working.

You should now person your certificates. Use ls to database the directory that holds your keys and certificates:

1. sudo ls /etc/letsencrypt/live/your_domain

Output

cert.pem chain.pem fullchain.pem privkey.pem README

Verify the certificate specifications pinch openssl:

1. sudo openssl x509 -in /etc/letsencrypt/live/your_domain/cert.pem -noout -subject -issuer -dates -ext subjectAltName

Output

subject=CN = your_domain issuer=C = US, O = Let's Encrypt, CN = E5 notBefore=Mon Jun 8 00:00:00 2026 GMT notAfter=Sun Sep 6 00:00:00 2026 GMT X509v3 Subject Alternative Name: DNS:your_domain

notAfter confirms the 90-day validity window. issuer confirms that Let’s Encrypt signed the certificate. If you issued for aggregate domains utilizing repeated -d flags, each domains look present arsenic abstracted DNS: entries. A domain missing from this database is not covered by the certificate.

To database each certificates presently managed by Certbot, including their domains and expiry dates, run:

1. sudo certbot certificates

Output

Found the pursuing certs: Certificate Name: your_domain Serial Number: ... Key Type: ECDSA Domains: your_domain Expiry Date: 2026-09-06 00:00:00+00:00 (VALID: 89 days) Certificate Path: /etc/letsencrypt/live/your_domain/fullchain.pem Private Key Path: /etc/letsencrypt/live/your_domain/privkey.pem

This is the superior bid to cheque certificate position connected immoderate server managed by Certbot.

Configuring a Service to Use the Certificate

Most services require 2 files from this directory: fullchain.pem arsenic the certificate and privkey.pem arsenic the backstage key. The pursuing illustration shows the applicable TLS directives for Postfix successful /etc/postfix/main.cf:

/etc/postfix/main.cf

smtpd_tls_cert_file = /etc/letsencrypt/live/your_domain/fullchain.pem smtpd_tls_key_file = /etc/letsencrypt/live/your_domain/privkey.pem smtpd_tls_security_level = may

Note: The /etc/letsencrypt/live/ directory is readable only by root. Services that tally arsenic a non-root personification (such arsenic the postfix user) require a deploy hook that copies the certificate files to a world-readable location, aliases definitive support grants connected the cert directory. For a complete Postfix setup, spot How To Install and Configure Postfix connected Ubuntu 20.04.

For an MQTT agent specified arsenic Mosquitto, adhd the pursuing to /etc/mosquitto/conf.d/tls.conf:

/etc/mosquitto/conf.d/tls.conf

listener 8883 cafile /etc/ssl/certs/ca-certificates.crt certfile /etc/letsencrypt/live/your_domain/fullchain.pem keyfile /etc/letsencrypt/live/your_domain/privkey.pem

Port 8883 is the modular MQTT-over-TLS port. The aforesaid root-only permissions caveat applies: the mosquitto personification requires a deploy hook aliases definitive publication entree to privkey.pem.

The README record successful this directory has much accusation astir each of these files. Most often you’ll only request 2 of these files:

• privkey.pem: The backstage key. Keep this secret. The /etc/letsencrypt directory is root-only for this reason. Most services mention to it successful configuration arsenic ssl-certificate-key aliases ssl-certificate-key-file.
• fullchain.pem: The afloat certificate chain. Most services mention to it arsenic ssl-certificate.

For much accusation connected the different files present, mention to the Where are my certificates? conception of the Certbot docs.

Some package will request its certificates successful different formats, successful different locations, aliases pinch different personification permissions. It is champion to time off everything successful the letsencrypt directory, and not alteration immoderate permissions successful location (permissions will conscionable beryllium overwritten upon renewal anyway), but sometimes that’s conscionable not an option. In that case, you’ll request to constitute a book to move files and alteration permissions arsenic needed. This book will request to beryllium tally whenever Certbot renews the certificates, which the adjacent measurement covers.

Step 4 — Configuring Automatic Renewal

Let’s Encrypt certificates are valid for 90 days. The snap-installed Certbot registers a systemd timer (snap.certbot.renew.timer) that runs certbot renew doubly regular and renews immoderate certificate wrong 30 days of expiry. No manual cron setup is required.

After renewal, Certbot needs to reload aliases restart immoderate work utilizing the certificate to prime up the caller files. In standalone mode, it besides needs to extremity immoderate work holding larboard 80 earlier the renewal effort and restart it afterward. Certbot provides 2 mechanisms for this: the renew_hook action successful the renewal configuration file, and pre/post hook scripts successful the renewal-hooks directories.

To adhd a renew_hook, unfastened Certbot’s renewal configuration record for your domain:

1. sudo nano /etc/letsencrypt/renewal/your_domain.conf

A matter record will unfastened pinch immoderate configuration options. You tin adhd a hook connected the past statement that will reload immoderate web-facing services, making them usage the renewed certificate:

/etc/letsencrypt/renewal/<^>your_domain<^>.conf

renew_hook = systemctl reload your_service

Update the bid supra to immoderate you request to tally to reload your server aliases tally immoderate post-renewal record processing script. Usually, connected Ubuntu, you’ll mostly beryllium utilizing systemctl to reload a service.

Using Pre-Hook and Post-Hook Scripts for Service Restarts

In standalone mode, each renewal effort must hindrance to larboard 80 again to complete the ACME challenge. If a work occupies larboard 80 astatine renewal time, the renewal fails and the certificate yet expires. Pre-hooks extremity the work earlier the renewal attempt; post-hooks restart it after.

Before choosing an approach, statement the downtime tradeoff: successful standalone mode, Certbot must hindrance to larboard 80 for a fewer seconds during the ACME challenge. Any work stopped by the pre-hook is unavailable for that model positive the clip to extremity and restart. For astir non-HTTP services (mail, MQTT, civilization TCP), this is acceptable. If zero-downtime renewal is required, usage a reverse proxy that forwards /.well-known/acme-challenge/ to Certbot’s --http-01-port while your work continues running, but that configuration is extracurricular the scope of this tutorial.

When choosing betwixt the 2 hook approaches below: usage the renewal-hooks directory attack (Approach 1) if you want hooks to tally sloppy of really renewal is triggered. Use the inline flags attack (Approach 2) if you want the hook stored successful the renewal config record and are issuing the certificate interactively. For standalone mode securing a non-HTTP service, Approach 1 is the safer choice.

Approach 1: Hook scripts successful the renewal-hooks directories (recommended for standalone mode).

Create the pre-hook script:

1. sudo tee /etc/letsencrypt/renewal-hooks/pre/stop-service.sh <<'EOF'
2. #!/bin/sh
3. systemctl extremity your_service
4. EOF
5. sudo chmod +x /etc/letsencrypt/renewal-hooks/pre/stop-service.sh

Create the post-hook script:

1. sudo tee /etc/letsencrypt/renewal-hooks/post/start-service.sh <<'EOF'
2. #!/bin/sh
3. systemctl commencement your_service
4. EOF
5. sudo chmod +x /etc/letsencrypt/renewal-hooks/post/start-service.sh

Certbot processes scripts successful these directories based connected erstwhile they tally comparative to a renewal attempt:

• /etc/letsencrypt/renewal-hooks/pre/: runs earlier each renewal attempt, whether aliases not the certificate is really renewed.
• /etc/letsencrypt/renewal-hooks/deploy/: runs only erstwhile a certificate is successfully renewed and deployed.
• /etc/letsencrypt/renewal-hooks/post/: runs aft each renewal attempt, sloppy of outcome.

Note: Replace your_service pinch the systemd portion sanction for your application. For example, usage postfix for a Postfix message server. Run systemctl list-units --type=service to database progressive services and corroborate the correct portion name.

Approach 2: Inline flags astatine certificate issuance (stored successful the renewal config).

1. sudo certbot certonly --standalone \
2. --pre-hook "systemctl extremity your_service" \
3. --post-hook "systemctl commencement your_service" \
4. -d your_domain

Certbot writes these flags to /etc/letsencrypt/renewal/your_domain.conf automatically, truthful they use connected each consequent certbot renew run.

Verifying the Renewal Timer

Check that the systemd timer is progressive and corroborate its adjacent scheduled run:

1. sudo systemctl list-timers | grep certbot

Output

NEXT LEFT LAST PASSED UNIT ACTIVATES Tue 2026-06-09 12:00:00 UTC 5h near Mon 2026-06-08 00:00:00 UTC 6h agone snap.certbot.renew.timer snap.certbot.renew.service

Run a dry-run renewal to corroborate the configuration useful without issuing a caller certificate:

1. sudo certbot renew --dry-run

Output

Congratulations, each simulated renewals succeeded: /etc/letsencrypt/live/your_domain/fullchain.pem (success)

If you spot nary errors, Certbot is group to renew erstwhile basal and tally immoderate commands needed to get your work utilizing the caller certificate files. Note that --dry-run runs pre and station hooks but skips deploy hooks. If you configured a renew_hook successful the renewal configuration record alternatively than pre/post scripts, it will not tally during a dry-run since nary certificate is really issued.

Standalone Mode vs. Other Certbot Modes

Choose the mode that matches whether a web server is already moving connected your instrumentality and whether you request automatic web server configuration updates.

If a web server is already moving connected your machine, for illustration the webroot plugin aliases the Nginx/Apache plugin complete standalone to debar stopping a unrecorded work during renewal. For Nginx, spot How To Secure Nginx pinch Let’s Encrypt connected Ubuntu 20.04. For Apache, spot How To Secure Apache pinch Let’s Encrypt connected Ubuntu 20.04. If you are moving Ubuntu 22.04, the standalone workflow is documented astatine How To Use Certbot Standalone Mode connected Ubuntu 22.04.

Troubleshooting Common Standalone Mode Issues

Port 80 Already successful Use (EADDRINUSE)

If different process is bound to larboard 80, Certbot fails pinch an OSError: [Errno 98] Address already successful usage error. Identify the process holding the port:

1. sudo ss -tlnp 'sport = :80'

Output

State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1234,fd=6))

Stop the offending work (example: Nginx):

1. sudo systemctl extremity nginx

Then re-run the certbot certonly --standalone command. After the certificate is issued, restart the service:

1. sudo systemctl commencement nginx

Firewall Blocking Port 80

The ACME HTTP-01 situation fails if Let’s Encrypt’s servers cannot scope larboard 80 connected the nationalist IP of your domain. Check the existent UFW status:

1. sudo ufw status

Output

Status: active To Action From -- ------ ---- 22/tcp ALLOW Anywhere 443 ALLOW Anywhere 22/tcp (v6) ALLOW Anywhere (v6) 443 (v6) ALLOW Anywhere (v6)

If larboard 80 is not listed arsenic allowed, unfastened it:

1. sudo ufw let 80

Output

Rule added Rule added (v6)

After the certificate is issued, region the norm if your exertion does not service HTTP:

1. sudo ufw delete let 80

Output

Rule deleted Rule deleted (v6)

IPv4/IPv6 Dual-Stack Binding Errors

In immoderate Docker environments and VPS configurations, Certbot whitethorn neglect to hindrance to larboard 80 owed to IPv4/IPv6 dual-stack conflicts. The correction typically reads: Problem binding to larboard 80: Could not hindrance to IPv4 aliases IPv6. Use the --preferred-challenges emblem to unit the HTTP-01 situation explicitly:

1. sudo certbot certonly --standalone --preferred-challenges http-01 -d your_domain

If moving wrong a Docker container, guarantee larboard 80 is mapped from the instrumentality to the big and that nary host-level process is besides binding larboard 80.

Challenge Fails pinch Port 80 Open (DNS/IPv6 Mismatch)

If Certbot returns an correction specified arsenic Connection refused aliases Timeout during link moreover though UFW shows larboard 80 arsenic allowed, the origin is often a DNS AAAA record. Let’s Encrypt prefers IPv6 and will effort to scope your domain complete IPv6 first. If your domain has an AAAA grounds pointing to an reside that is not really serving larboard 80, the situation fails sloppy of your IPv4 firewall rules.

Check whether your domain has an AAAA record:

1. dig AAAA your_domain

Output

;; ANSWER SECTION: your_domain. 300 IN AAAA 2001:db8::1

If the AAAA grounds exists but your server does not person IPv6 configured, either region the AAAA grounds from your DNS supplier aliases guarantee the server’s IPv6 reside is besides listening connected larboard 80. To corroborate IPv6 larboard 80 availability:

1. sudo ss -tlnp 'sport = :80'

Output

State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1234,fd=6)) LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=1234,fd=6))

Both an IPv4 (0.0.0.0:80) and IPv6 ([::]:80) introduction should look if your server is dual-stack. If only the IPv4 introduction is coming and an AAAA grounds exists, Let’s Encrypt’s situation will fail.

FAQ

What Is Certbot Standalone Mode and When Should I Use It?

In standalone mode, Certbot temporarily occupies larboard 80 and places a verification token astatine a well-known URL. Let’s Encrypt fetches that token to corroborate you power the domain and past issues the certificate. Use standalone mode erstwhile nary web server is moving connected your system, aliases erstwhile you are securing a non-HTTP work specified arsenic a message server, an MQTT broker, aliases a civilization TCP application.

Do I Need to Stop My Web Server Before Running Certbot successful Standalone Mode?

Yes. Certbot standalone mode binds to larboard 80 to grip the ACME challenge. If Nginx aliases Apache is already bound to larboard 80, Certbot fails pinch a binding error. Stop the web server earlier moving sudo certbot certonly --standalone, past restart it aft the certificate is issued.

How Do I Renew a Let’s Encrypt Certificate Obtained pinch Standalone Mode?

The snap-installed Certbot connected Ubuntu 20.04 registers a systemd timer (snap.certbot.renew.timer) that runs certbot renew doubly daily. For standalone mode, configure pre-hook and post-hook scripts to extremity and restart immoderate work that occupies larboard 80, utilizing either the --pre-hook and --post-hook flags aliases scripts placed successful /etc/letsencrypt/renewal-hooks/. Test the process pinch sudo certbot renew --dry-run.

Where Are the Certificate Files Stored After Certbot Issues Them?

Certificates are stored successful /etc/letsencrypt/live/your_domain/. The files astir services require are fullchain.pem (the afloat certificate concatenation to walk to the work arsenic the SSL certificate), privkey.pem (the backstage key), cert.pem (the end-entity certificate only), and chain.pem (the intermediate concatenation only).

What Happens If Port 80 Is Blocked by a Firewall During Certificate Issuance?

The ACME HTTP-01 situation fails because Let’s Encrypt’s servers cannot scope larboard 80 connected your domain. Open larboard 80 pinch sudo ufw let 80, tally the certbot command, past adjacent it again pinch sudo ufw delete let 80 if your exertion does not service HTTP.

Can I Use Certbot Standalone Mode Inside a Docker Container?

Yes, but larboard 80 must beryllium mapped from the instrumentality to the host, and nary host-level process tin beryllium binding larboard 80 simultaneously. IPv4/IPv6 dual-stack issues tin origin binding failures successful Docker environments. If you brushwood a dual-stack error, guarantee your instrumentality web configuration allows correct larboard mapping, aliases walk --preferred-challenges http-01 to unit the HTTP-01 situation explicitly.

How Long Is a Let’s Encrypt Certificate Valid, and How Often Does It Renew?

Let’s Encrypt certificates are valid for 90 days. Certbot’s systemd timer attempts renewal erstwhile the certificate is wrong 30 days of expiry. If the pre/post hooks are correctly configured and larboard 80 is disposable astatine renewal time, nary manual involution is required.

Is Snap the Recommended Way to Install Certbot connected Ubuntu 20.04?

Yes. The EFF recommends installing Certbot via threat connected Ubuntu 20.04 and later. The python3-certbot apt package is nary longer actively maintained upstream. Installing via threat ensures you person the latest Certbot releases automatically done the threat refresh mechanism.

Conclusion

In this tutorial, you installed Certbot via threat connected Ubuntu 20.04, configured the firewall to let the ACME HTTP-01 situation connected larboard 80 and HTTPS postulation connected larboard 443, obtained a certificate pinch certbot certonly --standalone, verified the certificate specifications pinch openssl, and configured automatic renewal utilizing pre-hook and post-hook scripts alongside the Certbot systemd timer.

The certificate files astatine /etc/letsencrypt/live/your_domain/ are now disposable to configure TLS for immoderate work moving connected your server. The certificate renews automatically without manual intervention, provided the pre/post hooks support larboard 80 free during each renewal attempt.

For adjacent steps, mention to the pursuing resources:

• For Nginx: How To Secure Nginx pinch Let’s Encrypt connected Ubuntu 20.04
• For Apache: How To Secure Apache pinch Let’s Encrypt connected Ubuntu 20.04
• For Ubuntu 22.04: How To Use Certbot Standalone Mode connected Ubuntu 22.04
• Certbot documentation: https://eff-certbot.readthedocs.io/en/stable/