Simplifying SSL with Let’s Encrypt and CLI.ini: A DevOps Guide

In the vast expanse of the internet, security is not just a luxury; it’s a necessity. For web developers and system administrators, ensuring that web traffic is encrypted is a foundational aspect of protecting users’ data. Enter Let’s Encrypt, a free, automated, and open Certificate Authority (CA) that has revolutionized the way we secure websites. This guide aims to unravel the complexities of using Let’s Encrypt, focusing on the power of the cli.ini configuration file, and providing a comprehensive introduction to securing your web servers with HTTPS.

Introduction to Let’s Encrypt

Let’s Encrypt is a free service that provides digital certificates to enable HTTPS (SSL/TLS) for websites, thereby ensuring secure connections. What sets Let’s Encrypt apart is its simplicity and automation. With a few commands, you can obtain and renew certificates without the need to manually generate Certificate Signing Requests (CSRs) or configure your server to serve the right certificate.

The Role of Certbot and CLI.ini

Certbot is the most popular Let’s Encrypt client, designed to simplify the process of obtaining and renewing certificates. While Certbot’s command-line interface is intuitive, managing multiple certificates or automating the renewal process can become tedious. This is where the cli.ini file becomes invaluable.

The cli.ini file allows you to specify Certbot options in a configuration file, making it easier to automate and standardize certificate management across your infrastructure. With cli.ini, you can pre-define settings for email contact, webroot paths, security policies, and more.

Getting Started with Let’s Encrypt and Certbot

Before diving into the specifics of the cli.ini file, let’s outline the steps to get started with Let’s Encrypt and Certbot:

  1. Installation: The first step is to install Certbot on your server. This varies by operating system and web server, but Certbot’s website provides tailored instructions for most environments.
  2. Obtaining a Certificate: After installation, you can obtain a certificate using various plugins like webroot, standalone, or nginx. The choice of plugin depends on your server setup and how you prefer to validate domain ownership.
  3. Automating Renewal: Certbot can automatically renew your certificates before they expire. Setting up a cron job or a systemd timer ensures your certificates are always up to date without manual intervention.

Understanding CLI.ini Configuration

The cli.ini file is the heart of automating and customizing Certbot’s behavior. Located in Certbot’s configuration directory (typically /etc/letsencrypt/cli.ini), this file contains global flags and settings applied to every Certbot command, with each line naming a command-line option without its leading dashes. Here’s how to make the most of it:

Basic Configuration Options

  • Email and Agreement: Automate the agreement to terms of service and specify your contact email for important notifications.

email = admin@example.com
agree-tos = True

  • Non-Interactive Mode: Essential for automation, this option runs Certbot without waiting for user input.

non-interactive = True

Security and Performance

  • Key Size and Type: Define the RSA key size, or opt for an ECDSA key for smaller keys and faster TLS handshakes. When key-type is set to ecdsa, the rsa-key-size setting is ignored, and 2048 bits is the minimum you should accept for RSA.

rsa-key-size = 2048
key-type = ecdsa
elliptic-curve = secp384r1

  • OCSP Must-Staple: Enhance security by requesting certificates with the OCSP Must-Staple extension, which tells clients to reject the certificate if the server does not staple a fresh OCSP response. Note that Let’s Encrypt has since announced the end of its OCSP service and stopped issuing certificates carrying this extension, so check the CA’s current policy before enabling it.

must-staple = True

Domain and Webroot Configuration

For those using the webroot plugin, specifying your domains and webroot paths in cli.ini simplifies the command you need to run.

authenticator = webroot
domains = example.com,www.example.com
webroot-path = /var/www/html

Hooks: Automating Service Management

Certbot can execute scripts before and after each renewal attempt (pre-hook and post-hook), allowing you to automate service restarts or configuration changes. Stopping the web server as below is only needed with the standalone authenticator, which must bind port 80 itself; with the webroot or nginx plugins, prefer a deploy-hook that reloads the server, since deploy-hook runs only after a certificate was actually issued and a reload avoids downtime.

pre-hook = systemctl stop nginx
post-hook = systemctl start nginx

Advanced Configuration: Standalone Mode and HTTP Challenges

If you’re using Certbot’s standalone mode, especially when no web server is running, you might need to specify an alternative port for the HTTP-01 challenge. Note that http-01-port only changes the port Certbot listens on locally; the ACME server still connects to port 80, so a firewall or proxy rule must forward port 80 to the chosen port.

authenticator = standalone
http-01-port = 8080
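The settings above are easy to get subtly wrong in automation. As an added example that is not part of this guide or of Certbot itself, the following script parses a cli.ini in Certbot’s flat key = value format and flags the pitfalls discussed here; the sample file and the severity labels are constructed for the demonstration.

```python
"""Audit a Certbot cli.ini for settings that weaken keys or break unattended renewal."""
import re

# Constructed sample built from the fragments in this guide, with a weak key on purpose.
SAMPLE_CLI_INI = """\
# /etc/letsencrypt/cli.ini (constructed sample)
email = admin@example.com
agree-tos = true
key-type = rsa
rsa-key-size = 1024
authenticator = webroot
domains = example.com,www.example.com
webroot-path = /var/www/html
pre-hook = systemctl stop nginx
post-hook = systemctl start nginx
"""

TRUE_VALUES = ("true", "yes", "1")


def parse_cli_ini(text):
    """Parse Certbot's flat 'key = value' file; lines starting with '#' or ';' are comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key.lower().replace("_", "-")] = value  # rsa_key_size and rsa-key-size name the same flag
    return cfg


def audit_cli_ini(cfg):
    """Return (severity, message) findings; the severities are this script's own labels."""
    findings = []
    key_type = cfg.get("key-type", "rsa").lower()
    rsa_bits = int(cfg.get("rsa-key-size", "2048"))
    if key_type == "rsa" and rsa_bits < 2048:
        findings.append(("high", f"rsa-key-size = {rsa_bits} is below the 2048-bit minimum"))
    if key_type == "ecdsa" and "rsa-key-size" in cfg:
        findings.append(("info", "rsa-key-size is ignored when key-type = ecdsa"))
    if cfg.get("non-interactive", "").lower() not in TRUE_VALUES:
        findings.append(("medium", "non-interactive not set; unattended renewals can stall on prompts"))
    if "email" not in cfg:
        findings.append(("medium", "no email set; expiry and revocation notices cannot reach you"))
    if cfg.get("authenticator") == "webroot":
        for hook in ("pre-hook", "post-hook"):
            if re.search(r"\b(stop|start|restart)\b", cfg.get(hook, "")):
                findings.append(("low", f"{hook} stops or starts the web server; with webroot, "
                                        "prefer deploy-hook with a reload to avoid downtime"))
    return findings
```

Running audit_cli_ini(parse_cli_ini(SAMPLE_CLI_INI)) reports the 1024-bit key, the missing non-interactive flag and both server-stopping hooks; point parse_cli_ini at your real /etc/letsencrypt/cli.ini to check a deployment.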