
I am writing a bash script which bootstraps the whole project infrastructure on a freshly installed server, and I want to configure SSL installation with the Let's Encrypt certbot. After I execute the line:

certbot --nginx -d $( get_server_name ) -d www.$( get_server_name ).com

I get prompted for a few questions. Can certbot be run without any interaction while passing some of the params as arguments or something?

Jesse Nickles
Laimonas Sutkus

2 Answers


You can run certbot 'silently' by adding the following options:

--non-interactive --agree-tos -m webmaster@example.com

The full list of config options is available here:

https://certbot.eff.org/docs/using.html

match
  • also include `--domains` – Arno Duvenhage May 16 '19 at 12:41
  • Keep in mind that `--non-interactive` is not fail-proof, and the certificate will still fail to generate if the 3 mandatory flags are missing (see my answer for more info). – Jesse Nickles Nov 06 '19 at 11:20
  • Did not work. I got this error: `Missing command line flags. For non-interactive execution, you will need to specify a plugin on the command line. Run with '--help plugins' to see a list of options, and see https://eff.org/letsencrypt-plugins for more detail on what the plugins do and how to use them.` – Ahmed Nov 07 '19 at 17:20
  • Ahmed, you're missing `--apache`, or `--nginx`, or whatever server you're using. I found the "also include `--domains`" comment insufficient, by the way; it wasn't clear to me that the server name needs to follow it. Here's my full command format, which worked (with root): `certbot --nginx --non-interactive --agree-tos --domains example.com --email webmaster@example.com` – DHW Dec 20 '19 at 03:51
  • @Ahmed Can you help me with what this means: "The Name Server domain is not reachable from the Internet because there is a firewall or filtering router that is blocking connections to port 53 on this host for both UDP and TCP connections. The firewall configuration must permit connections on this port from any host on the Internet for the DNS to function properly." – Kwall May 17 '21 at 20:03
  • Looks like `--non-interactive` is now `-n` (version 1.18.0), so a complete example is `certbot certonly -n -d example.com --agree-tos -m me@example.com` – danialk Aug 15 '21 at 12:07
  • `--non-interactive` is still working; however, the `-d` arg is not working anymore, it could be `--domains mydomain.com` – Marc Guillem Dec 09 '21 at 17:53

There are several inline flags and "subcommands" (their nickname) provided by Certbot that can help to automate the process of generating free SSL certificates using Bash or shell scripts.

The most relevant flag, as mentioned by @match, is:

  • `--noninteractive`, or alternatively `--non-interactive`

However, in reality this flag is not very helpful, because it doesn't do very much. If there are critical flags missing from your script, for example, the certificate will still fail to generate. Frankly, I think it would be better for Certbot to cancel the above flag, because it's rather misleading.

Here are the minimum flags required:

  1. `--agree-tos`
  2. `--register-unsafely-without-email`, or `-m username@example.com`
  3. `-d example.com` and/or `-d www.example.com`

You also must specify what type of Let's Encrypt installer plugin (environment) you want; for example, you can choose from "standalone" or "manual", etc. For most cases, like a WordPress web server, you should choose "webroot" so that Certbot can easily verify ownership via the public root (make sure access to /.well-known* is not blocked):

--webroot -w /var/www/html/

Here is the complete command we use in SlickStack to install SSL certs:

## install Certbot SSL certificate ##
certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_TLD} -d www.${SITE_TLD} -d staging.${SITE_TLD} -d dev.${SITE_TLD} --register-unsafely-without-email --webroot -w /var/www/html/

In our case we hardcode the --cert-name to be slickstack because only one website is installed on each VPS server, so it makes other server admin tasks (and scripts) easier to manage. However, if you are installing several domains and SSL certs on the same server, you could change the subcommand --cert-name to be named after each TLD domain instead, etc. This affects the SSL directory names, thus helping to keep your files/folders nice and tidy.

Jesse Nickles
  • NICE :) `certbot certonly --noninteractive --agree-tos --cert-name ${SITE_TLD} -d ${SITE_DOMAIN_ONE} -d ${SITE_DOMAIN_TWO} -m ${SSL_EMAIL} --webroot -w /var/www/html/` – Dr Deo Jun 03 '20 at 18:34
  • `sudo certbot --noninteractive --agree-tos --no-eff-email --cert-name domain.com --apache --no-redirect -d domain.com -d www.domain.com -m siteadminsemail@gmail.com` – Dr Deo Jun 12 '20 at 09:29
  • The error message is misleading, as it led me to believe I could make a separate invocation using only the `--agree-tos` and `-m` options to get that out of the way, and then subsequently would not need it. That does not seem to be the case. On a different host I never need to use this and it was long enough ago I don't recall what I did. – Michael Mar 05 '23 at 19:34
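A worked example that ties both answers together (added here; it is not code from the question, from either answer, or from the SlickStack project): a bootstrap-script fragment that assembles the certbot command line from variables and then checks, before anything is executed, that every item the answers and the "Missing command line flags" comments identify as mandatory is present: a non-interactive flag, `--agree-tos`, an email decision (`-m`/`--email` or `--register-unsafely-without-email`), at least one `-d`/`--domains`, and an authenticator plugin such as `--webroot` or `--nginx`. The domain, email address and webroot path are constructed sample values, the helper names are hypothetical, and certbot itself is only executed when `RUN_CERTBOT=1` is set, with a `--dry-run` against the Let's Encrypt staging environment first so a misconfigured script does not burn production rate limits.

```shell
#!/bin/sh
# Added example: build and sanity-check a non-interactive certbot invocation.
# Hypothetical helper names; sample values below are constructed for the demo.

SITE_TLD="${SITE_TLD:-example.com}"          # constructed sample domain
SSL_EMAIL="${SSL_EMAIL:-admin@example.com}"  # constructed sample contact address
WEBROOT="${WEBROOT:-/var/www/html/}"         # assumed document root (webroot plugin)

# Print one certbot command line. $1 is the registration method
# ("email" uses -m $SSL_EMAIL, "unsafe" uses --register-unsafely-without-email);
# every further argument is a domain that gets its own -d flag.
build_certbot_cmd() {
    method="$1"; shift
    cmd="certbot certonly --non-interactive --agree-tos"
    case "$method" in
        email)  cmd="$cmd -m $SSL_EMAIL" ;;
        unsafe) cmd="$cmd --register-unsafely-without-email" ;;
        *)      echo "unknown registration method: $method" >&2; return 1 ;;
    esac
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    cmd="$cmd --webroot -w $WEBROOT"
    printf '%s\n' "$cmd"
}

# Return 0 and print "ok" when the command line carries everything certbot
# needs to run without prompting; otherwise print the first missing item
# and return 1. The string is padded with spaces so whole-word matching works.
check_required_flags() {
    padded=" $1 "
    case "$padded" in
        *" --non-interactive "*|*" --noninteractive "*|*" -n "*) ;;
        *) echo "missing --non-interactive"; return 1 ;;
    esac
    case "$padded" in
        *" --agree-tos "*) ;;
        *) echo "missing --agree-tos"; return 1 ;;
    esac
    case "$padded" in
        *" -m "*|*" --email "*|*" --register-unsafely-without-email "*) ;;
        *) echo "missing -m/--email or --register-unsafely-without-email"; return 1 ;;
    esac
    case "$padded" in
        *" -d "*|*" --domains "*|*" --domain "*) ;;
        *) echo "missing -d/--domains"; return 1 ;;
    esac
    case "$padded" in
        *" --webroot "*|*" --nginx "*|*" --apache "*|*" --standalone "*|*" --manual "*) ;;
        *) echo "missing plugin (--webroot, --nginx, --apache, --standalone or --manual)"; return 1 ;;
    esac
    echo "ok"
}

# Bootstrap flow: build the command, refuse to continue if a flag is missing,
# then only run certbot when explicitly asked (staging dry run before the real issuance).
CERTBOT_CMD=$(build_certbot_cmd email "$SITE_TLD" "www.$SITE_TLD")
check_required_flags "$CERTBOT_CMD" >/dev/null || exit 1
if [ "${RUN_CERTBOT:-0}" = "1" ]; then
    $CERTBOT_CMD --dry-run && $CERTBOT_CMD   # word splitting of $CERTBOT_CMD is intentional
else
    echo "Would run: $CERTBOT_CMD"
fi
```

The check catches exactly the failure mode from the comments: a command such as the question's `certbot --nginx -d ...` passes the plugin test but is rejected for lacking the non-interactive and `--agree-tos` flags, while `certbot --non-interactive --agree-tos -m ... -d ...` without any plugin is rejected with the same complaint certbot itself prints.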