Getting started with Let's Encrypt and haproxy

I'm in the process of configuring ha-proxy so that it can handle https and http, with a tomcat server as the backend. My current need is:

how do I get the certificates for the first time from LetsEncrypt? Is my understanding correct that I need a certificate and a private key for
Is certbot the tool enabling me to get these certificates? What would be the command when I only need the certificates. Putting them into the right directories etc. I would do manually later
as well as establishing the cron job for updating. For use with haproxy I need to put the files (cert and .key) first into on single PEM file. I'm using a recipe I found at

Thanks in advance for helping.


I got a bit further. Seems that I solved getting the certificate using

certbot certonly --apache -d

I was advised to use --apache instead of --standalone (the latter didn't seem to work)

root@mydomain:~# certbot certonly --standalone -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

But using --apache instead worked. Don't know whether this had to do with the failing of:

root@mydomain:~# snap install --classic certbot
error: snap "certbot" is not available on stable but is available to install on
       the following channels:

       edge       snap install --edge certbot

       Please be mindful pre-release channels may include features not
       completely tested or implemented. Get more information with 'snap info

I'm curious...
What says?:
certbot --version

1 Like

certbot 0.31.0

I see.
Well then those instructions are as old as that version is - LOL

It's good to know that it can work but I would try removing it and updating to a snap version following instructions found at:

It for whatever reason the snap version can't install - open another topic specific to that and reinstall the current version.
None the the certs will be harmed by these steps.

Additionally, if you do need a cert for those other names, start by configuring HTTP vhosts for them (or using one "catchall" vhost) and then issuing them certs.
OR one single cert with all the names on it (simpler):

certbot certonly --apache \
-d -d -d -d ...

Ah, thanks. I already requested certs for smtp, mail, www using distinct commands.
What should I do with these certs now? Can I toss these valuable certs unconcernedly?

1 Like

You can use them "individually" or get a replacement with all the names on it.
Either way is fine.
I just find it "simpler" to combine like names onto a single cert.

1 Like

Thanks. I'll stay now it the individual files. The automatic update (cron) after a couple of months isn't established yet, is it?

Just a note: postfix smtp/tls now works again (first time using letsencrypt) befor that I had to purchase certificates every couple of years. Thanks a lot for providing Let'sEncrypt.


Show the output of:
crontab -l
sudo crontab -l

1 Like
crontab -l 

(as root) doesn't give any results that refer to certbot (only my own scripts I created for other purposes). OTOH, on a different system where I established Let'sEncrypt a couple of months ago and where the automatic update works, I don't see any crontab entries either.

OK, how about?:
systemctl list-timers | grep certbot

1 Like

Aha, thanks.:

# systemctl list-timers | grep certbot
Mon 2021-11-15 20:38:47 CET  3h 57min left Mon 2021-11-15 05:44:23 CET  10h ago      certbot.timer                certbot.service
Description=Run certbot twice daily

OnCalendar=*-*-* 00,12:00:00


ExecStart=/usr/bin/certbot -q renew

Hope I hit the right ones. But twice a day? Isn't that whole lot of too much?
Or ist the update interval buried elsewhere?

It runs twice a day, but will only do anything if necessary. So mostly it's just checking if it should do anything and quits without renewing.


Where is the actual action deposited that crontab is performing? Where does it know when the renewal is due?

crontab -l
should show the action ("certbot renew") and the frequency (twice a day).

You can review the certs (as certbot does) with:
certbot certificates
Once the expiry is below the threshold (default 30 days left), certbot will attempt to renew that cert based on the settings stored in the corresponding /etc/letsencrypt/renewal/CERT-NAME.conf file.

1 Like

Sorry, my question was put inprecise since crontab isn't involved. It's timers that do the task.
crontab -l doesn't yield anything as I already stated somewhere above.

Then systemd timer should do the same thing: Execute "certbot renew" twice a day.

1 Like

OK. Thanks. Then it's the line /lib/systemd/system/certbot.service

ExecStart=/usr/bin/certbot -q renew

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.