Let’s Encrypt provides free, trusted TLS certificates, and Certbot is the official client for obtaining and renewing them automatically. On RHEL 8, Certbot is available through the EPEL repository and integrates tightly with both Nginx and Apache via dedicated plugins. Automating renewals with the built-in systemd timer ensures your certificates never expire without manual intervention. This tutorial walks through installing Certbot, issuing a certificate for a domain, and verifying that automatic renewals are working correctly.

Prerequisites

  • RHEL 8 server with a fully qualified domain name (FQDN) pointing to its public IP
  • Nginx or Apache installed and serving HTTP traffic on port 80
  • EPEL 8 repository enabled (dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm)
  • Root or sudo access
  • Ports 80 and 443 open in firewalld

Step 1 — Enable EPEL and Install Certbot

EPEL 8 provides Certbot and both the Nginx and Apache plugins. Install the package that matches your web server.

# Enable EPEL if not already active
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

# For Nginx
dnf install -y certbot python3-certbot-nginx

# For Apache
dnf install -y certbot python3-certbot-apache

# Confirm installation
certbot --version

Step 2 — Obtain a Certificate

Use the --nginx or --apache flag so Certbot automatically edits your web server configuration to enable HTTPS and redirect HTTP traffic.

# Nginx (replace domain.com with your actual domain)
certbot --nginx -d domain.com -d www.domain.com

# Apache
certbot --apache -d domain.com -d www.domain.com

# Standalone mode (no web server running on port 80)
certbot certonly --standalone -d domain.com

Follow the prompts to supply an email address and accept the Terms of Service. Certbot writes the certificate to /etc/letsencrypt/live/domain.com/.

Step 3 — Test Automatic Renewal

Before relying on the timer, perform a dry run to confirm that the renewal process will succeed without actually replacing certificates.

# Simulate renewal without modifying certificates
certbot renew --dry-run

# Expected output includes:
# Congratulations, all simulated renewals succeeded

Step 4 — Verify the systemd Timer

Certbot installs a systemd timer that triggers renewal checks twice daily (at a randomised offset). Confirm it is active and review the next scheduled run.

# Check timer status (the EPEL package names the unit certbot-renew.timer)
systemctl status certbot-renew.timer

# List all certbot-related units
systemctl list-timers --all | grep certbot

# Enable and start the timer if it is not already running
systemctl enable --now certbot-renew.timer

Step 5 — Inspect Installed Certificates

Use certbot certificates to view every certificate managed on this server along with its expiry date and the domains it covers.

# List all certificates and expiry dates
certbot certificates

# Sample output:
# Certificate Name: domain.com
#   Domains: domain.com www.domain.com
#   Expiry Date: 2026-08-15 (VALID: 89 days)
#   Certificate Path: /etc/letsencrypt/live/domain.com/fullchain.pem
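
A renewal that fails silently shows up as a certificate whose remaining validity keeps falling past the point where Certbot should have replaced it (by default it attempts renewal once fewer than 30 days remain). The script below is an added example, not part of the original tutorial or of Certbot itself: it parses certbot certificates output and flags every certificate that is INVALID or below a day threshold. The sample output, the names stale.example and dead.example, the function names and the 21-day threshold are constructed for illustration, and the timestamp, hour(s) and INVALID status forms are assumptions about output beyond the sample shown above.

```shell
#!/bin/sh
# Added example: flag certificates that automatic renewal has not kept fresh.

# Reads `certbot certificates` output on stdin and prints "<name> <status>"
# for each certificate that is INVALID or has fewer than $1 days left.
certs_needing_attention() {
    threshold="${1:-21}"   # assumed default, below the 30-day renewal window
    awk -v min="$threshold" '
        /Certificate Name:/ {
            name = $0
            sub(/.*Certificate Name:[ \t]*/, "", name)
            next
        }
        /Expiry Date:/ {
            if (match($0, /\(INVALID[^)]*\)/)) {
                print name, "INVALID"
            } else if (match($0, /VALID: [0-9]+ day/)) {
                # Skip the 7 characters of "VALID: " and read the number
                days = substr($0, RSTART + 7, RLENGTH - 7) + 0
                if (days < min) print name, days "d"
            } else if ($0 ~ /VALID: [0-9]+ hour/) {
                print name, "0d"
            } else {
                print name, "UNPARSED"   # unknown format: fail loudly
            }
        }
    '
}

# Exit status wrapper for cron or a monitoring agent: 0 = healthy, 1 = flagged.
renewal_health() {
    flagged=$(certs_needing_attention "$1")
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged"
        return 1
    fi
    return 0
}

# Constructed sample in the format shown in Step 5 (not real output).
sample_output() {
cat <<'EOF'
  Certificate Name: domain.com
    Expiry Date: 2026-08-15 10:12:03+00:00 (VALID: 89 days)
  Certificate Name: stale.example
    Expiry Date: 2026-05-30 08:00:00+00:00 (VALID: 12 days)
  Certificate Name: dead.example
    Expiry Date: 2026-04-01 08:00:00+00:00 (INVALID: EXPIRED)
EOF
}

sample_output | certs_needing_attention 21
```

On a live server, pipe the real command into the wrapper instead: certbot certificates 2>/dev/null | renewal_health 21.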

Step 6 — Add Pre-Hook and Post-Hook Scripts

Hooks let you run commands before and after each renewal — for example, stopping a service that binds port 80 or reloading the web server after a new certificate is installed.

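# Create a pre-hook to stop a standalone service (if needed); hooks run as root, so keep them root-owned
cat > /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh << 'EOF'
#!/bin/bash
systemctl stop nginx
EOF
chmod +x /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh

# Create a post-hook to start and reload Nginx after renewal
cat > /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh << 'EOF'
#!/bin/bash
systemctl start nginx
systemctl reload nginx
EOF
chmod +x /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh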

# Hooks are also accepted via --pre-hook / --post-hook flags
certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"

Conclusion

You have installed Certbot on RHEL 8, obtained a Let’s Encrypt certificate using the Nginx or Apache plugin, confirmed automatic renewal with a dry run, and verified that the systemd timer fires twice daily. Pre-hook and post-hook scripts give you fine-grained control over service management during the renewal window, ensuring zero-downtime certificate rotation.

Next steps: How to Configure Nginx with HTTP/2 and SSL on RHEL 8, How to Set Up a Wildcard Certificate with Certbot on RHEL 8, and How to Harden TLS Configuration with Mozilla SSL Config Generator on RHEL 8.