The (gnu services certbot) module provides a service to
automatically obtain a valid TLS certificate from the Let’s Encrypt
certificate authority. These certificates can then be used to serve
content securely over HTTPS or other TLS-based protocols, with the
knowledge that the client will be able to verify the server's identity.
Let's Encrypt provides the
certbot tool to automate the certification process. This tool
first securely generates a key pair on the server. It then sends a request
to the Let's Encrypt certificate authority (CA) to sign the public key. The CA
checks that the requester controls the host in question by using a
challenge-response protocol, requiring the server to provide its
response over plain HTTP on port 80. If that protocol completes successfully, the CA
signs the key, resulting in a certificate. That certificate is valid
for a limited period of time (Let's Encrypt certificates expire after 90 days), and therefore to continue to provide TLS
services, the server needs to periodically ask the CA to renew it.
The certbot service automates this process: the initial key generation, the initial certification request to the Let’s Encrypt service, the web server challenge/response integration, writing the certificate to disk, and the automated periodic renewals.
A service type for the certbot Let's Encrypt client.
Data type representing the configuration of the certbot service.
This type has the following parameters:
The certbot package to use.
The directory from which to serve the Let’s Encrypt challenge/response files.
A list of hosts for which to generate certificates and request signatures. Each host must resolve to this machine and be reachable on port 80 from the public Internet, or the HTTP challenge for it will fail.
default-location (default: see below)
Because certbot needs to be able to serve challenges and responses, it needs to be able
to run a web server. It does so by extending the nginx web
service with an
nginx-server-configuration listening on the
hosts on port 80, and which has an
nginx-location-configuration for the
path subspace used by Let's Encrypt for its HTTP challenges. See Web Services, for more on
these nginx configuration data types.
Requests to other URL paths will be matched by the
default-location, which if present is added to all of the nginx-server-configurations the service creates.
By default, the
default-location will issue a redirect from the plain-HTTP URL to the same path on the same host over HTTPS, leaving
you to define what to serve on your site over HTTPS. Requests for the Let's Encrypt challenge paths are not affected, since they are matched by the dedicated location first. Pass
#f to not issue a default location.
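The challenge-response exchange described above, and the port-80 routing that the nginx server block is configured for (challenge paths served from the webroot, everything else redirected to HTTPS), as a self-contained simulation. This is an added example written for this page, not code from Guix or from certbot; the class and function names (HostAgent, AcmeCa, route_http, run_demo) are invented for illustration, the account JWK is a constructed placeholder rather than a real key, and the CA's HTTP fetch is simulated by reading the file the host wrote into a temporary webroot. The key-authorization construction (token "." account-key thumbprint) follows RFC 8555 section 8.1 and the thumbprint follows RFC 7638, which is what certbot and the real CA exchange.

```python
"""Simulated ACME HTTP-01 flow plus the port-80 routing the certbot service sets up.
Added example: not Guix or certbot code. Names are invented; the JWK is a placeholder."""

import base64
import datetime
import hashlib
import json
import os
import re
import secrets
import tempfile

# Path subspace used by ACME HTTP-01 challenges (RFC 8555, section 8.3).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Tokens are unpadded base64url; anything else is rejected so a hostile
# token cannot turn into a path traversal when joined to the webroot.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required public members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the challenge response binds the token to the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class HostAgent:
    """The certbot side: holds the account key and writes responses into the nginx webroot."""

    def __init__(self, webroot: str, account_jwk: dict):
        self.webroot, self.account_jwk = webroot, account_jwk

    def respond(self, token: str) -> str:
        if not TOKEN_RE.match(token):
            raise ValueError("malformed challenge token")
        directory = os.path.join(self.webroot, ".well-known", "acme-challenge")
        os.makedirs(directory, exist_ok=True)
        with open(os.path.join(directory, token), "w") as fh:
            fh.write(key_authorization(token, self.account_jwk))
        return CHALLENGE_PREFIX + token


class AcmeCa:
    """The CA side: issues a random token, fetches the response over 'HTTP' and compares."""

    def __init__(self, account_jwk: dict):
        self.account_jwk = account_jwk
        self.token = b64url(secrets.token_bytes(32))

    def validate(self, fetch) -> bool:
        status, body = fetch(CHALLENGE_PREFIX + self.token)
        expected = key_authorization(self.token, self.account_jwk)
        # Constant-time compare; trailing whitespace in the body is tolerated as in RFC 8555.
        return status == 200 and secrets.compare_digest(body.rstrip(), expected)


def route_http(host: str, path: str, webroot: str):
    """Model of the port-80 server block: challenge paths come from the webroot,
    every other path gets the default-location redirect to HTTPS."""
    if path.startswith(CHALLENGE_PREFIX):
        token = path[len(CHALLENGE_PREFIX):]
        if not TOKEN_RE.match(token):
            return 404, ""
        file_path = os.path.join(webroot, ".well-known", "acme-challenge", token)
        if not os.path.isfile(file_path):
            return 404, ""
        with open(file_path) as fh:
            return 200, fh.read()
    return 301, f"https://{host}{path}"


def needs_renewal(not_after_iso: str, now_iso: str, margin_days: int = 30) -> bool:
    """True when fewer than margin_days of validity remain (certbot renews in the last 30 days)."""
    not_after = datetime.datetime.fromisoformat(not_after_iso)
    now = datetime.datetime.fromisoformat(now_iso)
    return not_after - now < datetime.timedelta(days=margin_days)


def run_demo(host: str = "www.example.org") -> dict:
    """One issuance: CA token, response written to the webroot, CA validation, plus
    a request to another path, a traversal attempt, and an impostor CA holding a
    different account key."""
    # Constructed placeholder JWK: only its thumbprint matters for this flow.
    jwk = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
    with tempfile.TemporaryDirectory() as webroot:
        agent, ca = HostAgent(webroot, jwk), AcmeCa(jwk)
        agent.respond(ca.token)
        fetch = lambda path: route_http(host, path, webroot)
        validated = ca.validate(fetch)
        other = route_http(host, "/index.html", webroot)
        traversal = route_http(host, CHALLENGE_PREFIX + "../../etc/passwd", webroot)
        impostor = AcmeCa(dict(jwk, x=b64url(b"\x03" * 32)))
        impostor.token = ca.token  # same token, different account key: must fail
        impostor_ok = impostor.validate(fetch)
    return {"validated": validated, "other_path": other,
            "traversal": traversal[0], "impostor": impostor_ok}


if __name__ == "__main__":
    print(run_demo())
```

The two checks worth noticing are the token character-class filter before the token is joined to the webroot path (the real certbot and nginx handle this for you, but anything that serves a webroot by hand must do the same) and that validation fails for an impostor who knows the token but not the account key, which is what makes the exchange a proof of control rather than a guessable string.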
The certificate, together with the CA's intermediate certificates that chain it to a trusted root, will be written to
/etc/letsencrypt/live/host/fullchain.pem, for each
host in the configuration. Point your TLS server at fullchain.pem rather than the leaf certificate alone, so that clients receive the intermediate certificate as well. The private key is written to