Let's Encrypt

Let's Encrypt is a Certification Authority (CA) that issues the certificates required to enable HTTPS for a website or web server. Let's Encrypt issues such a certificate to anyone who demonstrates control over the server on which the web server runs.
Let’s Encrypt is a joint project of EFF, Mozilla and many other sponsors.

Certbot

Certbot is the ACME client (see RFC 8555) recommended by Let's Encrypt (a list of other client implementations is here).
Certbot fetches a certificate from Let's Encrypt. Generated keys and fetched certificates are stored under /etc/letsencrypt/live/$domain ($domain = certificate name).
Certbot is meant to be run on the machine where the webserver is hosted.
If Certbot is run with root privileges, it is able to automatically configure TLS/SSL for Apache and nginx.
Most modern Linux distributions (basically any that use systemd) can install Certbot packaged as a snap.
Some commands:
Log file: /var/log/letsencrypt.

APT package certbot

Some interesting files in the APT package certbot are:
$ apt-file show certbot
certbot: /etc/cron.d/certbot
certbot: /etc/letsencrypt/cli.ini
certbot: /etc/logrotate.d/certbot
certbot: /lib/systemd/system/certbot.service
certbot: /lib/systemd/system/certbot.timer
certbot: /usr/bin/certbot
certbot: /usr/bin/letsencrypt
  …

nginx-confgen

$ apt show python3-certbot-nginx 2>/dev/null | grep Description
Description: Nginx plugin for Certbot

apache/nginx

I found the following insight of Allan John (LetsEncrypt: Multiple IP address One domain) interesting:
When certbot is run with the apache or nginx plugin, certbot spins up a dummy webserver with an acme-challenge file, so that when letsencrypt wants to validate the domain and reaches out to the server, this challenge file is served by certbot. Once verified, the dummy server is destroyed along with the challenge files, and the certificate is generated and stored on the server.
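The acme-challenge file mentioned in the quote above carries an RFC 8555 key authorization: the challenge token, a dot, and the RFC 7638 thumbprint of the ACME account key. As an added example (not code from this page or from certbot), the following computes that body from a constructed sample account JWK and token, and checks a served body against the account key, which is what you would want when auditing a challenge responder of your own:

```python
import base64
import binascii
import hashlib
import hmac
import json
import re

# RFC 7638: only these members enter the thumbprint, sorted lexicographically, no whitespace.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
B64URL_RE = re.compile(r"[A-Za-z0-9_-]+")

# Constructed sample account key and token (not real Let's Encrypt values).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 8555 requires throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the key's required members (RFC 7638)."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the client serves at /.well-known/acme-challenge/<token> (RFC 8555 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def verify_key_authorization(token: str, served: str, jwk: dict) -> bool:
    """Check a served challenge body against our own account key.

    The token must be unpadded base64url carrying at least 128 bits (RFC 8555 8.3);
    whitespace after the body is ignored, as the CA does."""
    if not B64URL_RE.fullmatch(token):
        return False
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return False
    if len(raw) < 16:
        return False
    return hmac.compare_digest(served.rstrip(), key_authorization(token, jwk))


if __name__ == "__main__":
    body = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print("serve at /.well-known/acme-challenge/%s:\n%s" % (SAMPLE_TOKEN, body))
    print("verifies:", verify_key_authorization(SAMPLE_TOKEN, body, SAMPLE_JWK))
```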

Staging Environment

Let's Encrypt recommends using its staging environment for tests before using the production environment.
The ACME URL for the staging environment is https://acme-staging-v02.api.letsencrypt.org/directory.
When using certbot, the --test-cert option instructs it to use the staging environment.

See also

The Python library certbot
RFC 8555
The deb package certbot
/etc/letsencrypt
/var/log/letsencrypt/letsencrypt.log

Links

Ask questions on the Let's Encrypt Community Forum
github repository certbot
https://acme-v02.api.letsencrypt.org/directory and /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/0123456789abcdef0123456789abcdef
The public certificate transparency log: https://crt.sh/?q=osm.renenyffenegger.ch
