Certbot is an ACME agent (client); the ACME protocol is the Automatic Certificate Management Environment protocol. The following is quoted from Wikipedia:

The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating interactions between certificate authorities and their users' web servers, allowing the automated deployment of public key infrastructure at very low cost.[1][2] It was designed by the Internet Security Research Group (ISRG) for their Let's Encrypt service.[1]

Certbot and Let's Encrypt (LE) stand in a client-server relationship: the two use the ACME protocol to manage certificates automatically.


Together, Certbot and LE provide everyone with free, trusted certificates; LE currently issues only DV (Domain Validation) certificates.

Authenticators are plugins used with the certonly command to obtain a certificate. The authenticator validates that you control the domain(s) you are requesting a certificate for, obtains a certificate for the specified domain(s), and places the certificate in the /etc/letsencrypt directory on your machine. The authenticator does not install the certificate (it does not edit any of your server’s configuration files to serve the obtained certificate). If you specify multiple domains to authenticate, they will all be listed in a single certificate. To obtain multiple separate certificates you will need to run Certbot multiple times.

Installers are Plugins used with the install command to install a certificate. These plugins can modify your webserver’s configuration to serve your website over HTTPS using certificates obtained by certbot.

Plugins that do both can be used with the certbot run command, which is the default when no command is specified. The run subcommand can also be used to specify a combination of distinct authenticator and installer plugins.


For example, the Apache plugin has both an Authenticator and an Installer, and its "Challenge types (and port)" entry lists only tls-sni-01 (443); that is, the Apache plugin uses tls-sni-01 to complete Domain Validation with LE. For the detailed tls-sni-01 validation procedure, see:


The standalone server plugin is an Authenticator only and supports two challenge types: http-01 (80) or tls-sni-01 (443).

The http-01 method is explained in detail on the LE website; because that page includes diagrams, it may be easier to follow than the description on ietf.org.
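As an added example (not code from this page, Certbot or Let's Encrypt), here is the http-01 exchange just mentioned worked through in Python: the client derives the key authorization it must serve from the challenge token and the RFC 7638 thumbprint of its ACME account key, and the CA fetches that file over plain HTTP on port 80 and compares it with the same value. The account key, token and account URL below are constructed placeholders.

```python
import base64
import hashlib
import json
import re

BASE64URL_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")
# Members that enter the RFC 7638 thumbprint, per key type ("kid" etc. are ignored).
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Constructed sample account key (public JWK). The coordinates are dummy bytes,
# not a real P-256 point; only their encoding matters for the thumbprint.
SAMPLE_ACCOUNT_JWK = {
    "kid": "https://acme.example.test/acct/1",  # hypothetical account URL, not part of the thumbprint
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
}
SAMPLE_TOKEN = "constructed-token-Q2VydGJvdA"  # constructed; base64url alphabet only

def is_valid_token(token: str) -> bool:
    """RFC 8555 8.3: reject tokens outside the base64url alphabet (or with '='
    padding) before the token is ever used to build a file path or URL."""
    return bool(BASE64URL_TOKEN.match(token))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, keys sorted, no whitespace, SHA-256, base64url."""
    members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Content the client must serve; it binds the challenge token to the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_url(domain: str, token: str) -> str:
    """Where the CA fetches the proof: plain HTTP on port 80, not HTTPS."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"

def validate_http01_body(body: str, token: str, jwk: dict) -> bool:
    """The CA-side check: the body is the key authorization; trailing whitespace is ignored."""
    return body.rstrip() == key_authorization(token, jwk)
```

Because the thumbprint covers only the public account key, a response served by anyone who does not control that account key (or who serves it for a different token) fails the comparison.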