Skip to main content

Documentation Index

Fetch the complete documentation index at: https://infisical.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

Set up automatic TLS certificates for your Apache HTTP Server using Infisical and Certbot. Apache has excellent Certbot integration for both certificate-only mode and automatic SSL configuration.
This guide assumes you have an Application with ACME enrollment configured.

Prerequisites

  • An Apache HTTP Server running on Linux with administrative access
  • An Application in Infisical with ACME enrollment configured
  • Network connectivity from your Apache server to Infisical
  • Port 80 open for HTTP-01 validation

Guide

1

Get ACME Credentials from Infisical

In your Application, go to the Settings tab and find the Certificate Profiles section. Click Configure on the profile with ACME enrollment, then click Reveal ACME EAB to view the credentials:
CredentialPurpose
ACME Directory URLThe URL Certbot uses to communicate with Infisical
EAB Key Identifier (KID)Identifies your ACME account
EAB SecretAuthenticates your ACME client
Keep your EAB credentials secure. They authenticate your ACME client with Infisical and are unique to each enrollment.
2

Install Certbot

Install Certbot with the Apache plugin on the server where Apache is running by following the official Certbot installation guide.The installation guide provides up-to-date instructions for various Linux distributions and package managers, ensuring you get the most current version and proper Apache plugin integration.After installation, you can verify that Certbot has been installed correctly by running:
certbot --version
3

Request Certificate Using Certbot

Run the following command to request a certificate from Infisical:
sudo certbot certonly \
  --apache \
  --server "https://your-infisical-instance.com/api/v1/cert-manager/acme/applications/{application-id}/profiles/{profile-id}/directory" \
  --eab-kid "your-eab-key-identifier" \
  --eab-hmac-key "your-eab-secret" \
  -d example.infisical.com \
  --email admin@example.com \
  --agree-tos \
  --non-interactive
For guidance on each parameter:
  • certonly: Instructs Certbot to request a certificate without modifying your Apache configuration files; this mode is recommended if you prefer to manage your Apache SSL configuration manually or have a complex setup.
  • --apache: Specifies the Apache plugin so Certbot can solve the HTTP-01 challenge by creating temporary files served by Apache.
  • --server: The Infisical ACME directory URL from Step 1. This instructs Certbot to communicate with Infisical’s ACME server instead of Let’s Encrypt.
  • --eab-kid: Your External Account Binding (EAB) Key Identifier from Step 1.
  • --eab-hmac-key: The EAB secret associated with the KID from Step 1.
  • -d: Specifies the domain name for which the certificate is being requested.
  • --email: The contact email for expiration notices and account recovery.
  • --agree-tos: Accepts the ACME server’s Terms of Service.
  • --non-interactive: Runs Certbot without prompting for user input (recommended for automation).
The Certbot command generates a private key on your server, creates a Certificate Signing Request (CSR) using that key, and sends the CSR to Infisical for certificate issuance. Certbot stores the private key and resulting leaf certificate and full certificate chain in /etc/letsencrypt/live/{domain-name}/.If --certonly is used: Certbot does not modify your Apache configuration, so you must manually update your Apache virtual host to reference the new certificate files and reload the server to apply the changes.Here’s an example SSL virtual host configuration for Apache:
<VirtualHost *:443>
    ServerName example.infisical.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.infisical.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.infisical.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.infisical.com/chain.pem

    # Your existing configuration...
</VirtualHost>
After updating the virtual host configuration, test and reload Apache to apply the changes:
sudo apache2ctl configtest
sudo systemctl reload apache2
If --certonly was not used: Certbot uses installer mode, which attempts to automatically configure HTTPS by updating your Apache virtual host configuration and reloading the server if needed.At this point, your Apache server should be successfully serving HTTPS using the certificate issued by Infisical.
4

Verify Certificate Installation

After configuring Apache SSL, verify that your certificate was issued correctly and Apache is serving it properly.Check that the certificate files were created by Certbot:
sudo ls -la /etc/letsencrypt/live/example.infisical.com/
You should see files like:
  • cert.pem (your certificate)
  • chain.pem (certificate chain)
  • fullchain.pem (certificate + chain)
  • privkey.pem (private key)
5

Renew Your Certificate with Certbot

Certbot automatically installs a systemd timer during installation. This timer runs twice per day and checks whether any certificates are due for renewal. Because Certbot stores the ACME server URL and EAB credentials from your initial request, renewal will automatically use the same Infisical ACME configuration—no additional settings are required.Note that Certbot automatically renews certificates when they are within 30 days of expiration; renewal settings can be adjusted in /etc/letsencrypt/renewal/{domain-name}.conf.
# ... your existing configuration ...

renew_before_expiry = 30 days
To test the renewal process, run the following command:
sudo certbot renew --dry-run
This command simulates the full renewal process without modifying your active certificate. If the dry run succeeds, automatic renewal will work as expected.To trigger an actual renewal immediately, run the following command:
sudo certbot renew --force-renewal
Note that after a certificate is renewed, Apache must be reloaded so it can begin using the new certificate. To do this, run the following command:
sudo systemctl reload apache2
To automate the process of renewing a certificate and reloading Apache, you can create a simple deploy hook that Certbot will run after every successful renewal.Inside /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh, add the following:
#!/bin/sh
systemctl reload apache2
Then make the hook executable:
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh
Alternatively, you can use the --post-hook option when manually renewing:
sudo certbot renew --post-hook "systemctl reload apache2"
Certbot automatically renews certificates when they are within 30 days of expiration using its built-in systemd timer. The deploy hook above will run after each successful renewal, handling the Apache reload automatically. Apache has native Certbot plugin integration, so no additional configuration is typically needed.

What’s Next?

Nginx with Certbot

Set up ACME for Nginx web servers.

Certificate Syncs

Push certificates to cloud destinations.

Alerting

Get notified when certificates are about to expire.

ACME Enrollment

Learn more about ACME enrollment configuration.