How do I use EuropeanSSL with Certbot?

Unlike, for example, acme.sh, Certbot requires root privileges. Installation on shared or managed hosting is therefore generally not possible unless provided by the service provider. In this case, check whether Certbot is already pre-installed by running certbot --version. If not, we recommend using another ACME client, such as acme.sh.

The installation depends on your server's operating system. The following commands are examples for installation on Debian or other Linux distributions based on the "apt" package manager.

Choose between certbot with the Apache plugin:

sudo apt install certbot python3-certbot-apache

or with the Nginx plugin:

sudo apt install certbot python3-certbot-nginx

depending on which web server you are using.

To use EuropeanSSL with the ACME protocol, you must first create an ACME account in the Eunetic customer interface. This will provide you with credentials for the so-called "External Account Binding" (EAB), consisting of a key (HMAC Key) and a corresponding user identification (Key ID). You can find further details about EuropeanSSL ACME accounts in the FAQ entry:

 What is a EuropeanSSL ACME account and how are SSL certificates billed?

You can use EuropeanSSL as the default CA for Certbot by editing Certbot's cli.ini configuration file:

sudo nano /etc/letsencrypt/cli.ini

Add the following line to it (or replace an existing configuration of the "server" parameter):

server = https://acme.eunetic.net/dv
eab-kid = <EAB KEY ID>
eab-hmac-key = <EAB HMAC KEY>

For certificates with organization validation (OV), replace /dv with /ov.

Replace the <> placeholders with the values shown to you in our customer interface using the "EAB credentials" button.

From now on, you can retrieve and install certificates for all domains set up in your ACME account. For example, the following command retrieves a simple single certificate for the domain "yourdomain.com" and uses the Nginx plugin for automatic setup on the web server.

sudo certbot --nginx \
  --agree-tos \
  --email hostmaster@ihredomain.de \
  --d yourdomain.com \

If you are using Apache, replace --nginx with --apache.

Specifying an email address via the --email parameter is optional; if desired, you will receive notifications about upcoming renewals or error messages.

IMPORTANT: If you did not complete the optional step 3, add the following parameters to the above command:

  --server https://acme.sectigo.com/v2/DV \
  --eab-kid <EAB KEY ID> \  
  --eab-hmac-key <EAB HMAC KEY> \

The certificates are valid for a maximum of 90 days and will be automatically renewed by Certbot every 60 days, until you remove the job with sudo certbot delete or your ACME account expires.

You can combine multiple domains into one certificate by appending each of them to the command with -d yourotherdomain.com. Wildcard domains can also be included with -d '*.yourdomain.com'. However, make sure that you have previously ordered and activated all listed domains in the EuropeanSSL ACME account for the certificate request.

For more information, please refer to the official documentation.