GetHTTPS and Certbot both issue free SSL certificates from Let’s Encrypt, but they take fundamentally different approaches. GetHTTPS runs in your browser — zero installation, zero server access. Certbot runs on your server as a command-line tool with automatic renewal and web server integration.
Both tools produce the exact same Let’s Encrypt certificates. The difference is entirely in how you get there. This guide compares every dimension so you can pick the right tool for your situation.
What is GetHTTPS?
GetHTTPS is a browser-based ACME client. You open a web page, enter your domain, complete a challenge, and download your certificate files. No software to install, no account to create, no server access needed.
Your private key is generated in your browser using the Web Crypto API and never leaves your device — not even to GetHTTPS’s servers. The tool talks directly to Let’s Encrypt’s ACME API with no proxy or middleware.
GetHTTPS is free to use.
What is Certbot?
Certbot is the official ACME client recommended by Let’s Encrypt, maintained by the Electronic Frontier Foundation (EFF). It’s a command-line Python tool that runs on your server, obtains certificates, configures your web server, and handles automatic renewal.
Certbot requires root/sudo access and is typically installed via snap, pip, or Docker. It’s open source (Apache 2.0 license) and free.
Full comparison table
| Feature | GetHTTPS | Certbot |
|---|---|---|
| Runs in | Browser tab | Server command line |
| Installation | None — open a URL | snap, pip, or Docker |
| Server access needed | No | Yes (root/sudo) |
| Operating system | Any (just a browser) | Linux, macOS (Windows dropped) |
| Private key generation | Browser (Web Crypto API) | Server (OpenSSL/Python) |
| Private key storage | Downloaded by you | /etc/letsencrypt/ on server |
| Auto-renewal | ❌ Manual re-visit | ✅ systemd timer / cron |
| Web server auto-config | ❌ Manual | ✅ Nginx/Apache plugins |
| Challenge types | HTTP-01, DNS-01 | HTTP-01, DNS-01, TLS-ALPN-01 |
| Pre-check before submit | ✅ | ❌ |
| Wildcard support | ✅ (DNS-01) | ✅ (DNS-01) |
| Multi-domain (SAN) | ✅ (up to 100) | ✅ (up to 100) |
| ECDSA keys | ✅ P-256 (default) | ✅ (flag required) |
| Dependencies | None | Python, snapd, or Docker |
| Certificate authority | Let’s Encrypt | Let’s Encrypt (default), others |
| Open source | No | Yes (Apache 2.0) |
| Price | Free | Free |
When to use GetHTTPS
You don’t have SSH access to the server
This is the most clear-cut scenario. Shared hosting, managed WordPress, a server behind a corporate firewall — if you can’t install software, GetHTTPS is your only browser-based option that keeps private keys local.
You get the certificate files (privkey.pem, fullchain.pem) and upload them through whatever method your host provides: cPanel, Plesk, FTP, or a file manager.
You want zero installation and zero dependencies
Open a browser tab, get your certificate, done. No Python version conflicts, no snap confinement issues, no Docker images. If you’ve ever spent 30 minutes debugging why certbot won’t install on your system, you know why this matters.
GetHTTPS works on any operating system with a modern browser — including Windows, macOS, ChromeOS, and even a tablet in a pinch.
You want maximum control over your private key
GetHTTPS generates the private key in your browser using the Web Crypto API. The key exists only in browser memory until you click download. It’s never written to disk on any server, never transmitted over the network, never stored anywhere you can’t see.
With Certbot, the key is generated on the server and stored at /etc/letsencrypt/live/yourdomain/privkey.pem. This is fine if you trust the server — but anyone with root access can read it. In cloud environments with shared infrastructure, this matters.
You’re getting a certificate for someone else
DevOps generating a cert for a client’s server. Helping a non-technical teammate. Getting a certificate for a server you don’t manage. GetHTTPS lets you generate the cert and hand over the files without accessing the other person’s server.
You need a quick one-off certificate
Staging environment. Test deployment. New project where you haven’t set up automation yet. GetHTTPS gets you a cert in 3-5 minutes with zero setup overhead.
When to use Certbot
You want automatic renewal (the #1 reason)
Certbot’s killer feature: a systemd timer (or cron job) that renews certificates before they expire. No manual intervention, no forgotten renewals, no 3 AM scrambles when a cert expires on a Friday.
# Certbot checks twice daily, renews if within 30 days of expiry
sudo systemctl list-timers | grep certbot
# NEXT LEFT UNIT
# 2026-05-08 14:22:00 UTC 3h left snap.certbot.renew.timerWith Let’s Encrypt’s 90-day validity (and the upcoming 47-day validity), auto-renewal isn’t a nice-to-have — it’s essential for production servers.
You want automatic web server configuration
Certbot’s --nginx and --apache plugins modify your server config to enable HTTPS — including SSL directives, redirects, and recommended cipher settings. One command does everything:
# Certbot obtains cert AND configures Nginx
sudo certbot --nginx -d example.com -d www.example.com
# What it does behind the scenes:
# 1. Generates a key pair
# 2. Proves domain control (HTTP-01 on port 80)
# 3. Gets the certificate from Let's Encrypt
# 4. Writes ssl_certificate/ssl_certificate_key to your Nginx config
# 5. Adds a redirect from HTTP to HTTPS
# 6. Reloads NginxWith GetHTTPS, you do all of this manually — get the cert, upload the files, edit the config, set up the redirect, reload the server. More control, but more work.
You manage infrastructure at scale
Certbot can be scripted, containerized, and deployed with configuration management tools:
# Ansible playbook snippet
- name: Install certbot
snap:
name: certbot
classic: true
- name: Get certificate
command: certbot --nginx -d {{ domain }} --non-interactive --agree-tos -m {{ email }}For 10+ servers, scripted Certbot is faster than visiting GetHTTPS for each one.
You need TLS-ALPN-01 challenges
This challenge type validates over port 443 without file placement or DNS modification. It’s useful when port 80 is blocked and you can’t modify DNS. Only CLI clients (Certbot, acme.sh) support it — browser-based clients don’t.
Installation comparison
GetHTTPS — zero steps
Open gethttps.com/app/setup in your browser.That’s it. Works right now, on any device, with no prior setup.
Certbot — several steps depending on OS
Ubuntu/Debian (snap — recommended by Certbot):
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbotpip (any Linux, when snap isn’t available):
sudo pip install certbot certbot-nginxDocker (isolation from system packages):
docker run -it --rm \
-v /etc/letsencrypt:/etc/letsencrypt \
-v /var/www/html:/var/www/html \
certbot/certbot certonly --webroot -w /var/www/html -d example.comAmazon Linux 2023:
sudo dnf install certbot python3-certbot-nginxCommon installation issues:
- snap confinement errors on non-standard Linux installs
- Python version conflicts with pip install
- Missing
python3-certbot-nginxplugin package - Permission errors requiring sudo/root
GetHTTPS avoids all of these — no installation means no installation problems.
Workflow comparison
Getting a certificate with GetHTTPS
- Open gethttps.com/app/setup
- Enter your domain(s)
- Choose HTTP-01 or DNS-01 challenge
- Place the challenge file or add the DNS record
- GetHTTPS pre-checks the challenge before submitting (catches errors early)
- Download
privkey.pem,cert.pem,chain.pem,fullchain.pem - Upload to your server
- Configure your web server (Nginx, Apache, others)
- Set up HTTP→HTTPS redirect
Time: 5-10 minutes first time, 3-5 minutes for renewals.
Getting a certificate with Certbot
Auto-config mode (most common):
sudo certbot --nginx -d example.com -d www.example.comStandalone mode (no web server integration):
sudo certbot certonly --standalone -d example.comWebroot mode (server keeps running):
sudo certbot certonly --webroot -w /var/www/html -d example.comDNS challenge (wildcards):
sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com"Time: 2-5 minutes (after installation is done).
Privacy and security comparison
| Aspect | GetHTTPS | Certbot |
|---|---|---|
| Private key generation | Browser (Web Crypto API) | Server (OpenSSL via Python) |
| Key exists on | Your download folder only | Server filesystem |
| Key exposed to | Only you | Anyone with root on the server |
| ACME communication | Browser → Let’s Encrypt (direct HTTPS) | Server → Let’s Encrypt (direct HTTPS) |
| Proxy/middleware | None | None |
| Account data | In-browser, no email needed | On-server, email optional |
| Telemetry | None | EFF email signup prompt (skippable) |
| Code audit | Browser-only, inspectable via DevTools | Apache 2.0, ~50K LOC Python |
Bottom line: Both connect directly to Let’s Encrypt with no middleman. The security difference is where the private key lives. With GetHTTPS, you download it and decide. With Certbot, it stays on the server — normal for server-managed certs, but means the key is accessible to anyone with system access.
Renewal comparison
| GetHTTPS | Certbot | |
|---|---|---|
| Process | Re-visit the site, complete new challenge, replace files | Automatic (systemd timer checks twice daily) |
| Human effort | 3-5 min per renewal | Zero after initial setup |
| Failure detection | You notice when the site breaks | Logs + optional email alerts |
| Renewal frequency | Every 60-90 days (manual) | Every 60 days (automatic) |
| With 47-day certs (2029) | Every ~30 days manual — painful | Still automatic — no change |
This is Certbot’s biggest advantage. For production servers, automatic renewal is not optional.
The hybrid approach (best of both worlds)
Many teams use both tools:
- GetHTTPS for the first certificate — Zero setup time. Get HTTPS working in 5 minutes without installing anything on the server.
- Certbot for ongoing renewal — Once the server is configured and stable, install Certbot for automatic renewal.
This is especially common in the “get it working now, automate later” workflow. You don’t need to choose one forever — the PEM files are standard format, and Certbot can renew a domain originally certified by GetHTTPS.
The verdict
| Your situation | Recommended tool | Why |
|---|---|---|
| No SSH/root access (shared hosting) | GetHTTPS | Only option without server access |
| Quick one-off certificate | GetHTTPS | Faster than installing Certbot |
| Maximum private key privacy | GetHTTPS | Key never on any server |
| Getting cert for someone else | GetHTTPS | No access to their server needed |
| Production server, long-term | Certbot | Auto-renewal is essential |
| Nginx/Apache auto-configuration | Certbot | One command does everything |
| Managing 10+ servers | Certbot | Scriptable and automatable |
| First time setup + long term | Both | GetHTTPS to start, Certbot to maintain |
Both tools are free and produce identical Let’s Encrypt certificates. Certbot is open source (Apache 2.0). GetHTTPS is free but not open source — though as a browser-based tool, its JavaScript is inspectable via DevTools. The certificate itself is the same — cert.pem from GetHTTPS is byte-for-byte equivalent to what Certbot produces for the same domain. The difference is entirely in the workflow.
Start with GetHTTPS if you want to get HTTPS working right now: gethttps.com/app/setup
Add Certbot later if you need automatic renewal: certbot.eff.org
Frequently asked questions
Is GetHTTPS as reliable as Certbot?
Both tools talk to the same Let’s Encrypt ACME API and produce the same certificates. GetHTTPS adds a pre-check step that validates your challenge configuration before submitting — this catches errors that Certbot only discovers after the challenge fails and a rate limit attempt is consumed.
Can I switch from GetHTTPS to Certbot (or back)?
Yes. The certificate files are standard PEM format. You can generate a certificate with GetHTTPS today and set up Certbot for renewal tomorrow — or use Certbot for years and switch to GetHTTPS when you need a quick re-issue without server access. The tools don’t conflict and don’t know about each other.
Does GetHTTPS support automatic renewal?
No. GetHTTPS is designed for manual, on-demand certificate issuance. If you need auto-renewal, use Certbot or acme.sh on the server. The hybrid approach (GetHTTPS first, Certbot for renewal) gives you the best of both.
Is Certbot hard to install?
It depends on your system. On modern Ubuntu, sudo snap install --classic certbot works in 10 seconds. On older systems, custom environments, or non-standard Linux, Python dependency conflicts are common. GetHTTPS avoids installation entirely — no install means no install problems.
What about acme.sh as an alternative?
acme.sh is a shell-script ACME client that doesn’t require root and has 150+ DNS API plugins. It sits between GetHTTPS (simplicity) and Certbot (automation). If you want CLI automation without root and with better DNS integration, acme.sh is worth considering.
What happens when certificate validity drops to 47 days?
The CA/Browser Forum voted to reduce max validity to 47 days by 2029. This makes Certbot’s auto-renewal even more important — renewing manually every 30 days is doable but tedious. GetHTTPS will still work for one-off certs, emergency renewals, and no-access scenarios, but won’t replace automated renewal as the primary method for production sites.
Which is more secure?
Both are secure. The certificates are identical. The main security difference:
- GetHTTPS: Private key never exists on any server (generated in browser, downloaded by you)
- Certbot: Private key lives on the server filesystem (readable by root)
For most setups, Certbot’s on-server key is fine. For high-security scenarios where you want to minimize key exposure, GetHTTPS’s browser-only model is stricter.
Can Certbot do wildcard certificates?
Yes, via DNS-01 challenge. But Certbot’s wildcard workflow is more manual than its HTTP-01 workflow — you need to add a DNS TXT record and may need a DNS plugin. GetHTTPS handles wildcard certificates the same way (guide).