How To Get Certificates From Let’s Encrypt with Certbot and DNS challenge

Let’s Encrypt is a certificate authority that issues free TLS certificates through an automated API (the ACME protocol). The most popular Let’s Encrypt client is EFF’s Certbot. The certificates are publicly trusted, so they are suitable for test systems and for production alike. If a web server is already running on the host, you can simply run Certbot with the instructions for your server and it will obtain (and optionally install) the certificate automatically:

https://certbot.eff.org/instructions?

To get a certificate on a host with no web server (or for a name that is not reachable over HTTP from the internet), you validate the domain with the DNS challenge instead: you prove control of the domain by publishing TXT records. First install Certbot (on RHEL/CentOS the package comes from the EPEL repository):

yum install certbot

Now you can request a certificate. With no DNS-provider plugin installed, the DNS challenge is driven by the manual authenticator; note that --standalone spins up a temporary web server and only serves the HTTP challenge, so it cannot be combined with --preferred-challenges dns. For a subdomain together with its apex domain:

certbot certonly --manual --preferred-challenges dns --debug-challenges -d sub_domain.your_domain_name -d your_domain_name

So to get certificate to www.example.com :

certbot certonly --manual --preferred-challenges dns --debug-challenges -d www.example.com -d example.com

Certbot then asks you to create one DNS TXT record per requested name, using the record names and values it prints during the wizard (the values are random per request, so yours will differ from the ones shown here):

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.example.

with the following value:

EjgxncutdNPNw_A71Oqc3dCYrgBCqXjmTwBLIC_iAb8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.example.com

with the following value:

vPhEwjMg3C4j-N-UF8DyFzR5hVV2OONgvpNYzILJAbU

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.g-cloud.co.il.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

Once the records are published and Let’s Encrypt has verified them, Certbot writes the certificate and private key under /etc/letsencrypt/live/<your-domain>/:

...
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your-domain/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your-domain/privkey.pem
...

Depending on the Certbot version, the live/ and archive/ directories are created accessible to root only, and the files under live/ are symlinks into /etc/letsencrypt/archive/. If a service that does not run as root has to read the certificate, it needs traverse (execute) permission on both directories, for example:

chmod +x /etc/letsencrypt/live

Be aware that chmod +x without a who-specifier grants the bit to owner, group and others (subject to umask), and archive/ needs the same treatment. Never make privkey.pem itself world-readable: either let the service load the key as root before dropping privileges, or copy the key into a location owned by the service user with a restrictive mode from a Certbot deploy hook.
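The copy-with-restricted-permissions approach, as an added example that is not part of the original post: a POSIX shell script usable as a Certbot --deploy-hook (certbot renew --deploy-hook /path/to/script). Certbot exports RENEWED_LINEAGE, the live/<name> directory of the renewed certificate, to deploy hooks. The destination directory /etc/app/tls, the service user app and the systemd unit name app are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot --deploy-hook that
# hands a renewed certificate to a service running as an unprivileged user
# without loosening permissions on /etc/letsencrypt.
# Assumptions: DEST_DIR /etc/app/tls, service user "app", systemd unit "app".
set -eu

DEST_DIR="${DEST_DIR:-/etc/app/tls}"

# Copy one file with an explicit mode (install ignores umask); owner/group are
# applied only when given, which needs root (certbot renew normally runs as root).
install_cert_file() {
    src="$1"; dst="$2"; mode="$3"; owner="${4:-}"
    install -m "$mode" "$src" "$dst"
    if [ -n "$owner" ]; then chown "$owner" "$dst"; fi
}

# Return 0 if the "other" read bit is NOT set on the file: the private key
# must never be world-readable.
not_world_readable() {
    [ -z "$(find "$1" -prune -perm -o=r)" ]
}

# Copy fullchain.pem and privkey.pem out of a lineage directory and verify
# the key copy is not world-readable.
deploy_lineage() {
    lineage="$1"; dest="$2"; owner="${3:-}"
    mkdir -p "$dest"
    # The chain is public data; world-readable is fine.
    install_cert_file "$lineage/fullchain.pem" "$dest/fullchain.pem" 0644 "$owner"
    # The key is readable by the service owner/group only.
    install_cert_file "$lineage/privkey.pem" "$dest/privkey.pem" 0640 "$owner"
    not_world_readable "$dest/privkey.pem"
}

# Only act when invoked by certbot (RENEWED_LINEAGE is set), so the functions
# can also be sourced stand-alone.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_lineage "$RENEWED_LINEAGE" "$DEST_DIR" "app:app"
    # Make the service pick up the new files (assumption: systemd unit "app").
    systemctl reload app
fi
```

The hook runs only after a successful renewal, so a failed DNS challenge never leaves the service with a half-updated key pair; the final permission check makes the hook fail loudly (and thus visible in the certbot log) if the key copy ever ends up world-readable.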

To renew, run certbot renew; add --dry-run first to test the renewal against the staging environment without issuing anything:

certbot renew --dry-run

Certificates obtained with --manual cannot be renewed unattended, because somebody has to publish the new TXT records; to automate this, supply a script via --manual-auth-hook that creates the record for your DNS provider. If your provider has no usable API, acme-dns-certbot is one such hook: it delegates _acme-challenge.<domain> to an acme-dns server with a CNAME record and updates that server instead.
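The record check recommended in the wizard output above and the auth hook needed for unattended renewal, as one added example that is not part of the original post: a POSIX shell script usable as certbot --manual-auth-hook. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; the script publishes the TXT record and then polls a public resolver until the record is visible, so Certbot only continues when the CA can actually see it. publish_txt is a placeholder for your DNS provider's API or CLI call, and the resolver address 1.1.1.1 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot --manual-auth-hook
# for the dns-01 challenge. certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION.
# Assumptions: publish_txt is a placeholder for the DNS-provider update, and
# RESOLVER defaults to 1.1.1.1.
set -eu

# Name of the TXT record certbot expects for a domain.
acme_txt_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Return 0 if the expected value appears among TXT answers read from stdin
# (dig +short output, one double-quoted string per line).
txt_value_present() {
    expected="$1"
    while IFS= read -r line; do
        line=${line#\"}
        line=${line%\"}
        [ "$line" = "$expected" ] && return 0
    done
    return 1
}

# Query a public resolver, i.e. the answer the CA will see, not the local cache.
lookup_txt() {
    dig +short TXT "$1" @"${RESOLVER:-1.1.1.1}"
}

# Poll until the record is visible or the attempts are exhausted.
wait_for_txt() {
    name="$1"; value="$2"; attempts="${3:-30}"; delay="${4:-10}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if lookup_txt "$name" | txt_value_present "$value"; then
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# Placeholder (assumption): create the TXT record at your DNS provider,
# e.g. your-dns-cli add-txt "$1" "$2".
publish_txt() {
    echo "Create TXT $1 = $2 at your DNS provider" >&2
}

main() {
    name=$(acme_txt_name "$CERTBOT_DOMAIN")
    publish_txt "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION" || {
        echo "TXT record for $name not visible from resolver; aborting" >&2
        exit 1
    }
}

# Only run main when invoked by certbot (CERTBOT_DOMAIN is set), so the
# functions can also be sourced and exercised stand-alone.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main
fi
```

Use it with certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/script -d www.example.com -d example.com; certbot calls the hook once per name, and because the hook exits non-zero when the record never becomes visible, a broken DNS update fails the request instead of burning a validation attempt against the rate limits. A matching --manual-cleanup-hook should delete the record afterwards.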

Good Luck
