It`s simple when you know how ! CentOS,Linux,Operating Systems,Tech,Tutorials How To Get Certificates From Let’s Encrypt with Certbot and DNS challenge

How To Get Certificates From Let’s Encrypt with Certbot and DNS challenge

Let’s Encrypt is a service offering free SSL certificates through an automated API. The most popular Let’s Encrypt client is EFF’s Certbot. And we gan get certificate for all propose mostly for testing but it can be also for production environment. if you have web server on the server you can just execute the Certbot for every scenario and you will get the cert automatically :

https://certbot.eff.org/instructions?

But to get Certificate without web server you will need to valid your domain with DNS Text keys , first install Certbot :

yum install certbot

Now you will be able to execute requests with Certbot, for example to get certificate to webserver :

certbot certonly --standalone  --preferred-challenges dns --debug-challenges -d \sub_domain.your_domain_name -d your_domain_name

So to get certificate to www.example.com :

certbot certonly --standalone  --preferred-challenges dns --debug-challenges -d \www.example.com -d example.com

You will need to create DNS TXT record with to keys that will be provided during the wizrad

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.example.

with the following value:

EjgxncutdNPNw_A71Oqc3dCYrgBCqXjmTwBLIC_iAb8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.example.com

with the following value:

vPhEwjMg3C4j-N-UF8DyFzR5hVV2OONgvpNYzILJAbU

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.g-cloud.co.il.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

After setting the DNS records you will get the certificate to the folder :

...
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your-domain/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your-domain/privkey.pem
...

Next you will need to give access permission to that folder :

chmod +x /etc/letsencrypt/live

In order to update the certificate you can run :

certbot renew --dry-run

It should works but some time you will need to install the acme-dns-certbot

Good Luck

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post