Let’s Encrypt certificates are commonly issued using HTTP validation, which is convenient for single-server installations. HTTP validation cannot be used for wildcard certificates, however, and it is awkward for load-balanced websites, where the validation request may be routed to a server other than the one running Certbot.
DNS validation verifies certificate requests using DNS records instead of serving content over HTTP. It’s ideal for issuing certificates for clustered web servers behind load balancers or systems not directly accessible over the internet. Wildcard certificates are also supported.
The acme-dns-certbot tool links Certbot to a third-party DNS server (an acme-dns instance) and automatically sets the validation records through its API when a certificate is requested. Certbot therefore never needs credentials for your DNS provider account or full write access to your zone: the only credential on the server can update the delegated validation records, so a compromise of that server cannot be used to rewrite the rest of the zone.
The delegation works through a CNAME record: lookups of the certificate verification name (_acme-challenge.your-domain) are redirected to the third-party DNS service, so certificate requests proceed without any manual DNS changes after the initial setup.
Acme-dns-certbot is advantageous for issuing certificates to servers behind load balancers or inaccessible via HTTP. It’s also useful for internal systems or staging environments.
This tutorial guides you in using the acme-dns-certbot hook for Certbot to issue Let’s Encrypt certificates using DNS validation.
Step 1: Installing Certbot

Add the Certbot repository:

    sudo apt-add-repository ppa:certbot/certbot

Install Certbot:

    sudo apt install certbot

Verify the installation:

    certbot --version

Step 2: Installing acme-dns-certbot

Download the acme-dns-certbot script:

    wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py

Make the script executable:

    chmod +x acme-dns-auth.py

Edit the script so that it runs under Python 3:

    nano acme-dns-auth.py

Adjust the first line to read:

    #!/usr/bin/env python3

Move the script into the Certbot directory:

    sudo mv acme-dns-auth.py /etc/letsencrypt/

Step 3: Setting Up acme-dns-certbot

Run Certbot to issue a certificate using DNS validation. The wildcard name is quoted so the shell does not expand it:

    sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d '*.your-domain' -d your-domain

On the first run the hook registers an account with the acme-dns service and prompts you to add a CNAME record that points _acme-challenge.your-domain at the hostname it allocated for you. Add that record at your DNS provider, wait for it to propagate, and then press ENTER to validate the certificate request.

Step 4: Using acme-dns-certbot

Issue or renew certificates as needed. The CNAME delegation only has to be created once per domain, so later requests need no manual DNS changes:

    sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d '*.your-domain'

Renew all certificates that are due:

    sudo certbot renew

Test renewal with a dry run:

    sudo certbot renew --dry-run

Conclusion

This article explained how to set up Certbot with acme-dns-certbot for DNS validation, which enables wildcard certificates and makes it practical to manage certificates for multiple web servers. Watch the acme-dns-certbot repository for script updates. Explore the acme-dns documentation for self-hosting options, or read the ACME DNS validation RFC for the technical details.
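Because a renewal silently fails if the _acme-challenge CNAME delegation is ever removed or repointed, a pre-flight check is worth running before certbot renew. The following Python script is an added example, not part of the original tutorial or of the acme-dns-certbot project: it reads the per-domain account data the hook saves after registering (assumed to follow the hook's storage format, by default /etc/letsencrypt/acmedns.json, with a fulldomain field), derives the CNAME each domain needs, and reports missing or wrong delegations. The sample account data, the stub resolver and the dig-based resolver are constructed here.

```python
import json
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed sample of the per-domain account data the acme-dns-auth.py hook
# saves after registering with acme-dns (assumed format; the hook's default
# storage file is /etc/letsencrypt/acmedns.json). All values here are fake.
SAMPLE_STORAGE = json.loads("""
{"your-domain": {
   "username": "00000000-0000-4000-8000-000000000001",
   "password": "fake-password-for-illustration-only",
   "fulldomain": "8e5700ea-a4bf-41c7-8a77-e990661dcc6a.auth.acme-dns.io",
   "subdomain": "8e5700ea-a4bf-41c7-8a77-e990661dcc6a",
   "allowfrom": []}}
""")

def expected_cnames(storage: Dict[str, dict]) -> Dict[str, str]:
    """Map each validation name (_acme-challenge.<domain>) to the acme-dns host
    it must CNAME to; a wildcard shares its base domain's validation name."""
    cnames = {}
    for domain, account in storage.items():
        base = domain[2:] if domain.startswith("*.") else domain
        cnames[f"_acme-challenge.{base}"] = account["fulldomain"].rstrip(".")
    return cnames

def check_delegation(storage: Dict[str, dict],
                     resolve_cname: Callable[[str], Optional[str]]) -> List[str]:
    """Return a list of problems (empty means every delegation is in place).
    resolve_cname(name) yields the CNAME target, or None if there is none."""
    problems = []
    for name, target in expected_cnames(storage).items():
        got = resolve_cname(name)
        if got is None:
            problems.append(f"{name}: no CNAME found; add CNAME -> {target}")
        elif got.rstrip(".").lower() != target.lower():
            problems.append(f"{name}: CNAME points to {got}, expected {target}")
    return problems

def stub_resolver(records: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Offline resolver backed by a dict, for tests and dry runs."""
    return lambda name: records.get(name.lower())

def dig_resolver(name: str) -> Optional[str]:
    """Live resolver using the dig CLI (needs network and the dig binary)."""
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, check=False).stdout
    parts = out.split()
    return parts[0] if parts else None
```

In production, load the real storage file with json.load and call check_delegation(storage, dig_resolver) from a cron job or the renewal pre-hook so a broken delegation is reported before the certificate expires.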