2016-11-05-dns-01


Using dns-01 with Letsencrypt for getting certificates for VPN / intranet sites

It's a simple two-step process of building certbot locally and doing the request.

Installing and building certbot:

$ git clone https://github.com/certbot/certbot
$ cd certbot
$ cd acme
$ python setup.py install --user
$ cd ..
$ python setup.py install --user

Doing the request:

$ ~/.local/bin/certbot certonly --manual -d $DOMAIN --preferred-challenges dns-01
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for $DOMAIN

    -------------------------------------------------------------------------------
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.

    Are you OK with your IP being logged?
    -------------------------------------------------------------------------------
    (Y)es/(N)o: y
    Please deploy a DNS TXT record under the name
    _acme-challenge.$DOMAIN with the following value:

    <long string of text here>

    Once this is deployed,
    Press ENTER to continue

Now add the TXT record to your DNS zone. Wait until it has been deployed, press Enter, and you should be done:

    Waiting for verification...
    Resetting dropped connection: acme-v01.api.letsencrypt.org
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
         /etc/letsencrypt/live/$DOMAIN/fullchain.pem.
         Your cert will expire on 2017-02-03. To obtain a new or tweaked
         version of this certificate in the future, simply run certbot
         again. To non-interactively renew *all* of your certificates, run
         "certbot renew"
     - If you like Certbot, please consider supporting our work by:

         Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
         Donating to EFF:                    https://eff.org/donate-le
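Before pressing Enter at the "Once this is deployed" prompt, it is worth confirming that the TXT record is actually being served, since Let's Encrypt resolves it from its own vantage point and a stale answer from your local resolver's cache proves nothing. The following is an added example, not part of the original post or of certbot: a standard-library Python check that sends a TXT query for the challenge name directly to a nameserver you choose (ideally one of the zone's authoritative servers) and reports whether the expected value is among the answers. The domain, the challenge value and the nameserver address are placeholders you substitute.

```python
import random
import socket
import struct

def build_txt_query(name, qid=None):
    """Minimal DNS query (recursion desired) for the TXT records of `name`."""
    qid = random.randrange(1 << 16) if qid is None else qid
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 16, 1)  # QTYPE=TXT, QCLASS=IN

def _skip_name(msg, off):
    """Offset just past a domain name; a 0xC0.. pointer ends the name in 2 bytes."""
    while msg[off] != 0 and msg[off] < 0xC0:
        off += 1 + msg[off]
    return off + (1 if msg[off] == 0 else 2)

def parse_txt_answers(msg):
    """TXT strings from the answer section; raises on a non-zero RCODE."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("DNS error, RCODE=%d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):          # skip the echoed question section
        off = _skip_name(msg, off) + 4
    values = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 16:               # TXT RDATA: sequence of <len><chars>
            rd, p, parts = msg[off:off + rdlen], 0, []
            while p < rdlen:
                parts.append(rd[p + 1:p + 1 + rd[p]].decode("ascii"))
                p += 1 + rd[p]
            values.append("".join(parts))
        off += rdlen
    return values

def txt_record_deployed(name, expected, nameserver, timeout=3.0):
    """Query `nameserver` (an IP address) directly; True if `expected` is served."""
    query = build_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (nameserver, 53))
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != query[:2]:         # transaction id must match our query
        raise ValueError("DNS response id mismatch")
    return expected in parse_txt_answers(resp)
```

Call it as `txt_record_deployed("_acme-challenge." + domain, value, "<authoritative NS IP>")` for each authoritative nameserver and only press Enter once all of them return True.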

Hopefully the dns-01 code should be released on my unstable machines before I need to renew the certificates.