2016-11-05-dns-01
Using dns-01
with Letsencrypt for getting certificates for VPN / intranet sites
It's a simple two-step process of building certbot locally and doing the request.
Installing and building certbot:
$ git clone https://github.com/certbot/certbot
$ cd certbot
$ cd acme
$ python setup.py install --user
$ cd ..
$ python setup.py install --user
Doing the request:
$ ~/.local/bin/certbot certonly --manual -d $DOMAIN --preferred-challenges dns-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for $DOMAIN
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y
Please deploy a DNS TXT record under the name
_acme-challenge.$DOMAIN with the following value:
<long string of text here>
Once this is deployed,
Press ENTER to continue
Now you have to add the TXT entry in your dns. Wait until it is deployed and press enter and you should be done:
Waiting for verification...
Resetting dropped connection: acme-v01.api.letsencrypt.org
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/$DOMAIN/fullchain.pem.
Your cert will expire on 2017-02-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Hopefully the dns-01 code should be released on my unstable machines before I need to renew the certificates..