How to issue Let's Encrypt certificates using Certbot with DNS validation

Case

You need to issue a SAN (Subject Alternative Name) or wildcard TLS certificate from Let's Encrypt. You have a Windows or Linux machine without any web server installed. You only have one or more registered DNS domains for which you have access to the authoritative DNS server zones. All you need to do is issue Let's Encrypt certificates using Certbot with DNS validation.

Solution

Let's Encrypt certificates can be issued with the Certbot tool (provided by the EFF, the Electronic Frontier Foundation) by anyone who wishes to obtain a free Let's Encrypt certificate. The Certbot tool offers very detailed documentation. Certbot is a CLI tool which comes with a variety of command parameters to match all possible configurations. Unless you have a web server installed (Apache, Nginx, IIS, etc.) you cannot use the relevant command parameters that rely on an existing online web server to validate your DNS domains. In this case, if you simply own a few DNS domains and have access to their authoritative DNS server zones, you will have to use a Certbot DNS plugin. A DNS plugin allows you to validate ownership of your DNS domains without an active web server. Alternatively, you can use the Certbot manual certificate issuance method by passing the --preferred-challenges parameter with the value "dns". Also bear in mind that auto-renewal of --manual certificates requires an authentication hook script (--manual-auth-hook). Unless you provide the --manual-auth-hook parameter, you will have to repeat the same manual certbot issuance before the current certificate's expiry date.

Carry out the following step-by-step procedure to issue your certificate using Certbot with DNS validation:

  1. Download and install the Certbot CLI tool by following the instructions for your operating system: https://certbot.eff.org/.
  2. Install any additional Certbot plugins required by your usage scenario, e.g. the Certbot DNS plugins.
  3. Run the suitable certbot commands for your scenario. Consult the Certbot certificate issuance guide for details and options: https://certbot.eff.org/docs/using.html.
  4. After your Let's Encrypt certificate files are generated (.pem, .cer and .key files), they will be available in a Let's Encrypt folder. On Linux this folder is usually /etc/letsencrypt/live. In order to access the certificate files, you will have to run the following command:

     sudo chmod 755 /etc/letsencrypt/live/[your certificates folder goes here]

     You may also need to run a few more commands to resolve any permissions-related errors. Consult the following article for relevant options: https://stackoverflow.com/questions/48078083/lets-encrypt-ssl-couldnt-start-by-error-eacces-permission-denied-open-et
  5. At this point you will probably need to convert your Let's Encrypt certificate from .pem/.cer to .pfx format, which will include the private key as well. Run the following command (you will need to install OpenSSL if you don't already have it installed):

     openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem

     Consult the following Let's Encrypt community article for more details: https://community.letsencrypt.org/t/how-to-get-from-pem-to-pfx/59961/3
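The --manual-auth-hook approach described in the Solution section above, as an added example that is not part of the original article or of Certbot itself: a hook script that publishes the DNS-01 challenge TXT record on your authoritative server with an RFC 2136 dynamic update (nsupdate) and waits until the server answers for it before returning, so certbot does not ask Let's Encrypt to validate a record that does not exist yet. The DNS server name, the TSIG key path and the certbot command line shown in the comments are assumptions.

```shell
#!/bin/sh
# Hypothetical certbot --manual-auth-hook for the DNS-01 challenge (added example, not Certbot's code).
# Invoke it with, e.g. (assumed paths and names):
#   certbot certonly --manual --preferred-challenges dns \
#       --manual-auth-hook /etc/letsencrypt/acme-dns-hook.sh -d example.com -d '*.example.com'
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook. For a wildcard
# name certbot passes the base domain, so the same _acme-challenge record is used.
# Assumptions: an RFC 2136-capable authoritative server ($DNS_SERVER), a TSIG key
# file ($TSIG_KEY), and the nsupdate and dig utilities installed.
set -eu

DNS_SERVER="${DNS_SERVER:-ns1.example.net}"          # assumed primary DNS server
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/tsig.key}"     # assumed TSIG key file path
TTL=60                                                # short TTL: the token is temporary

# Name Let's Encrypt queries for DNS-01: _acme-challenge.<domain> (a leading "*." is dropped).
acme_record_name() {
    printf '_acme-challenge.%s' "${1#\*.}"
}

# Build the nsupdate batch that adds one TXT record holding the validation token.
# A matching --manual-cleanup-hook would send "update delete <name>. TXT" instead.
nsupdate_script() {
    printf 'server %s\nupdate add %s. %s IN TXT "%s"\nsend\n' "$DNS_SERVER" "$1" "$TTL" "$2"
}

# Poll the authoritative server until the TXT record is visible, so certbot does not
# ask Let's Encrypt to validate before the record exists. Returns 1 after $3 attempts.
wait_for_txt() {
    name="$1"; token="$2"; tries="${3:-30}"
    while [ "$tries" -gt 0 ]; do
        if dig +short @"$DNS_SERVER" TXT "$name" | grep -qxF -- "\"$token\""; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 2
    done
    return 1
}

main() {
    name="$(acme_record_name "$CERTBOT_DOMAIN")"
    nsupdate_script "$name" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
    wait_for_txt "$name" "$CERTBOT_VALIDATION"
}

# Run only when certbot invokes the script (it sets CERTBOT_DOMAIN), not when sourced.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main
fi
```

A non-zero exit from the hook makes certbot abort the authorization, which is the desired outcome when the record never becomes visible.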
