I tend to ensure the application or service endpoint that exposed to internet is secure in connection. I have been using Let’s Encrypt to generate the certificate for past year, however the process is tedious. A simple web application needs to be developed with generated token in order to accept the challenge (domain verification) by Let’s Encrypt server. Recently I only discovered a new method, which is using DNS challenge. This drastically simplifies the domain verification process to get or to renew the certificate.
Step 1 — Install Let’s Encrypt Certbot
Let’s Encrypt provides CLI namely
Certbot to generate the certificate
sudo apt install certbot
Step 2 — Generate new certificate using Certbot
The command to generate the cert is relatively simple. You can do for single domain, for multiple domains then just needs to append
-d DOMAIN. In this case I used
*.DOMAIN so that the certificate can be used for subdomain as well. The wizard will ask for a few simple information.
sudo certbot certonly --manual --preferred-challenges dns -d "*.DOMAIN"
Step3 — Setting DNX TXT ACME Challenge in Namecheap
Once Y is entered in the previous step,
Certbot will revert with ACME challenge token to be configured in DNS provider to allow verification. Copy the token and insert as TXT record in DNS console of Namecheap.
Please set TTL to 1 minute to allow Top-level DNS servers to pick up this new subdomain —
_acme-challenge.DOMAIN. You can verify this DNS TXT record using
nslookup before proceed with verification.
nslookup -type=TXT _acme-challenge.DOMAIN
Step 4 — Verify the domain challenge
Press Enter and
Certbot will continue with the verification process.
Step 5 — Retrieve the certificate
You will hit permission error when trying to retrieve the file. This is due to folder permission of
/etc/letsencrypt/liveis set to root. Therefore we can set permission to allow other users to read via
sudo chmod +x /etc/letsencrypt/live
After that you can extract the
privkey.pem for ingress / route / web server configuration.