Generate Let’s Encrypt Certificate with DNS Challenge and Namecheap

Ong Khai Wei
3 min readJul 10, 2021

I tend to ensure the application or service endpoint that exposed to internet is secure in connection. I have been using Let’s Encrypt to generate the certificate for past year, however the process is tedious. A simple web application needs to be developed with generated token in order to accept the challenge (domain verification) by Let’s Encrypt server. Recently I only discovered a new method, which is using DNS challenge. This drastically simplifies the domain verification process to get or to renew the certificate.

Step 1 — Install Let’s Encrypt Certbot

Let’s Encrypt provides CLI namely Certbot to generate the certificate

sudo apt install certbot

Step 2 — Generate new certificate using Certbot

The command to generate the cert is relatively simple. You can do for single domain, for multiple domains then just needs to append -d DOMAIN. In this case I used *.DOMAIN so that the certificate can be used for subdomain as well. The wizard will ask for a few simple information.

sudo certbot certonly --manual --preferred-challenges dns -d "*.DOMAIN"

Step3 — Setting DNX TXT ACME Challenge in Namecheap

Once Y is entered in the previous step, Certbot will revert with ACME challenge token to be configured in DNS provider to allow verification. Copy the token and insert as TXT record in DNS console of Namecheap.

Please set TTL to 1 minute to allow Top-level DNS servers to pick up this new subdomain — _acme-challenge.DOMAIN. You can verify this DNS TXT record using nslookup before proceed with verification.

nslookup -type=TXT _acme-challenge.DOMAIN

Step 4 — Verify the domain challenge

Press Enter and Certbot will continue with the verification process.

Step 5 — Retrieve the certificate

You will hit permission error when trying to retrieve the file. This is due to folder permission of /etc/letsencrypt/liveis set to root. Therefore we can set permission to allow other users to read via sudo chmod +x /etc/letsencrypt/live

After that you can extract the fullchain.pem and privkey.pem for ingress / route / web server configuration.