Obtain Let's Encrypt SSL Certificate Using Manual DNS Verification

August 2, 2017

Let’s Encrypt is a free, automated, and open Certificate Authority. The easiest way to set it up is through Certbot, which requires shell/SSH access.

Besides being free, the main advantage of using a Let’s Encrypt certificate is automation (automatic renewal through a shell script).

Using certbot

Install Certbot on Ubuntu

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Obtain SSL Certificate

Certbot has Apache and nginx server plugins, which automate both obtaining and installing certs. This article focuses on getting and renewing certs without any particular web server integration.

DNS Verification

To obtain a cert using DNS verification, run the following command; it will ask for a mandatory email address. The manual option lets you do this on a machine other than your web server (e.g. when you have no shell access on the web server).

sudo certbot certonly --manual --preferred-challenges dns

Enter the domain name (I guess multiple domain names are supported)

Please enter in your domain name(s) (comma and/or space separated) 

Follow the instructions to complete the DNS verification (a TXT record at _acme-challenge.www.mydomain.com).

I created the DNS TXT entry but certbot failed to validate it (I guess DNS had not propagated yet), and it quit immediately without an option to retry. When I reran sudo certbot certonly --manual --preferred-challenges dns, the secret code had changed again.

Before proceeding with certbot DNS verification, run a check to verify that the DNS TXT entry has propagated and is visible from your machine.

dig -t txt _acme-challenge.www.mydomain.com

Success

Upon success, take note of the location of the certificate (/etc/letsencrypt/live/www.mydomain.com/fullchain.pem) and the expiry date (90 days after issuance).

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.mydomain.com/fullchain.pem. Your cert
   will expire on 2017-10-31. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"

You should have the following files in the /etc/letsencrypt/live/www.mydomain.com/ directory.

sudo ls /etc/letsencrypt/live/www.mydomain.com
# output
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

Renew SSL Certificate

Run the following command to test whether automatic renewal of the cert works properly:

sudo certbot renew --dry-run

Sadly I bumped into a renewal error: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively. With the manual plugin (instead of the Apache or nginx plugins), certbot couldn’t automatically renew because it couldn’t automatically verify through DNS; a script needs to be provided through --manual-auth-hook.

Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert from /etc/letsencrypt/renewal/www.mydomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
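As an added example (not code from the original post), the script below is a --manual-auth-hook that ties together the two points above: it publishes the TXT record for the validation value certbot hands it, then repeats the dig check recommended in the DNS Verification section until the record is actually visible from this machine, so certbot only proceeds to validate after propagation. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; publish_txt is a placeholder for your DNS provider's API, and POLL_INTERVAL and MAX_ATTEMPTS are assumed values.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot --manual-auth-hook for the
# dns-01 challenge. Certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION before
# calling the hook; publish_txt, POLL_INTERVAL and MAX_ATTEMPTS are placeholders
# or assumptions to adapt to your DNS provider.

POLL_INTERVAL=${POLL_INTERVAL:-10}   # seconds between dig checks (assumed)
MAX_ATTEMPTS=${MAX_ATTEMPTS:-30}     # give up after roughly five minutes (assumed)

# The dns-01 challenge record lives at _acme-challenge.<domain>.
acme_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Return 0 if dig's TXT output ($1) contains exactly the expected value ($2).
# dig +short prints each TXT record quoted, so strip the quotes first; -x demands a
# whole-line match, and -F with -- keep a value that starts with '-' (possible in
# a base64url token) from being read as a regex or an option.
txt_present() {
    printf '%s\n' "$1" | tr -d '"' | grep -qxF -- "$2"
}

# Query the resolver this machine uses: the same check the post recommends.
lookup_txt() {
    dig +short -t txt "$1"
}

# Poll until the expected TXT value is visible, or fail after MAX_ATTEMPTS tries.
wait_for_txt() {
    name=$1
    expected=$2
    attempt=0
    while [ "$attempt" -lt "$MAX_ATTEMPTS" ]; do
        if txt_present "$(lookup_txt "$name")" "$expected"; then
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "$POLL_INTERVAL"
    done
    return 1
}

# PLACEHOLDER: create the TXT record through your DNS provider's API or CLI.
publish_txt() {
    echo "would create TXT record $1 with value $2" >&2
}

# Only act when certbot invoked us; sourcing the file for tests skips this part.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    record=$(acme_record_name "$CERTBOT_DOMAIN")
    publish_txt "$record" "$CERTBOT_VALIDATION"
    if ! wait_for_txt "$record" "$CERTBOT_VALIDATION"; then
        echo "TXT record $record not visible after $MAX_ATTEMPTS checks; aborting" >&2
        exit 1
    fi
fi
```

Once publish_txt is filled in, request the cert with sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/auth-hook.sh -d www.mydomain.com; certbot records the hook in the renewal configuration, so certbot renew can rerun it non-interactively instead of failing with the error shown above. A matching --manual-cleanup-hook that deletes the record afterwards keeps stale _acme-challenge entries from piling up, and a non-zero exit from the hook makes certbot abort the challenge rather than fail validation with a record that has not propagated.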


This work is licensed under a
Creative Commons Attribution-NonCommercial 4.0 International License.