Getting SSL certificates via DNS verification
SSL/TLS certificates are essential for securing websites with HTTPS. Let's Encrypt issues them free of charge, and one of the most flexible ways to obtain them is DNS verification (the ACME DNS-01 challenge). It is the method to use when HTTP validation is impossible, and the only method that can issue wildcard certificates.
Why DNS Verification?
DNS verification works by proving you control the domain through DNS records rather than requiring access to a web server. This is ideal for:
- Internal servers not accessible from the internet
- Wildcard certificates (*.example.com)
- Servers behind firewalls or NAT
- Obtaining certificates before the web server is set up
Prerequisites
Before starting, ensure you have:
- Root or sudo access to a Linux server
- Access to your domain's DNS management interface
- Control of the DNS zone for the domain. With DNS verification the name does not have to resolve to the server at all, and the server does not have to be reachable from the internet
Installation
First, install certbot. The manual DNS challenge used below is built into certbot itself, so no extra plugin package is needed:
apt install certbot
Note: On some distributions the package might be named differently, or the packaged certbot may be old; the certbot project recommends its snap package in that case. Use apt search certbot to see what is available, including the DNS provider plugins (python3-certbot-dns-*) used for automated renewal later.
Obtaining the Certificate
Run certbot with the manual authenticator and the DNS challenge:
certbot -d domain.com --preferred-challenges dns --manual certonly
Replace domain.com with your actual domain. For a wildcard certificate, use -d '*.domain.com' -d domain.com to cover both the wildcard and the root domain; quote the wildcard so the shell does not expand it. Both names are validated under the same record name, _acme-challenge.domain.com, so certbot will ask you for two TXT records there, one after the other.
The Verification Process
Certbot will pause and display instructions asking you to create a TXT record in your DNS. The output will look something like:
Please deploy a DNS TXT record under the name
_acme-challenge.domain.com with the following value:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Before continuing, verify the record is deployed.
Important: Do not press Enter until the DNS record is actually visible. Let's Encrypt queries your authoritative nameservers directly, from several vantage points, so the record must be served by all of them; that can take anywhere from a few seconds to several minutes depending on your DNS provider.
Creating the DNS Record
- Log in to your DNS provider's management interface
- Navigate to the DNS records for your domain
- Create a new TXT record with:
  - Name: _acme-challenge (or _acme-challenge.domain.com if your provider expects the full name)
  - Type: TXT
  - Value: the string provided by certbot
  - TTL: 300 (or the lowest value your provider allows)
- Save the record
Verifying DNS Propagation
Before continuing with certbot, verify the DNS record has propagated:
dig _acme-challenge.domain.com TXT +short
Your local resolver may hand back a cached answer, including a cached "no such record" from an earlier attempt, so also ask one of the domain's authoritative nameservers directly: list them with dig domain.com NS +short and query one of them with dig @<that nameserver> _acme-challenge.domain.com TXT +short. That is the view Let's Encrypt will get.
Or use an online tool like whatsmydns.net to check from multiple locations worldwide.
Once the TXT record value returned by the authoritative servers matches what certbot provided, press Enter in the certbot terminal to continue.
Certificate Location
If successful, certbot will save your certificates to:
/etc/letsencrypt/live/domain.com/fullchain.pem
/etc/letsencrypt/live/domain.com/privkey.pem
These are symlinks to the versioned files under /etc/letsencrypt/archive/, which allows certbot to manage renewals without breaking your configuration. Point your services at the live/ paths rather than copying the files, and keep privkey.pem readable by root only; if a service running as another user needs it, use a --deploy-hook to install a copy with the right ownership instead of loosening the permissions in /etc/letsencrypt.
Common Pitfalls
DNS propagation delays: Always verify the TXT record is visible before continuing. Rushing this step will cause the validation to fail.
Wrong record name: Some DNS providers append the zone to whatever you type in the name field, others expect the full name. Make sure the resulting record is _acme-challenge.domain.com, not _acme-challenge.domain.com.domain.com; dig will show you which one you actually created. Several TXT records under the same name are fine, and are expected when you request a wildcard together with the root domain.
Rate limits: Let's Encrypt has rate limits, including 5 failed validations per account, per hostname, per hour. If you fail validation repeatedly, you may need to wait before trying again. Test against the staging environment first with the --staging flag (or --dry-run), whose certificates are not trusted by browsers but do not count against the production limits.
Firewall rules: While DNS verification doesn't require any inbound ports on your server, certbot still needs outbound HTTPS (port 443) to acme-v02.api.letsencrypt.org, and outbound DNS if you run the dig checks from the same host.
Renewal
Certificates obtained through manual DNS verification will not renew unattended: certbot renew cannot pause for you to edit a TXT record and fails for these certificates unless you supply a script with --manual-auth-hook (and, to remove the record afterwards, --manual-cleanup-hook). For fully automated renewals, use a DNS provider-specific plugin that creates the record through the provider's API:
# Example for Cloudflare
apt install python3-certbot-dns-cloudflare
Each DNS provider plugin has its own configuration requirements, typically an API credential stored in a configuration file that must be readable by root only (mode 600). Treat that credential as a secret that can redirect your whole domain: scope it to editing DNS records in the one zone, and never use an account-wide key.
Alternative: Automated DNS Plugins
If your DNS provider is supported, using their specific plugin enables automatic renewals. Popular plugins include:
- certbot-dns-cloudflare - For Cloudflare
- certbot-dns-route53 - For AWS Route 53
- certbot-dns-digitalocean - For DigitalOcean
- certbot-dns-google - For Google Cloud DNS
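Taking the Cloudflare plugin mentioned above as the concrete case, this added example (not from the page or the certbot project) writes the plugin's credentials file so that it never exists with loose permissions, and checks it before certbot is run. The file path and the way the token is passed in are this example's own choices; the option name dns_cloudflare_api_token and the certbot flags in the comments are the plugin's documented ones.

```shell
#!/bin/sh
# Added example (not from the page or the certbot project): create the
# credentials file for python3-certbot-dns-cloudflare with least privilege
# and verify it. Assumptions: the token arrives as a function argument and
# the destination path is chosen by the caller.
set -eu

# Succeed only if the file is a regular file readable and writable by its
# owner alone (mode -rw-------); certbot itself warns about anything looser.
credentials_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Write the token with umask 077 so the file is created 0600 from the start;
# writing first and chmod-ing afterwards leaves a window in which it is
# world-readable. Use an API token scoped to Zone:DNS:Edit on the one zone,
# not the account-wide Global API Key (dns_cloudflare_email plus
# dns_cloudflare_api_key), which the plugin also accepts but which can change
# every setting on the account if the file leaks.
write_credentials() {
    path=$1 token=$2
    umask 077
    printf 'dns_cloudflare_api_token = %s\n' "$token" > "$path"
    credentials_mode_ok "$path"
}

# Typical use, run as root:
#   write_credentials /etc/letsencrypt/cloudflare.ini "$CF_TOKEN"
#   certbot certonly --dns-cloudflare \
#       --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
#       --dns-cloudflare-propagation-seconds 60 \
#       -d '*.domain.com' -d domain.com
# After that, the standard certbot renew timer renews without intervention.
```

The propagation wait (--dns-cloudflare-propagation-seconds) plays the same role as the manual "verify the record is deployed" step: the plugin creates the record through the API and then sleeps before telling Let's Encrypt to validate.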