Sep 20 2024

Wildcard Certificates with certbot

Posted by Vitalie Cherpec

Modern computing requires secure communication between devices. Secure communication is built on public-key (asymmetric) cryptography: an asymmetric algorithm uses a pair of mathematically linked keys, and data encrypted with one key can only be decrypted with the other. In TLS the key pair is used to authenticate the server and agree on a session key; the bulk of the traffic is then protected with a much faster symmetric cipher.

One of the keys is kept private and the other is published. When a secure connection is set up, we must make sure that the public key we are handed really belongs to the entity we intend to talk to; otherwise an attacker who substitutes their own key can read and modify the traffic. Binding public keys to identities is the job of the public key infrastructure (PKI).

A trusted third party attests, by signing a certificate, that the public key presented by the server belongs to a certain entity. These third parties are called certificate authorities (CAs). Many CAs are trusted today; if you are curious, you can inspect the trust store that ships with your operating system or browser.

In recent years Let's Encrypt, a nonprofit certificate authority that issues certificates free of charge, has become increasingly popular.

Using Certbot, the ACME client created by the EFF, you can request a Let's Encrypt certificate.

Install certbot

We'll use an Ubuntu 24.04 machine with snapd; for other operating systems, check the certbot installation instructions.

sudo apt update
sudo apt install snapd
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo snap set certbot trust-plugin-with-root=ok

Install certbot-dns-luadns plugin

Certbot's DNS provider plugins are not bundled with certbot itself; the LuaDNS plugin, like the others, is distributed as a separate snap, so you must install certbot-dns-luadns explicitly.

sudo snap install certbot-dns-luadns

Get your API key

Create a new API key on the API keys page of your LuaDNS account. Restrict it to the zone you are issuing for unless you really need it to manage other domains: the key will sit on the certbot host in plain text, so the less it can do, the less an attacker gains if that host is compromised.

Create the INI file

The INI file stores your API credentials (email address and API key) in the format the plugin expects:

root@certbot:~# cat ~/.luadns.ini
dns_luadns_email = user@example.com
dns_luadns_token = 9ea8a5f5eba25560f09e9dea13379e64

Certbot needs these credentials to add a TXT record to your DNS zone; that record is how the DNS-01 challenge proves to Let's Encrypt that you control the domain.

Because the file holds a credential that can modify your DNS zone, it must be readable only by the root user:

sudo chmod 0600 /root/.luadns.ini
sudo chown root:root /root/.luadns.ini

Issuing the certificate

We'll issue a wildcard certificate for mycompany.com; we assume the domain is delegated to LuaDNS and its zone is configured there. Note that a wildcard name such as *.mycompany.com matches exactly one label below the apex (www.mycompany.com, api.mycompany.com) but not the apex itself; if the certificate must also serve mycompany.com, add a second -d mycompany.com argument.

Certbot uses the API to create the DNS record that Let's Encrypt asks for in the DNS-01 challenge: a TXT record at _acme-challenge.mycompany.com whose value is derived from the challenge token and your ACME account key. Let's Encrypt looks that record up from the public internet before issuing, so certbot waits for the change to propagate (30 seconds by default for this plugin, adjustable with --dns-luadns-propagation-seconds) and removes the record again once validation is done.

root@certbot:~# certbot certonly --dns-luadns --dns-luadns-credentials ~/.luadns.ini -d '*.mycompany.com'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.mycompany.com
Waiting 30 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mycompany.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/mycompany.com/privkey.pem
This certificate expires on 2024-12-19.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

You can also pass --dry-run to simulate issuance: certbot then runs the whole challenge against the Let's Encrypt staging environment and writes no certificate, which is useful for debugging problems without consuming production rate limits.

Common problems

If you get the following message:

Unable to determine zone identifier for mycompany.com using zone names: ['mycompany.com', 'com'].

it means certbot could not find a zone named mycompany.com (or com) among the zones the supplied API key is allowed to see.

Check that the zone exists in your LuaDNS account, that the API key is valid, and that it has access to that zone (a key restricted to a different domain produces exactly this error).
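Putting the steps above together, and covering the zone-access failure described under Common problems, here is a wrapper script. It is an added example, not code from the original post or from the certbot or LuaDNS projects. It assumes the credentials file /root/.luadns.ini and the zone mycompany.com from the post (both overridable through environment variables); the LuaDNS REST API endpoint https://api.luadns.com/v1/zones with HTTP basic authentication (email and token) used by zone_listed is an assumption about the API, and the post-issuance checks assume openssl is installed. It also goes one step beyond the post by requesting the apex name alongside the wildcard, since a wildcard does not cover the bare domain.

```shell
#!/bin/sh
# Pre-flight, issuance and verification wrapper for the certbot + LuaDNS flow.
# Added example: not from the original post or from the certbot project.
# Assumed: credentials in /root/.luadns.ini and zone mycompany.com (override
# with the CREDS and DOMAIN environment variables).
set -eu

CREDS="${CREDS:-/root/.luadns.ini}"
DOMAIN="${DOMAIN:-mycompany.com}"

# check_creds FILE: succeed only if FILE is a regular file owned by the
# invoking user, has mode 0600, and carries non-empty values for both keys
# the dns-luadns plugin reads.
check_creds() {
    f="$1"
    [ -f "$f" ] || { echo "$f: not found" >&2; return 1; }
    [ -O "$f" ] || { echo "$f: not owned by the invoking user" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "$f: mode $mode, expected 600 (chmod 0600)" >&2; return 1; }
    for key in dns_luadns_email dns_luadns_token; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]+" "$f" \
            || { echo "$f: missing value for $key" >&2; return 1; }
    done
}

# ini_value FILE KEY: print the value assigned to KEY in the credentials file.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# zone_listed DOMAIN: succeed if the API key can see the zone. The endpoint and
# HTTP basic auth with email:token are assumptions about the LuaDNS REST API,
# not something the post documents; adjust them if your API docs differ.
# A failure here is the condition behind certbot's
# "Unable to determine zone identifier" error.
zone_listed() {
    email=$(ini_value "$CREDS" dns_luadns_email)
    token=$(ini_value "$CREDS" dns_luadns_token)
    curl -fsS -u "$email:$token" -H 'Accept: application/json' \
        https://api.luadns.com/v1/zones | grep -Eq "\"name\":[[:space:]]*\"$1\""
}

# cert_names PEM: print the DNS names in the certificate's subjectAltName,
# one per line. A wildcard entry *.example.com does not cover example.com
# itself, so both must appear if the apex is served from this certificate.
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_valid_for DAYS PEM: succeed if the certificate is still valid DAYS
# days from now (openssl -checkend takes seconds).
cert_valid_for() {
    openssl x509 -in "$2" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

main() {
    check_creds "$CREDS"
    certbot plugins 2>/dev/null | grep -q 'dns-luadns' \
        || { echo "dns-luadns plugin not installed (sudo snap install certbot-dns-luadns)" >&2; exit 1; }
    zone_listed "$DOMAIN" || { echo "API key cannot see zone $DOMAIN" >&2; exit 1; }
    # Rehearse against the Let's Encrypt staging environment first: --dry-run
    # runs the DNS-01 challenge end to end without issuing anything.
    certbot certonly --dns-luadns --dns-luadns-credentials "$CREDS" \
        -d "$DOMAIN" -d "*.$DOMAIN" --dry-run
    # Real issuance. The lineage directory is named after the first -d value
    # with any leading "*." stripped, so this still lands in
    # /etc/letsencrypt/live/mycompany.com as in the post.
    certbot certonly --dns-luadns --dns-luadns-credentials "$CREDS" \
        -d "$DOMAIN" -d "*.$DOMAIN"
    live="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
    echo "names covered by $live:"
    cert_names "$live"
    cert_valid_for 30 "$live" || echo "warning: $live expires within 30 days" >&2
}

# Only run the flow when invoked as "./issue-wildcard.sh issue"; sourcing the
# file just defines the functions so they can be used or tested individually.
if [ "${1:-}" = "issue" ]; then
    main
fi
```

Run it as root with `./issue-wildcard.sh issue` (the script name is hypothetical). The credential and plugin checks fail fast with an actionable message before any ACME request is made, and the final cert_names listing is the quickest way to confirm that both the apex and the wildcard ended up in the certificate.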
