Letsencrypt offer free SSL certs but the one caveat is they have a short 90 day expiry. There is the option to setup automatic renewal using file based verification if the web server is accessible publicly, however if you need certs for internal web servers then you must use DNS based verification. The manual steps involved are trivial.


You will need the certbot program installed on your machine to do this. Take a look at the certbot site to get the install method for your OS.

All operation run as root. The path on your server where the certs are written are:

/etc/letsencrypt/live/<host name>/

If apache is on the same host then it just a case of editing the virtual host config with the path of the applicable cert. Otherwise you can of course copy the certs to the host which requires them.


The command used to use dns verification is the following:

# certbot certonly --manual -d --preferred-challenge dns

The command can be run with multiple <-d host name> if alternative names are required for the cert. Note the following output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1):
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?
(Y)es/(N)o: y

Note at this stage you are provided with the DNS challenge which you will need to enter into your DNS hosting site. Note a TXT type record is required.

Please deploy a DNS TXT record under the name with the following value:


Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification…
Cleaning up challenges

– Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2018-04-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
“certbot renew”
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt:
Donating to EFF:

Thats all there is to it.

Note the advice to run a non-interactive renew of all certs using the command:

# certbot renew

Found on the letsencrypt community site:

DNS Based Challenge Verification SSL Certificates
Tagged on:         

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.