Obtaining a Let's Encrypt Certificate with DNS Verification

Obtaining a Let's Encrypt Certificate with DNS Verification
Photo by JJ Ying / Unsplash

Let's Encrypt is a free and widely used Certificate Authority (CA) that allows you to obtain SSL/TLS certificates for your websites.

In this tutorial, we will walk you through the process of obtaining a Let's Encrypt certificate using DNS verification. DNS verification is a method that verifies your domain ownership by adding a DNS record, making it suitable for situations where HTTP verification is not possible.


  1. A domain name that you want to secure with an SSL/TLS certificate.
  2. Access to your domain's DNS settings.

Step 1: Install Certbot

Certbot is a popular tool for managing Let's Encrypt certificates. You can install Certbot on your server. The following instructions are for a typical Ubuntu server. For other operating systems, please refer to the Certbot documentation.

# Update your package list
sudo apt update

# Install Certbot and the DNS plugin for your DNS provider (e.g., for Cloudflare)
sudo apt install certbot python3-certbot-dns-cloudflare

Step 2: Configure the DNS Plugin

Before using Certbot with DNS verification, you need to configure the DNS plugin with your credentials. In this example, we will use Cloudflare as the DNS provider. Replace it with the correct plugin for your provider.

  1. Log in to your Cloudflare account.
  2. Create an API Token with the required permissions for Certbot.
    • Go to "My Profile" > "API Tokens."
    • Create a new token with "Zone" > "DNS" > "Edit" permissions.
  3. Copy the API Token you created.

Now, configure the DNS plugin using the following command:

sudo nano /etc/letsencrypt/cloudflare.ini

Add the following content, replacing cloudflare_email with your Cloudflare email and cloudflare_api_key with the API Token you generated:

# Cloudflare API credentials used by Certbot
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = your_api_token

Save and exit the file.

Step 3: Obtain the Let's Encrypt Certificate

Now that you have Certbot installed and the DNS plugin configured, you can request a Let's Encrypt certificate for your domain.

Use the following command, replacing your_domain.com with your actual domain:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d your_domain.com

Certbot will use the DNS plugin to create a DNS TXT record for domain ownership verification. Once verified, the certificate files will be stored in /etc/letsencrypt/live/your_domain.com/.

Step 4: Automatically Renew the Certificate

Let's Encrypt certificates expire after a certain period (usually 90 days). To ensure your website remains secure, set up automatic renewal for your certificate.

Create a cron job to run the renewal command twice a day. Open the crontab configuration:

sudo crontab -e

Add the following line to the crontab file to renew the certificates automatically:

0 */12 * * * certbot renew

Save and exit the file. This configuration will attempt to renew the certificates twice a day.

Step 5: Verify Certificate Renewal

To verify that automatic renewal is working correctly, you can check the certificate's expiration date:

sudo certbot certificates

If the certificate is within 30 days of expiration, Certbot will automatically attempt to renew it.

Congratulations! You've successfully obtained a Let's Encrypt SSL/TLS certificate using DNS verification and configured automatic renewal. Your website is now more secure with HTTPS.