The following guide can be used to install Certbot and generate certificates using the ACME DNS Client validator.
I am using the Certbot Snap as the OS packages are usually out of date.
If using a Debian system, install the package for snapd first:
apt -y install snapd
Install the core snap and bring it up to date (every command in this guide is run as root):
snap install core
snap refresh core
Install the Certbot snap and create a symlink so that certbot is in $PATH:
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
Certbot should now be ready to use.
Although not required, I deploy a configuration file for Certbot. It sets the default contact email address used when registering the account, the key type for new certificates, and pre-accepts the terms of service so that later commands run without prompting.
To add the configuration file (change the email address variable to the one correct for your environment):
EMAIL="ssl@gbe0.com"
mkdir -p /etc/letsencrypt
cat << EOF > /etc/letsencrypt/cli.ini
# Use ECC (P-384) for the private keys
key-type = ecdsa
elliptic-curve = secp384r1
# Only used if key-type is overridden to rsa on the command line: 4096 bit instead of the 2048 bit default
rsa-key-size = 4096
# Set default contact email address
email = $EMAIL
# Agree to the TOS by default and don't share the contact email with the EFF
no-eff-email = true
agree-tos = true
EOF
acme-dns-client can also print a set of CAA records for the domain(s). They carry the accounturi parameter from RFC 8657, which tells Let's Encrypt to issue for the domain only when the request comes from your ACME account, so control of the DNS validation alone is not enough to obtain a certificate.
To use this feature, register a Certbot account first (once only); acme-dns-client picks up the account details automatically:
certbot register
The acme-dns-client binary can be downloaded from the GitHub releases page or built yourself. This places an unsigned binary from GitHub in your PATH, so compare the archive against any checksum published on the release page before moving it into place. To use the current GitHub release (0.3 at the time of writing):
TEMPDIR="$(mktemp -d)"
cd "$TEMPDIR"
wget https://github.com/acme-dns/acme-dns-client/releases/download/v0.3/acme-dns-client_0.3_linux_amd64.tar.gz
tar zxvf acme-dns-client_0.3_linux_amd64.tar.gz
mv acme-dns-client /usr/local/bin/acme-dns-client
cd -
rm -rf "$TEMPDIR"
For this example I am generating a wildcard certificate for example.gbe0.com (the certificate covers both example.gbe0.com and *.example.gbe0.com). Set the domain variable to allow easy copy/paste:
DOMAIN="example.gbe0.com"
acme-dns-client needs to be registered with an acme-dns server. If you are not running your own server, you may use a public instance such as the one I am using or the default, https://auth.acme-dns.io. Be clear about what that delegates: once _acme-challenge.$DOMAIN is a CNAME into the acme-dns server's zone, whoever operates that server can answer dns-01 challenges for your domain and therefore obtain certificates for it. The account-bound CAA records described above limit that exposure, but a third-party instance should only be used if you accept the risk.
Assuming you are using your own acme-dns server, set a variable with the server address (the value here is the instance I run; point it at yours):
SERVER="https://acme.deepid.com"
Register the account on the ACME DNS Server:
acme-dns-client register \
-d "$DOMAIN" \
-s "$SERVER"
NOTE: If using the default server, you will need to provide the --dangerous argument to the registration command.
The registration process prints the records to set: a CNAME from _acme-challenge.$DOMAIN to your subdomain on the acme-dns server, and the CAA records that bind issuance to your ACME account. Publish them and confirm they resolve from the public internet (for example with dig) before continuing, as the CA follows the CNAME to find the challenge TXT record.
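The following bash script is an added example (not part of acme-dns-client or Certbot) of the pre-flight check worth running at this point. It uses dig to confirm the CNAME is in place and reports how the effective CAA set treats your account, climbing the tree from the domain the way a CA does under RFC 8659. The CNAME target and account URI in it are placeholders; substitute the values printed by the register command. When FAKE_DNS is set it answers from constructed records instead of dig, which is how it is exercised offline.

```shell
#!/bin/bash
# Pre-flight check that the records acme-dns-client asked for are live before
# running certbot. Added example, not part of acme-dns-client or Certbot.
# The three values below are assumptions; replace them with the CNAME target
# and the accounturi printed by `acme-dns-client register`.
DOMAIN="${DOMAIN:-example.gbe0.com}"
ACME_DNS_TARGET="${ACME_DNS_TARGET:-d420c923-bbd7-4056-ab64-c3ca54c9b3cf.acme.deepid.com}"
ACCOUNT_URI="${ACCOUNT_URI:-https://acme-v02.api.letsencrypt.org/acme/acct/123456789}"

# lookup TYPE NAME: one answer per line, trailing dots stripped. When FAKE_DNS
# is set (lines of "TYPE NAME ANSWER", constructed for offline testing) it is
# consulted instead of dig.
lookup() {
    if [ -n "${FAKE_DNS:-}" ]; then
        printf '%s\n' "$FAKE_DNS" | awk -v t="$1" -v n="$2" \
            '$1 == t && $2 == n { sub(/^[^ ]+ [^ ]+ /, ""); print }'
    else
        dig +short "$1" "$2"
    fi | sed 's/\.$//'
}

# check_cname DOMAIN TARGET: _acme-challenge.DOMAIN must be a CNAME to the
# acme-dns subdomain; the CA follows it when it looks up the challenge TXT.
check_cname() {
    local got want
    got="$(lookup CNAME "_acme-challenge.$1" | head -n 1 | tr 'A-Z' 'a-z')"
    want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# find_caa NAME: the CAA RRset a CA applies to NAME. Per RFC 8659 that is the
# closest name, walking up from NAME towards the root, that has any CAA records.
find_caa() {
    local name="$1" rrs
    while [ -n "$name" ]; do
        rrs="$(lookup CAA "$name")"
        if [ -n "$rrs" ]; then printf '%s\n' "$rrs"; return 0; fi
        case "$name" in *.*) name="${name#*.}" ;; *) name="" ;; esac
    done
    return 1
}

# caa_status NAME TAG ACCOUNT_URI prints one word:
#   none        no CAA anywhere up the tree: any CA may issue, to any account
#   open        a letsencrypt.org TAG record without accounturi: any LE account
#   restricted  every letsencrypt.org TAG record is bound to ACCOUNT_URI
#   blocked     CAA is present but nothing permits ACCOUNT_URI (issuance refused)
# TAG is "issue" for the base name and "issuewild" for the wildcard; if the set
# has no issuewild records, the issue records govern wildcards too (RFC 8659).
caa_status() {
    local rrs line value tag="$2" acct="$3" permit=0 open=0
    rrs="$(find_caa "$1")" || { echo none; return 0; }
    if [ "$tag" = issuewild ] && ! printf '%s\n' "$rrs" | grep -q ' issuewild "'; then
        tag=issue
    fi
    while IFS= read -r line; do
        case "$line" in *" $tag \"letsencrypt.org"*) ;; *) continue ;; esac
        value="${line#*\"}"; value="${value%\"}"
        case "$value" in
            *"accounturi=$acct"|*"accounturi=$acct;"*) permit=1 ;;
            *accounturi=*) ;;                   # bound to a different account
            *) permit=1; open=1 ;;              # no account binding at all
        esac
    done <<EOF
$rrs
EOF
    if [ "$open" = 1 ]; then echo open
    elif [ "$permit" = 1 ]; then echo restricted
    else echo blocked; fi
}

# preflight: non-zero exit if certbot would be refused; "open"/"none" are
# warnings that a third party answering dns-01 for you could also get a cert.
preflight() {
    local tag status rc=0
    if check_cname "$DOMAIN" "$ACME_DNS_TARGET"; then
        echo "ok   _acme-challenge.$DOMAIN -> $ACME_DNS_TARGET"
    else
        echo "FAIL _acme-challenge.$DOMAIN is not a CNAME to $ACME_DNS_TARGET"; rc=1
    fi
    for tag in issue issuewild; do
        status="$(caa_status "$DOMAIN" "$tag" "$ACCOUNT_URI")"
        echo "CAA $tag for $DOMAIN: $status"
        [ "$status" = blocked ] && rc=1
    done
    return "$rc"
}

[ "${1:-}" = run ] && preflight
```

Run it as `bash acme-preflight.sh run` with DOMAIN, ACME_DNS_TARGET and ACCOUNT_URI exported. A non-zero exit means certbot would be refused by CAA or the CNAME is not live yet; "open" or "none" means issuance works but nothing ties it to your account, which is exactly the gap the CAA records from the register output close.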
The SSL certificate/key can now be generated:
certbot certonly \
--manual \
--preferred-challenges dns \
--manual-auth-hook "acme-dns-client" \
-d "$DOMAIN" \
-d "*.$DOMAIN"
The certificate should be issued without further interaction, with the certificate chain (fullchain.pem) and private key (privkey.pem) in /etc/letsencrypt/live/${DOMAIN}. Certbot records the manual auth hook in the renewal configuration, so the renewal timer installed by the snap can renew this certificate unattended; certbot renew --dry-run confirms that end to end.
To restart or reload a service whenever the certificate is issued or renewed, specify --deploy-hook. It runs only after a certificate has actually been obtained; --post-hook, by contrast, runs after every renewal attempt, including those where nothing was renewed, so it is the wrong choice for this and combining the two restarts the service twice. For nginx, systemctl reload nginx picks up the new certificate without dropping connections and is usually preferable to a restart. As an example:
certbot certonly \
--manual \
--preferred-challenges dns \
--manual-auth-hook "acme-dns-client" \
--deploy-hook "systemctl restart nginx" \
-d "$DOMAIN" \
-d "*.$DOMAIN"
The hook is saved in the renewal configuration and runs again on every subsequent renewal.