Obtaining an SSL Certificate with DNS Verification

What Will You Learn in This Guide?

In this guide you will learn how to obtain a Let's Encrypt certificate using DNS validation.
You will also issue a wildcard certificate and test automatic renewal.

Technical Summary

Main Technical Topic: Obtaining an SSL/TLS certificate with DNS validation
Solved Problem: Issuing certificates on systems that Let's Encrypt cannot reach over HTTP
Scope: Certbot, acme-dns-certbot, CNAME delegation, renewal

DNS validation works behind load balancers and on internal network systems, because the validation never touches the server that will use the certificate: only the public DNS zone has to be reachable.


What is DNS Validation?

DNS validation (the ACME dns-01 challenge) proves control of a domain by publishing a token in a TXT record at _acme-challenge.<domain>.
Let's Encrypt looks up that record instead of connecting to the server, so the server does not need to be reachable from the internet.
This method is mandatory for wildcard certificates: Let's Encrypt issues wildcards only through dns-01.

This method is ideal when:

  1. The servers sit behind a load balancer
  2. The systems are on an internal network closed to the internet
  3. You need a wildcard certificate such as *.alanadiniz.com

What is acme-dns-certbot?

acme-dns-certbot is a Certbot authentication hook that delegates the validation record to acme-dns, a minimal DNS server built only to answer ACME challenges.
On first use the hook registers an account on an acme-dns instance (the script defaults to the public instance at auth.acme-dns.io) and asks you to add one CNAME record in your own zone, pointing _acme-challenge.<domain> at that account's name. From then on the hook updates the TXT record on the acme-dns side; your own zone is never edited again.

This approach provides:

  • Certbot never holds API credentials with full authority over your DNS zone; the credentials it stores can only change the delegated _acme-challenge name
  • Your existing DNS configuration stays untouched apart from the one CNAME
  • Manual steps are needed only once, at initial setup; renewals run unattended

The caveat is that the acme-dns instance answering the challenge is trusted for issuance: whoever controls it, or steals the credentials file the hook writes under /etc/letsencrypt (acmedns.json by default), can obtain certificates for every delegated name. For production, run your own acme-dns instance and keep the credentials file root-only.

Prerequisites

To get started you need:

  • An Ubuntu 18.04 server (example: tr1-node01)
  • A non-root user with sudo privileges
  • A domain whose DNS zone you can add records to (example: ornekalan.com)

Log in to the server via SSH.


Certbot Installation

1.1 Add the Certbot repository

sudo apt-add-repository ppa:certbot/certbot
  • This command adds the Certbot PPA that was current for Ubuntu 18.04 when this guide was written. The PPA is no longer maintained; on newer Ubuntu releases the Certbot project ships Certbot as a snap, and its current installation instructions should be followed instead. If apt did not refresh the package index automatically, run sudo apt update before the next step.

1.2 Install Certbot


sudo apt install certbot
  • This command installs the Certbot package.

1.3 Verify installation


certbot --version
  • This command shows the installed Certbot version.

acme-dns-certbot Installation

2.1 Download the script


wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py
  • This command downloads the DNS validation hook. It will run as root on every issuance and renewal, so read it before installing it (step 2.3 opens it anyway) and keep your own reviewed copy rather than re-downloading from master later.

2.2 Grant execution permission


chmod +x acme-dns-auth.py
  • This command makes the script executable.

2.3 Force Python 3


nano acme-dns-auth.py
  • This command opens the script for editing.

Update the first line (the shebang) so that it reads:


#!/usr/bin/env python3
  • This line makes the script run under Python 3 regardless of which interpreter the system's default python command points to.

2.4 Move the script to the Let's Encrypt directory


sudo mv acme-dns-auth.py /etc/letsencrypt/
  • This command moves the script into the directory Certbot reads its configuration from. mv keeps the downloading user as the file owner; change the owner to root (chown root:root) so that a compromise of the unprivileged account cannot modify a script Certbot executes as root.

Getting the Initial Certificate and Adding the DNS Record

  1. This step uses certonly.
  • With this option Certbot obtains the certificate and writes it to disk, but does not install it into a web server configuration. You point Nginx or Apache at the files yourself.

3.1 Initialize certificate request


sudo certbot certonly \
--manual \
--manual-auth-hook /etc/letsencrypt/acme-dns-auth.py \
--preferred-challenges dns \
--debug-challenges \
-d \*.ornekalan.com \
-d ornekalan.com
  • This command requests a wildcard certificate for *.ornekalan.com plus the bare domain, using DNS validation.

Parameter summary:

  1. --manual: Certbot does not configure a web server or talk to a DNS provider itself; the challenge is handled by the hook and by you
  2. --manual-auth-hook: the script Certbot runs to publish the validation record (acme-dns-auth.py)
  3. --preferred-challenges dns: selects the dns-01 challenge
  4. --debug-challenges: Certbot pauses after the hook has run and waits for ENTER before asking Let's Encrypt to validate, which gives you time to add the CNAME record
  5. -d: a domain name to include in the certificate; repeat it for each name. The asterisk is escaped (\*) so the shell does not expand it as a filename pattern

  • On the first run for a domain, the hook registers an acme-dns account and prints the CNAME record you must add.

3.2 Add the CNAME record to DNS

Sample output is as follows (xxxxx stands for the account name acme-dns assigned to you; use the exact value from your own output):


_acme-challenge.ornekalan.com CNAME xxxxx.auth.acme-dns.io.
  • Add this record to your DNS panel.

Recommended record settings:

  1. Type: CNAME

  2. Host: _acme-challenge.ornekalan.com (many panels expect only the relative label _acme-challenge and append the zone name themselves)

  3. Value: xxxxx.auth.acme-dns.io

  4. TTL: 300 seconds recommended


  • One CNAME covers both ornekalan.com and *.ornekalan.com, because the challenge name is _acme-challenge.ornekalan.com for both.
  • After adding the record, wait until it is visible from a public resolver, then return to the Certbot screen and press ENTER to start validation. If you press ENTER before the record has propagated, validation fails and the request has to be repeated.

3.3 Check certificate files

  • If validation succeeds, Certbot writes the certificate chain and the private key here:

/etc/letsencrypt/live/ornekalan.com/fullchain.pem
/etc/letsencrypt/live/ornekalan.com/privkey.pem
  • These are symlinks into /etc/letsencrypt/archive that Certbot repoints on every renewal, so configure the web server with the live paths. privkey.pem is readable by root only; do not relax its permissions, let the service load the key as root or reload it from a deploy hook instead.
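The check a practitioner wants before pressing ENTER in step 3.2 is that the CNAME really points at the acme-dns name the hook registered and that the TXT token is already visible through it. The script below is an added example, not part of the original guide or of acme-dns-certbot. It assumes the hook's default credentials store /etc/letsencrypt/acmedns.json (a JSON object keyed by domain, with the CNAME target in the fulldomain field), that dig (package dnsutils) and python3 are installed, and that 1.1.1.1 is an acceptable public resolver; the acmedns.json written by make_sample_store contains constructed fake values so the parsing and comparison logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original guide or from acme-dns-certbot):
# pre-flight check of the CNAME delegation while Certbot is paused at
# --debug-challenges. Run it in a second terminal before pressing ENTER:
#   sudo sh check-delegation.sh ornekalan.com
#
# Assumptions: the hook's store is /etc/letsencrypt/acmedns.json, keyed by
# domain, with the CNAME target in "fulldomain"; dig (dnsutils) and python3
# are installed; 1.1.1.1 is an acceptable public resolver.

STORE="${ACMEDNS_STORE:-/etc/letsencrypt/acmedns.json}"
# Ask a public resolver so we see what Let's Encrypt will see, not an
# answer cached by an internal resolver.
RESOLVER="${RESOLVER:-1.1.1.1}"

# norm_name NAME -> NAME without trailing dot, lower-cased (dig prints a
# trailing dot, DNS panels usually do not; DNS names are case-insensitive)
norm_name() {
    printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z'
}

# expected_target STORE DOMAIN -> acme-dns name registered for DOMAIN,
# or a non-zero exit status if DOMAIN has no account in STORE
expected_target() {
    python3 - "$1" "$2" <<'PY'
import json, sys
with open(sys.argv[1]) as f:
    store = json.load(f)
print(store[sys.argv[2]]["fulldomain"])
PY
}

# delegation_ok OBSERVED EXPECTED -> 0 when the published CNAME points at
# the name the hook expects (empty OBSERVED means no CNAME was found)
delegation_ok() {
    [ -n "$1" ] && [ "$(norm_name "$1")" = "$(norm_name "$2")" ]
}

# txt_token_ok VALUE -> 0 when VALUE is a quoted 43-character base64url
# string, the shape of the digest Certbot publishes; acme-dns itself
# refuses to store a TXT value of any other length
txt_token_ok() {
    printf '%s' "$1" | grep -Eq '^"[A-Za-z0-9_-]{43}"$'
}

# live_check DOMAIN -> 0 when both CNAME and TXT are visible and correct
live_check() {
    domain="$1"
    if ! want="$(expected_target "$STORE" "$domain" 2>/dev/null)"; then
        echo "no acme-dns account for $domain in $STORE (run certbot first)" >&2
        return 2
    fi
    got="$(dig @"$RESOLVER" +short CNAME "_acme-challenge.$domain")"
    if delegation_ok "$got" "$want"; then
        echo "CNAME ok: _acme-challenge.$domain -> $want"
    else
        echo "CNAME missing or wrong: got '${got:-none}', want '$want'" >&2
        return 1
    fi
    # +short on a CNAME chain prints the CNAME target first, then the TXT
    txt="$(dig @"$RESOLVER" +short TXT "_acme-challenge.$domain" | tail -n 1)"
    if txt_token_ok "$txt"; then
        echo "TXT ok: $txt"
    else
        echo "TXT not visible yet (got '${txt:-none}'); wait, then press ENTER" >&2
        return 1
    fi
}

# make_sample_store -> path of a constructed acmedns.json with fake values,
# so the parsing and comparison logic can be exercised without the real file
make_sample_store() {
    f="$(mktemp)"
    cat >"$f" <<'JSON'
{"ornekalan.com": {"username": "00000000-0000-0000-0000-000000000000",
                   "password": "constructed-not-a-real-secret",
                   "fulldomain": "11111111-2222-3333-4444-555555555555.auth.acme-dns.io",
                   "subdomain": "11111111-2222-3333-4444-555555555555",
                   "allowfrom": []}}
JSON
    echo "$f"
}

if [ "$#" -ge 1 ]; then
    live_check "$1"
fi
```

The script needs sudo only because the credentials store is root-only readable. Querying a public resolver rather than the system one matters: an internal resolver can keep returning a cached NXDOMAIN for _acme-challenge.ornekalan.com long after the record exists, while Let's Encrypt resolves the name from the authoritative servers.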

Automatic Renewal and Testing

4.1 Run renewal


sudo certbot renew
  • This command renews every certificate Certbot manages that is within 30 days of expiry. The hook and the acme-dns account it stored are reused, so no manual step is needed. The Certbot package installs a systemd timer (or cron job) that runs this command twice a day; you normally do not run it by hand.

4.2 Test with dry-run


sudo certbot renew --dry-run
  • This command rehearses the renewal against the Let's Encrypt staging environment without touching your real certificates.
  • A successful dry-run indicates that the hook, the CNAME delegation and the stored credentials still work, that is, that unattended renewal will succeed.
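Because certonly never installs the certificate, a renewal only helps if the web server reloads the new files. The deploy hook below is an added example, not part of the original guide: Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal with RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS (the space-separated names) in the environment. nginx as the web server, ornekalan.com as the lineage name and the credentials store /etc/letsencrypt/acmedns.json are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): a Certbot deploy hook that
# reloads nginx only when the certificate this server actually uses was
# renewed, and warns if the acme-dns credentials are readable by others.
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh,
# root-owned and executable. Certbot exports RENEWED_LINEAGE (the
# live/<name> directory) and RENEWED_DOMAINS (space-separated names).
# nginx and the lineage name ornekalan.com are assumptions.

WATCHED="${WATCHED_DOMAIN:-ornekalan.com}"
STORE="${ACMEDNS_STORE:-/etc/letsencrypt/acmedns.json}"

# domain_in_list NAME "n1 n2 ..." -> 0 if NAME is one of the names.
# A case pattern is used instead of a for loop so that "*.ornekalan.com"
# in the list is never expanded as a filename glob.
domain_in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# lineage_ready DIR -> 0 if DIR holds the two files a server block needs
lineage_ready() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# mode_private FILE -> 0 if FILE is readable by its owner only.
# The acme-dns credentials let their holder publish validation tokens and
# therefore obtain certificates for every delegated name: treat them like
# a private key. (ls output is parsed because stat's flags are not portable.)
mode_private() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------|-r--------) return 0 ;;
    esac
    return 1
}

# store_private FILE -> 0 if FILE is root-owned and mode_private
store_private() {
    [ "$(ls -ld "$1" | awk '{print $3}')" = root ] && mode_private "$1"
}

# Hook body: only runs when Certbot supplies RENEWED_LINEAGE.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if ! domain_in_list "$WATCHED" "${RENEWED_DOMAINS:-}"; then
        echo "renewed '${RENEWED_DOMAINS:-}', not $WATCHED; nothing to reload"
        exit 0
    fi
    if ! lineage_ready "$RENEWED_LINEAGE"; then
        echo "lineage incomplete: $RENEWED_LINEAGE" >&2
        exit 1
    fi
    if ! store_private "$STORE"; then
        echo "warning: $STORE should be root-owned with mode 600" >&2
    fi
    # Validate the configuration first so a broken reload never takes
    # the running server down.
    nginx -t && systemctl reload nginx
fi
```

Running certbot renew --dry-run after installing the hook exercises it too, because Certbot runs deploy hooks during a dry run as well; a failing nginx -t therefore shows up in the rehearsal rather than at the real renewal.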

Frequently Asked Questions (FAQ)

1. Why should I use DNS validation? When Let's Encrypt cannot reach the server over HTTP, or when you need a wildcard certificate.

2. Do I add a CNAME every time? No. The CNAME is added once per domain; the hook reuses the stored acme-dns account for renewals. A new CNAME is needed only for a domain you have not delegated before.

3. Does this guide install the certificate? No. certonly only obtains the certificate files.

4. How do I add it to Nginx or Apache? Point the server configuration at fullchain.pem (certificate chain) and privkey.pem (private key) under the live directory, and reload the server after each renewal.

5. Can I use it on an internal network server? Yes. The server only needs outbound HTTPS access to Let's Encrypt and to the acme-dns instance; nothing inbound is required, only the DNS records have to be public.

Result

DNS validation decouples certificate issuance from the exposure of the server: nothing has to be reachable from the internet except the DNS zone, and with acme-dns the credentials Certbot holds can only touch the delegated _acme-challenge name. It is the standard approach for wildcard certificates and for servers behind load balancers.

You can try this setup immediately on the GenixNode platform to simplify certificate management.