So, I got a reminder mail from Let’s Encrypt. They do well when it comes to reminding you of any expiring Let’s Encrypt Certbot certificate, except when you have not submitted your email to the Let’s Encrypt register. It says I have 7 (seven) days to renew the domain name (let’s call it example.com). But, wait a minute, I have a cronjob that takes care of all my Certbot certificate renewals? Ish!!! Something looks fishy or “chickenshy”. I picked up my DevOps hat, cracked my knuckles and typed away the renewal command in my now favorite Ubuntu server command line. And BOOM!!! I was decked an uppercut by this gentle-looking but dreadful acme dns certbot error:
Let’s Probe Into The Matter
Okay, that error looks awkward, yeah? I won’t panic just yet. With that, I attempted to follow the suggestions at the bottom.
However, I found that all my DNS records were correct. I also reached out to our Mobile and Frontend Devs, with whom I worked on the project (talk about collaboration as a skill of a DevOps engineer). Alas, both were as confused as I was.
With that, I put on some more armour and did a little research; after all, there is no problem so new in this world that it would defy research, even if it yields just a hint of the solution.
There I got my answers, with Stack Overflow flowing through a light blue DigitalOcean to my rescue.
The Automated Certificate Management Environment (ACME) DNS Certbot hook (acme-dns-certbot) lets Certbot perform third-party DNS validation without needing to connect directly to your DNS provider. Cool stuff. Now that we know what it does, we can forge ahead to configure and secure our domain name using the acme dns certbot hook, as Let’s Encrypt requires.
Join me as we walk through the solution together.
But first, we need to go back to the root. This is for those of you who are yet to install the Certbot utility on your machine. Leaving no stone unturned, let’s do that and then get on to configuring our DNS service with acme dns certbot.
Step 1: Install Let’s Encrypt Certbot in Ubuntu
It is important we begin the acme dns certbot configuration from the root. We begin by adding the Certbot repository:
$ sudo apt-add-repository ppa:certbot/certbot
You’ll need to press ENTER to accept the prompt and add the new repository to your system.
Next, install the Certbot package:
$ sudo apt install certbot
Once the installation has completed, you can check that Certbot has been successfully installed:
This will output something similar to the following:
I dive deeper into Certbot in another post here, but for now, this will be enough to resolve our issue.
Step 2: Installing acme-dns-certbot
Next, you will download and install the acme-dns-certbot hook, which allows Certbot to operate in DNS validation mode. We start by downloading a copy of the script:
Once the download has completed, mark the script as executable:
$ chmod +x acme-dns-auth.py
Then, edit the file using your favorite text editor and adjust the first line in order to force it to use Python 3:
$ sudo nano acme-dns-auth.py
Add a 3 to the end of the first line (the interpreter line), so that the script runs under Python 3:
Python 3 is required for acme dns to function optimally.
Once complete, save and close the file (Ctrl+X, then Y, then Enter).
Now, make the script load with Certbot by moving it into the Certbot Let’s Encrypt directory (/etc/letsencrypt/, the path from which the hook is invoked in the next step).
You have now downloaded and installed the acme-dns-certbot hook. One more step is to set up acme dns certbot; afterwards, we can issue our DNS-validated certificate with it.
Step 3: Setting Up acme dns certbot
This step will help you set up acme dns certbot to issue a Let’s Encrypt certificate. We will also update the CNAME records in our domain management portal. Here, I am managing my DNS records using the Cloudflare service. However, yours could be different. Do not panic whatsoever; any DNS management service you use follows the same process.
Now that we’ve cleared that part, let us start the setup by asking Certbot to force-issue a certificate using DNS validation. This will run the acme-dns-certbot script and trigger the initial setup process. Cool, uhm!
$ sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.your-domain -d your-domain
Now let’s break down each of the flags we passed:
--manual: disables all of the automated integration features of Certbot
--manual-auth-hook: makes Certbot use the acme-dns-certbot hook
--preferred-challenges: makes Certbot give preference to DNS validation
--debug-challenges: makes Certbot pause before attempting to validate the certificate
-d: specifies the domains we want to pass
It is important that you pass in the correct domain name here. You should also ensure the domain name is routed to the IP address of the server.
Once you have that figured out, hit Enter to run the command above.
The process will ask you a couple of questions to verify your intent.
E to allow for the
Y to confirm
You will be presented with some information containing the CNAME name and value. You should add this information at your domain provider, as seen below. In my case, I am configuring acme dns certbot for two domains simultaneously.
Go ahead and add these details in your domain management portal: the _acme-challenge… name under CNAME, with 7539c1… as its value.
Once you have added the details, go back to your command line and hit the
As for me, I encountered an error at my first attempt. Whoops!!!
It took me a couple of minutes to figure that out, even though it caused a little panic at first. The solution is pretty straightforward though.
If you also get the same error, simply do what I did and you will be fine.
Go back to your DNS management portal and check whether the proxy option is turned on for the record; turn it off (in Cloudflare, it is a toggle button). Secondly, set your TIME TO LIVE (TTL) to less than 300 seconds. I made mine 120 seconds (2 minutes).
Once you have done that in your domain dashboard, go back to your command line and try the acme-dns-certbot command again; you should be fine. Hurray!!!
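A small pre-flight check for the two causes above (a proxied CNAME and a TTL that is not below 300 seconds), as an added example that is not part of the original post. It assumes dig from dnsutils is installed, and that the delegation target is the public acme-dns instance at auth.acme-dns.io; change ACME_DNS_SUFFIX if you self-host acme-dns.

```python
"""Pre-flight check for an acme-dns-certbot CNAME delegation (added example)."""
import subprocess
import sys
from typing import Callable, List, Tuple

# Assumptions: the post wants the TTL below 300 s; auth.acme-dns.io is the public
# acme-dns instance (change it for a self-hosted acme-dns).
MAX_TTL = 300
ACME_DNS_SUFFIX = ".auth.acme-dns.io."

Lookup = Callable[[str, str], List[Tuple[int, str]]]  # (name, type) -> [(ttl, rdata)]


def dig_lookup(name: str, rtype: str) -> List[Tuple[int, str]]:
    """Resolve with dig and return (ttl, rdata) pairs of exactly the requested type."""
    out = subprocess.run(["dig", "+noall", "+answer", name, rtype],
                         capture_output=True, text=True, check=False).stdout
    records = []
    for line in out.splitlines():
        parts = line.split()  # dig answer lines: NAME TTL CLASS TYPE RDATA...
        if len(parts) >= 5 and parts[3] == rtype:
            records.append((int(parts[1]), " ".join(parts[4:])))
    return records


def check_delegation(domain: str, lookup: Lookup = dig_lookup) -> List[str]:
    """Return the problems found with _acme-challenge.<domain>; an empty list means OK."""
    name = f"_acme-challenge.{domain}."
    problems: List[str] = []
    cnames = lookup(name, "CNAME")
    if not cnames:
        # A proxied (orange-cloud) Cloudflare record is answered with Cloudflare's own
        # A/AAAA addresses instead of the CNAME, so Let's Encrypt never sees the delegation.
        if lookup(name, "A") or lookup(name, "AAAA"):
            problems.append(f"{name} answers with A/AAAA instead of CNAME: record is likely proxied")
        else:
            problems.append(f"{name} has no CNAME record")
        return problems
    ttl, target = cnames[0]
    if ttl >= MAX_TTL:
        problems.append(f"{name} TTL is {ttl}s, not below {MAX_TTL}s")
    if not target.lower().endswith(ACME_DNS_SUFFIX):
        problems.append(f"{name} points at {target}, not an acme-dns host")
    return problems


if __name__ == "__main__":
    for domain in sys.argv[1:]:
        found = check_delegation(domain)
        print(f"{domain}: {'OK' if not found else '; '.join(found)}")
```

Run it as `python3 check_delegation.py your-domain` before retrying the certbot command; an empty problem list means the CNAME is visible, unproxied and short-lived enough.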
Step 4: Install More Certificates
Let’s say you are now the new Ant-Man in town, and you can perform wonders with your newly acquired skill of installing acme dns certbot certificates. Let’s say you want to install a standalone wildcard certificate without having to perform the verification again.
Simply enter the command:
$ sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.your-domain
Hey, wait a minute, what if you would like to put this on a subdomain? Well, it is still pretty easy; simply run:
$ sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d subdomain.your-domain
However, the second command will ask you to enter a CNAME record for the subdomain. This is because Certbot treats the subdomain as a new entity that needs a new address, or in this case a new certificate.
And there you are: you have one more skill in your DevOps and cloud engineering arsenal. You can now install Let’s Encrypt certificates using traditional Certbot and the ACME DNS certbot hook.
Just a little icing on the cake, if you like icing (like I don’t): you can also renew your certificates, or do a dry run of renewing expiring certificates.
$ sudo certbot renew
You can alternatively use
$ sudo certbot renew --dry-run
On successful renewal of your domain names, you should get a successfully renewed response like the one below.
And there you have it on installing a Let’s Encrypt certificate with Certbot using acme dns.
See you next time.
Stay secure, stay resilient.