Moving ACME challenges for Let's Encrypt to DNS-01 method?

Protected
Hey all. Could someone please lightly nudge me toward where I can learn about the current most hassle-free method for using DNS-01 challenges during Let's Encrypt certificate renewal? Thank you in advance.
 
If I remember correctly, the DNS-01 challenge relies on you having the domain's nameservers (and possibly glue) pointing to the server you're trying to issue a certificate for. You must also have DNS set up on the same server. This will aid you in getting a wildcard certificate for the domain in question.

Also, very important is you have an A record created for the servername/hostname. For example if your server is called "fred" you would need an A record created for "fred.yourdomain.com". This can also cause ACME to refuse to issue a cert if it's absent.

If you have the DNS set up on another server/registrar and only point nameservers or an A record to the server you're trying to add SSL to, I believe you're only able to add specific records like www.domain.com, domain.com, mail.domain.com etc...

Once set up, it should auto-renew every 3 months.
 
Correct. Unless you can use LEGO with your registrar.
Yes, but that requires you to manually create the certificate in Certbot CLI iirc, by manually creating a TXT record that it gives you in the process. Not sure if that's auto-renewable or not, I can't remember as I've only used it once or twice a few years back for a project. LE on DA is auto (for simplicity for users I'm guessing)
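An added example, not from this thread or from any ACME client, showing what the TXT record the client "gives you" actually contains (RFC 8555 section 8.4: base64url of SHA-256 over token "." account-key-thumbprint) and how to check that the record is visible before the CA goes looking for it; the token and the account JWK below are constructed sample values, and the resolver answers are passed in as a plain list.

```python
from __future__ import annotations

import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME and JWS use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON (required members only,
    lexicographically sorted, no whitespace) of the ACME account's public key."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, thumbprint: str) -> tuple[str, str]:
    """Return (owner name, TXT value) for a DNS-01 challenge.
    A wildcard identifier is validated at the base name, so '*.' is dropped."""
    name = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{thumbprint}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{name.rstrip('.')}.", value


def record_is_published(expected: str, txt_answers: list[str]) -> bool:
    """True when the expected value is among the TXT strings a resolver returned.
    Several values at _acme-challenge are normal while a wildcard plus base-name
    order is pending (one per authorization), so test membership, not equality."""
    return expected in txt_answers


# Constructed sample values (not a real token or key).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
}

if __name__ == "__main__":
    name, value = dns01_record("*.example.com", SAMPLE_TOKEN, jwk_thumbprint(SAMPLE_JWK))
    print(f"publish: {name} IN TXT \"{value}\"")
    # A real pre-check would query an external resolver for `name` and pass
    # the returned strings here before telling the client to ask for validation.
    print("visible:", record_is_published(value, [value]))
```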
 
but that requires you to manually create the certificate in Certbot CLI iirc, by manually creating a TXT record that it gives you in the process.
Maybe long time ago you did this? Or did I miss something? As far as I know you only need an access token from the registrar.
can also work with autossl.
 