Chanaka Rathnayaka

Security Leader. Cloud Architect. Builder.

Manually generating free SSL certificates with Let’s Encrypt (certbot)

This article explains how to create TLS (SSL) certificates with Let's Encrypt using certbot's manual plugin. The manual plugin is the right tool when certbot's automated web-server plugins (apache, nginx, webroot) are not an option, for example:

  • You have no direct access to the web server that will serve the certificate.
  • The web server is unsupported by certbot or has a custom setup.
  • You need a wildcard certificate, which Let's Encrypt only issues via the DNS-01 challenge.

The commands below request a certificate through certbot's manual plugin with the DNS challenge. Certbot talks to Let's Encrypt by default, so no extra configuration is needed to point it at the CA.

1. Installing Certbot

Certbot is the official Let's Encrypt client. On Ubuntu it was historically installed from the certbot PPA as shown below; note that this PPA has since been deprecated and the official guide now recommends the snap package, so check the guide for your distribution before using these commands:

Terminal
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Up-to-date installation instructions for other operating systems and package managers are in the official certbot guide.

2. Generating a Certificate

On first use, this command prompts for an email address (used for expiry notifications and account recovery) and asks you to accept the Let's Encrypt terms of service. It then prints, for each name given with -d, a TXT record value that you must publish under _acme-challenge.<name> at your DNS provider so that Let's Encrypt can verify control of the domain. Certbot needs to write to /etc/letsencrypt and /var/log/letsencrypt, so run it as root (or override the config, work and log directories).

Terminal
sudo certbot certonly --manual --preferred-challenges=dns --key-size 4096 -d mydomain.com -d www.mydomain.com
# COMMAND BREAKDOWN
# certonly: obtain the certificate only; do not install it into a web server.
# --manual: use the manual plugin, so you satisfy the challenge yourself (no web-server access needed).
# --preferred-challenges=dns: use the DNS-01 challenge (a TXT record) rather than HTTP-01; this is the only challenge that can issue wildcards.
# --key-size 4096: request a 4096-bit RSA key instead of the 2048-bit default. This flag applies to RSA keys; recent certbot releases default to ECDSA keys, so add --key-type rsa if you want to be explicit about the key type.
# -d mydomain.com -d www.mydomain.com: include both the apex domain and the www subdomain in one certificate. Each name produces its own TXT record (here _acme-challenge.mydomain.com and _acme-challenge.www.mydomain.com).
# A wildcard such as '*.mydomain.com' can be given here too. Note that '*.mydomain.com' and 'mydomain.com' validate under the same record name, so both TXT records must exist at once.

3. Verifying the domain ownership

Certbot prints the TXT record (name and value) that you need to add at your DNS provider, then waits for you to press Enter before it asks Let's Encrypt to validate. The following is sample output for one name:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.mydomain.com.
with the following value:
5lBTUVMngGj346hseQgIqAE29JusY76g2moq2gnETVBuw
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Add the record exactly as shown (most DNS providers want the host as _acme-challenge, without the domain suffix, and the value without quotes). Before pressing Enter, confirm the record is visible from a public resolver, for example with `dig +short TXT _acme-challenge.mydomain.com @1.1.1.1`; propagation can take a few minutes, and if Let's Encrypt queries the name before the record is visible the challenge fails, certbot issues new tokens on the next run, and repeated failures count against Let's Encrypt's rate limits. Once every name has been validated, certbot prints the locations where the certificate and key are saved:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mydomain.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mydomain.com/privkey.pem
This certificate expires on 2024-12-19.
These files will be updated when the certificate renews.

Note that Let's Encrypt certificates are valid for only 90 days, and `certbot renew` cannot renew a certificate obtained with the manual plugin unattended, because it has no way to publish the new TXT records. Either rerun the certonly command interactively before expiry (`certbot certificates` lists expiry dates), or provide `--manual-auth-hook` and `--manual-cleanup-hook` scripts that add and remove the TXT record through your DNS provider's API; with those hooks in place, `certbot renew` works non-interactively and can be run from cron or a systemd timer.
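The script below is an added example, not code from the original post. It serves both the verification step above and the renewal note: it maps each name certbot validates to its _acme-challenge record (wildcard and apex share one name), checks from a public resolver that the TXT value is actually visible before the challenge is submitted, and wraps both in the --manual-auth-hook / --manual-cleanup-hook form so `certbot renew` can run unattended. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot really exports to hooks; `publish_txt_record` and `delete_txt_record` are placeholders you must replace with your DNS provider's API client, and `dig` is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): certbot DNS-01 hook script plus a
# propagation check. Usage with certbot (paths are assumptions):
#   sudo certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook "/usr/local/bin/dns-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/bin/dns-hook.sh cleanup" \
#     -d mydomain.com -d '*.mydomain.com'
# The same wait_for_txt function can be run by hand in a second terminal before
# pressing Enter in the interactive flow.

# certbot exports CERTBOT_DOMAIN without a leading "*.", so "*.mydomain.com" and
# "mydomain.com" both validate under _acme-challenge.mydomain.com. When both are
# on one certificate, two TXT records must coexist under that name, so the
# publish step must ADD a record rather than replace the existing one.
acme_record_name() {
  local domain="${1#\*.}"                 # tolerate a wildcard passed by hand
  printf '_acme-challenge.%s\n' "$domain"
}

# Default lookup: one TXT value per line, as printed by dig. Set TXT_LOOKUP to
# another function name to substitute a different resolver client.
dig_txt() {
  dig +short TXT "$1" "@$2"
}

# Exit 0 if EXPECTED is exactly one of the TXT values in ANSWERS. dig prints each
# value quoted; the quotes are stripped and the match is an exact full line, so
# a truncated or prefix-matching token does not pass.
txt_value_present() {
  local expected="$1" answers="$2"
  printf '%s\n' "$answers" | tr -d '"' | grep -qxF -- "$expected"
}

# Poll a public resolver (not your own authoritative server, which sees the
# change immediately) until the record is visible, or give up after ATTEMPTS.
wait_for_txt() {
  local name="$1" expected="$2" resolver="${3:-1.1.1.1}" attempts="${4:-20}"
  local lookup="${TXT_LOOKUP:-dig_txt}" i=1 answers
  while :; do
    answers="$("$lookup" "$name" "$resolver" 2>/dev/null || true)"
    if txt_value_present "$expected" "$answers"; then
      return 0
    fi
    [ "$i" -lt "$attempts" ] || return 1
    i=$((i + 1))
    sleep "${WAIT_SECONDS:-15}"
  done
}

# Hook entry point. certbot runs the auth hook once per name being validated
# and the cleanup hook afterwards, with the same environment variables set.
case "${1:-}" in
  auth)
    name="$(acme_record_name "$CERTBOT_DOMAIN")"
    publish_txt_record "$name" "$CERTBOT_VALIDATION"   # placeholder: your DNS API client
    wait_for_txt "$name" "$CERTBOT_VALIDATION" \
      || { echo "TXT record $name not visible at public resolver" >&2; exit 1; }
    ;;
  cleanup)
    delete_txt_record "$(acme_record_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"   # placeholder
    ;;
esac
```

Failing the auth hook when the record never becomes visible is deliberate: it stops certbot from submitting a challenge that is certain to fail and burning a failed-validation attempt against the rate limits.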

Cheers !!
