
Issue and install a certificate for NGINX using DNS-01

Use the DNS-01 challenge to validate domains and install a certificate on your NGINX web server. This method applies to DV certificates, OV/EV certificates with domains that are not prevalidated in CertCentral, and all wildcard domain certificates.

For OV/EV certificates with prevalidated domains, CertCentral performs domain control validation out-of-band. No challenge options are required. See Configure Certbot for CertCentral.

Notice

  • DNS-01 is the only supported challenge type for wildcard domains. The HTTP-01 challenge does not support wildcard domain validation.

  • These instructions apply to ACME credentials created on or after January 30, 2024. For credentials created before this date, see Use legacy CertCentral ACME credentials.

Install a certificate using DNS-01 for NGINX

  1. Open a terminal session on your NGINX web server.

  2. Copy the following command and enter it at the terminal prompt:

    sudo certbot --authenticator manual --installer nginx \
         --register-unsafely-without-email \
         --eab-kid {MY-KEY-IDENTIFIER} \
         --eab-hmac-key {MY-HMAC-KEY} \
         --server {MY-ACME-URL} \
         --config-dir {MY-CONFIG-DIR} \
         -d {FQDN} \
         --preferred-challenges dns

    The authenticator (manual, for the DNS-01 challenge) and the installer (nginx) are given as separate options. Certbot rejects --nginx combined with --manual, because both flags try to set the authenticator and Certbot reports too many flags setting authenticators.

    Replace the placeholders with the following values:

    Placeholder            Replace with
    {MY-KEY-IDENTIFIER}    The EAB key identifier (KID) from your CertCentral ACME credentials
    {MY-HMAC-KEY}          The EAB HMAC key from your CertCentral ACME credentials
    {MY-ACME-URL}          The ACME directory URL from your CertCentral ACME credentials
    {MY-CONFIG-DIR}        The path to your Certbot configuration files. If omitted, Certbot defaults to /etc/letsencrypt
    {FQDN}                 The fully qualified domain name to secure. Add an additional -d option for each FQDN. The first FQDN specified is used as the common name (CN)

  3. Add the TXT record that Certbot supplies to your DNS configuration for the domain. Certbot provides the record in the following format:

    _acme-challenge.example.com. 300 IN TXT "mJ9ffxp9pX...f0EDcZZ_klG5wWD1"

  4. Return to the terminal and press Enter to complete the validation.

CertCentral validates the domains and issues the certificate. Certbot installs the certificate on your NGINX server.
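Before pressing Enter in step 4, confirm that the TXT record is actually being served, because the challenge fails if CertCentral cannot see it yet. The checker below is an added example, not part of DigiCert's documentation or of Certbot; it queries one nameserver directly over UDP/53 with only the Python standard library (the zone's authoritative server is the right target, assumed here as ns1.example.net) and reports whether the validation token Certbot displayed is present.

```python
import socket
import struct
import sys

def build_query(name: str, txid: int = 0x2A2A) -> bytes:
    """Minimal DNS query (recursion desired) for the TXT records of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN

def _skip_name(buf: bytes, off: int) -> int:
    # Offset just past a domain name; a compression pointer (top two bits set) ends it in 2 bytes.
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)

def parse_txt(resp: bytes) -> list[str]:
    """TXT strings in the answer section; empty if the name has none (or on NXDOMAIN)."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):            # question = name + QTYPE + QCLASS
        off = _skip_name(resp, off) + 4
    found = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 16:                 # TXT: RDATA is one or more <len><chars> strings, concatenated
            rdata, pos, parts = resp[off:off + rdlen], 0, []
            while pos < len(rdata):
                parts.append(rdata[pos + 1:pos + 1 + rdata[pos]].decode("ascii", "replace"))
                pos += 1 + rdata[pos]
            found.append("".join(parts))
        off += rdlen
    return found

def txt_records(name: str, nameserver_ip: str, timeout: float = 3.0) -> list[str]:
    """Ask one nameserver directly over UDP/53 so resolver caches cannot mask a missing record."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (nameserver_ip, 53))
        return parse_txt(sock.recvfrom(4096)[0])

if __name__ == "__main__":  # usage: check_acme_txt.py example.com <token-from-certbot> ns1.example.net
    domain, token, ns_host = sys.argv[1:4]  # ns1.example.net is an assumed placeholder nameserver
    name = f"_acme-challenge.{domain}"
    live = token in txt_records(name, socket.gethostbyname(ns_host))
    print(f"{name} TXT {'is live' if live else 'is NOT visible'} on {ns_host}")
    sys.exit(0 if live else 1)
```

Run it once per nameserver listed for the zone; a non-zero exit means the record is not visible there yet, so wait and retry before returning to Certbot.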

Notice

The command above runs in manual mode, which requires you to add the DNS TXT record yourself. To automate the DNS-01 challenge:

  • Check whether your DNS provider offers an API for creating TXT records automatically.

  • Check whether your DNS provider supports Certbot plugins. Certbot has plugins for many widely used providers, such as DNS Made Easy.

  • Create a custom script to update DNS records programmatically.

What's next

Use legacy CertCentral ACME credentials: manage certificates using ACME credentials created before January 30, 2024.