Certbot: Issue and install certificate for NGINX using DNS-01 domain validation
Before you begin
To install the certificate, ensure you have the following ACME details:
ACME directory URL:
For CertCentral accounts, use the region-specific URL (See Inbound IP addresses and URLs by environment and region).
Base URL:https://one.digicert.com/mpki/api/v1/acme/v2/directory>.
Region-specific URLs:
EU region: https://one.nl.digicert.comorhttps://one.ch.digicert.comJapan region: https://one.digicert.co.jpUS region: https://one.us.digicert.comThe external account binding (EAB) credentials from DigiCert:
The EAB key identifier (KID). For CertCentral. accounts, use ACME credentialsi.
Sample KID:zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g
The external account binding HMAC key from your ACME credentials.
Sample HMAC: RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnR
Issue and install the certificate using DNS-01 method
Copy the following command to the command-line prompt:
sudo certbot --nginx --register-unsafely-without-email --eab-kid {MY-KEY-IDENTIFIER} --eab-hmac-key {MY-HMAC-KEY} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} -d {FQDN} --manual --preferred-challenges dnsTo request DNS-01 validation, use
--preferred-challenges dnsoption.This applies to DV certificates and OV/EV certificates that are not prevalidated.
To manually add a DNS record to your domain, use the
--manualoption to complete the validation challenge.When run in manual mode, the command is interactive: Certbot provides the DNS validation parameters to decide how the validation gets carried out. For example:
To complete the process, run the command.
What's next
The certificate is validated, issued, and installed successfully.
The domains are validated, and the certificate is issued and installed on your NGINX server.
To renew, reissue, or duplicate the certificate, see Certbot: Renew, reissue, or duplicate certificate using ACME URL query parameters