Certbot: Issue and install certificate for NGINX using DNS-01 domain validation

Command syntax

At the command-line prompt, use the following command syntax to issue and install a public DV, OV, or EV certificate for the NGINX web server, using the DNS-01 method for domain control validation:

sudo certbot --nginx --register-unsafely-without-email --eab-kid {MY-KEY-IDENTIFIER} --eab-hmac-key {MY-HMAC-KEY} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} -d {FQDN} --manual --preferred-challenges dns

Fill in values for the command arguments shown in curly braces, as described below:

Command argument: Description

{MY-KEY-IDENTIFIER}
    The EAB key identifier (KID). For CertCentral accounts, use ACME credentials.

{MY-HMAC-KEY}
    Use the EAB HMAC key.

{ACME-URL}
    For CertCentral accounts, use https://one.digicert.com/mpki/api/v1/acme/v2/directory

{MY-CONFIG-DIR}
    Use the local path to Certbot configuration files for the current application.

{FQDN}
    Use the fully qualified domain name (FQDN) to secure the certificate.

Example command:

sudo certbot --nginx --register-unsafely-without-email --eab-kid zcskpf8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key DDDraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server https://one.digicert.com/mpki/api/v1/acme/v2/directory --config-dir /usr/local/certbot/my_public_webserver_config/ -d example.com -d www.example.com --manual --preferred-challenges dns

Usage notes

  • For OV/EV certificates, if the domain is prevalidated in CertCentral, then CertCentral validates the domain itself, out-of-band and independent of the ACME protocol.

  • For DV certificates, and for OV/EV certificates that are not prevalidated, the --preferred-challenges option specifies the preferred form of ACME-based domain validation. Enter dns here to request DNS-01 validation.

  • The --manual option means you will manually add a DNS record to your domain to complete the validation challenge.

  • This command runs interactively. Certbot supplies the required DNS validation parameters, which must be added as a TXT DNS record. For example:

    _acme-challenge.example.com. 300 IN TXT "mJ9ffxp9pX...f0EDcZZ_klG5wWD1"

  • After the TXT DNS record is in place, the command completes, and the certificate is validated, issued, and installed.

  • Default order: If the requested certificate matches an existing order, CertCentral applies the default automation action. See ACME automation actions.
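The step above where Certbot pauses until the TXT record "is in place" is where DNS-01 runs most often fail: the record has been saved at the DNS provider but has not yet propagated to the resolvers the ACME server will use, so validation fails and the order has to be retried. The script below is an added example, not part of the DigiCert page or of Certbot itself; it polls public resolvers from a second terminal until every one of them returns the exact value Certbot printed, so you only press Enter once the record is really visible. It assumes `dig` (package dnsutils or bind-utils) is installed, and RESOLVERS, MAX_TRIES and INTERVAL are assumed environment variables with the defaults shown; the domain and token values in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the DigiCert page or from Certbot.
# Run this while Certbot waits at its "Press Enter to Continue" prompt, after
# you have created the _acme-challenge TXT record at your DNS provider.
# Assumes `dig` is installed. RESOLVERS, MAX_TRIES and INTERVAL are assumed
# knobs with the defaults below.

RESOLVERS=${RESOLVERS:-"1.1.1.1 8.8.8.8"}
MAX_TRIES=${MAX_TRIES:-30}
INTERVAL=${INTERVAL:-10}

# txt_value_matches DIG_OUTPUT EXPECTED
# `dig +short TXT` prints one double-quoted string per line. Return 0 only if
# some line is exactly "EXPECTED": a whole-line, fixed-string match, so a stale
# record from an earlier run that merely contains the token does not count.
# ACME DNS-01 values are 43-character base64url strings, well under the
# 255-byte point at which dig would split one record into several strings.
txt_value_matches() {
    printf '%s\n' "$1" | grep -Fxq "\"$2\""
}

# query_txt DOMAIN RESOLVER
# Fetch the TXT rdata for _acme-challenge.DOMAIN from one specific resolver.
query_txt() {
    dig +short TXT "_acme-challenge.$1" "@$2" 2>/dev/null
}

# wait_for_txt DOMAIN EXPECTED
# Poll every resolver in RESOLVERS until all of them return EXPECTED, or give
# up after MAX_TRIES rounds INTERVAL seconds apart. Exit status 0 means the
# record is visible everywhere checked; 1 means do not let Certbot continue yet.
wait_for_txt() {
    domain=$1
    expected=$2
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        all_ok=1
        for resolver in $RESOLVERS; do
            if txt_value_matches "$(query_txt "$domain" "$resolver")" "$expected"; then
                echo "ok      $resolver  _acme-challenge.$domain"
            else
                echo "waiting $resolver  _acme-challenge.$domain"
                all_ok=0
            fi
        done
        [ "$all_ok" -eq 1 ] && return 0
        tries=$((tries + 1))
        sleep "$INTERVAL"
    done
    echo "gave up after $MAX_TRIES rounds; record not visible on all resolvers" >&2
    return 1
}

# Usage (placeholder values): sh check_acme_txt.sh example.com <value Certbot printed>
if [ "$#" -eq 2 ]; then
    wait_for_txt "$1" "$2"
fi
```

The exact-match check matters because a previous run of the same command leaves its own `_acme-challenge` TXT record behind unless you delete it; if both the old and the new value are published, the ACME server accepts the order as long as one record matches, but if only the old one has propagated so far, validation fails. Querying more than one public resolver catches the case where your own recursive resolver already has the answer cached while the rest of the Internet does not.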