Skip to main content

Certbot: Issue and install certificate for NGINX using DNS-01 domain validation

Command syntax

At the command-line prompt, use the below command syntax to issue and install a public DV, OV, or EV certificate for the Apache web server, using the DNS-01 method for domain control validation:

sudo certbot --nginx --register-unsafely-without-email --eab-kid {MY-KEY-IDENTIFIER} --eab-hmac-key {MY-HMAC-KEY} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} -d {FQDN} --manual --preferred-challenges dns

Fill in values for the command arguments shown in curly braces, as described below:

Command argument

Description

{MY-KEY-IDENTIFIER}

The external account binding key identifier (KID) from your ACME credentials in CertCentral.

{MY-HMAC-KEY}

The external account binding HMAC key from your ACME credentials.

{ACME-URL}

The ACME URL associated with your ACME credentials in CertCentral.

{MY-CONFIG-DIR}

The local directory path that stores your Certbot configuration files for the current application. The configuration files here control how and where Certbot installs the certificates it downloads. If you omit the --config-dir option, Certbot will check in the /etc/letsencrypt directory by default.

{FQDN}

The fully qualified domain name you want the certificate to secure. For each FQDN, add an additional -d option. The first one you specify is used as the common name (CN).

Example command:

sudo certbot --nginx --register-unsafely-without-email --eab-kid zcskpf8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key DDDraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server https://one.digicert.com/mpki/api/v1/acme/v2/directory --config-dir /usr/local/certbot/my_public_webserver_config/ -d example.com -d www.example.com --manual --preferred-challenges dns

Usage notes

  • For OV/EV certificates, if the domain is prevalidated in CertCentral, then CertCentral validates the domain itself, out-of-band and independent of the ACME protocol.

  • For DV certificates, and for OV/EV certificates that are not prevalidated, the --preferred-challenges option specifies the preferred form of ACME-based domain validation. Enter dns here to request DNS-01 validation.

  • The --manual option means you will manually add a DNS record to your domain to complete the validation challenge.

  • This command runs interactively. Certbot supplies the required DNS validation parameters, which must be added as a TXT DNS record. For example:

    _acme-challenge.example.com. 300 IN TXT "mJ9ffxp9pX...f0EDcZZ_klG5wWD1"

  • After the TXT DNS record is in place, the command completes, and the certificate is validated, issued, and installed.

  • If the requested certificate matches an existing order, CertCentral applies the default automation action for that order (see ACME automation actions). If there is no matching order, or if the ACME URL includes ?action=enroll, CertCentral treats it as a new order and enrolls the new certificate for you.

In this section: