Certbot: Issue and install public trust certificate for NGINX using DNS-01 domain validation
Before you begin
To install the certificate, ensure you have the following ACME details:
ACME directory URL:
For hosted Trust Lifecycle Manager accounts, use the region-specific URL (See Inbound IP addresses and URLs by environment and region).
Base URL:https://one.digicert.com/mpki/api/v1/acme/v2/directory>.
Region-specific URLs:
EU region: https://one.nl.digicert.comorhttps://one.ch.digicert.comJapan region: https://one.digicert.co.jpUS region: https://one.us.digicert.comThe external account binding (EAB) credentials from DigiCert:
The EAB key identifier (KID). For DigiCert® Trust Lifecycle Manager. accounts, use certificate profile.
Sample KID:zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g
The external account binding HMAC key of the certificate profile .
Sample HMAC: RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnR
Issue and install the certificate using DNS-01 method
Copy the following command to the command-line prompt:
sudo certbot --nginx --register-unsafely-without-email --eab-kid {MY-KEY-IDENTIFIER} --eab-hmac-key {MY-HMAC-KEY} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} -d {FQDN} --manual --preferred-challenges dnsTo request DNS-01 validation, use
--preferred-challenges dnsoption.To manually add a DNS record to your domain, use the
--manualoption to complete the validation challenge.When run in manual mode, the command is interactive: Certbot provides the DNS validation parameters to decide how the validation gets carried out. For example:
To complete the process, run the command.
What's next
The certificate is validated, issued, and installed successfully.
The domains are validated, and the certificate is issued and installed on your NGINX server.
To renew, reissue, or duplicate the certificate, see Certbot: Renew, reissue, or duplicate certificate using ACME URL query parameters