Certbot: Issue and install public trust certificate for NGINX using DNS-01 domain validation
Command syntax
At the command-line prompt, use the following command syntax to issue and install a public DV, OV, or EV certificate for the NGINX web server, using the DNS-01 method for domain control validation:
sudo certbot --nginx --register-unsafely-without-email --eab-kid {MY-KEY-IDENTIFIER} --eab-hmac-key {MY-HMAC-KEY} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} -d {FQDN} --manual --preferred-challenges dns
Fill in values for the command arguments shown in curly braces, as described below:
| Command argument | Description |
|---|---|
| {MY-KEY-IDENTIFIER} | The EAB key identifier (KID). For DigiCert® Trust Lifecycle Manager accounts, use the value from the certificate profile. |
| {MY-HMAC-KEY} | The EAB HMAC key. |
| {ACME-URL} | For hosted DigiCert® ONE accounts, use https://one.digicert.com/mpki/api/v1/acme/v2/directory |
| {MY-CONFIG-DIR} | Local path to Certbot configuration files for the current application. These files control how and where Certbot installs certificates. If |
| {FQDN} | The fully qualified domain name (FQDN) to secure with the certificate. Use -d for each domain; the first entry becomes the common name (CN). |
Example command:
sudo certbot --nginx --register-unsafely-without-email --eab-kid zcskpf8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key DDDraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server https://one.digicert.com/mpki/api/v1/acme/v2/directory --config-dir /usr/local/certbot/my_public_webserver_config/ -d example.com -d www.example.com --manual --preferred-challenges dns
Usage notes
For a third-party ACME client like Certbot, the requested certificate profile in DigiCert® Trust Lifecycle Manager must be based on the CertCentral Public Server Certificate or Let's Encrypt Public Server Certificate template.
The --preferred-challenges option specifies the preferred form of domain validation. Enter dns here to request DNS-01 validation.
The --manual option means you will manually add a DNS record to your domain to complete the validation challenge.
This command runs interactively. Certbot supplies the required DNS validation parameters, which must be added as a TXT DNS record. For example:
After the TXT DNS record is in place, the command completes, and the certificate is validated, issued, and installed.
Default order: If the requested certificate matches an existing order, DigiCert® Trust Lifecycle Manager applies the default automation action. See ACME automation actions.