Certbot: Issue and install public trust certificate for NGINX using DNS-01 domain validation
Command syntax
At the command-line prompt, use the following command syntax to issue and install a public DV, OV, or EV certificate for the NGINX web server, using the DNS-01 method for domain control validation:
sudo certbot --nginx --register-unsafely-without-email --eab-kid {MY-KEY-IDENTIFIER} --eab-hmac-key {MY-HMAC-KEY} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} -d {FQDN} --manual --preferred-challenges dns
Fill in values for the command arguments shown in curly braces, as described below:
Command argument | Description
---|---
{MY-KEY-IDENTIFIER} | The external account binding key identifier (KID) of the desired certificate profile in DigiCert® Trust Lifecycle Manager.
{MY-HMAC-KEY} | The external account binding HMAC key of the certificate profile.
{ACME-URL} | The ACME Directory URL. For hosted DigiCert® ONE accounts, use https://one.digicert.com/mpki/api/v1/acme/v2/directory
{MY-CONFIG-DIR} | The local directory path that stores your Certbot configuration files for the current application. The configuration files here control how and where Certbot installs the certificates it downloads. If you omit the
{FQDN} | The fully qualified domain name you want the certificate to secure. For each FQDN, add an additional
Example command:
sudo certbot --nginx --register-unsafely-without-email --eab-kid zcskpf8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key DDDraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server https://one.digicert.com/mpki/api/v1/acme/v2/directory --config-dir /usr/local/certbot/my_public_webserver_config/ -d example.com -d www.example.com --manual --preferred-challenges dns
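The --eab-kid and --eab-hmac-key values bind the ACME account Certbot creates to your Trust Lifecycle Manager certificate profile. The block below is an added example (not DigiCert's or Certbot's own code) showing what the client does with those two values under the hood: it builds the externalAccountBinding JWS defined in RFC 8739 that accompanies the newAccount request, and shows the matching check a CA performs. The KID, HMAC key, newAccount URL and account JWK are all constructed placeholders, not values from any real account.

```python
"""Added example: building and verifying an ACME externalAccountBinding (RFC 8739).

Certbot's --eab-kid / --eab-hmac-key options feed exactly this construction:
a JWS over the account's public key, MAC'd with the profile's HMAC key.
All identifiers below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical_json(obj: dict) -> bytes:
    """Compact JSON so both sides MAC the same bytes."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def build_eab(kid: str, hmac_key_b64url: str, new_account_url: str, account_jwk: dict) -> dict:
    """Client side: return the externalAccountBinding object for a newAccount request.

    Protected header carries alg=HS256, the CA-issued KID and the newAccount URL;
    the payload is the ACME account's public key (a JWK); the MAC key is the
    base64url-decoded HMAC key the CA handed out with the KID.
    """
    protected_b64 = b64url(_canonical_json({"alg": "HS256", "kid": kid, "url": new_account_url}))
    payload_b64 = b64url(_canonical_json(account_jwk))
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def protected_header(eab: dict) -> dict:
    """Decode the protected header of an EAB object."""
    return json.loads(b64url_decode(eab["protected"]))


def verify_eab(eab: dict, hmac_key_b64url: str, expected_kid: str, expected_url: str) -> bool:
    """CA side: recompute the MAC in constant time, then validate the header fields.

    Any mismatch (wrong key, tampered payload, KID bound to another profile,
    wrong newAccount URL) rejects the binding.
    """
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected_mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, b64url_decode(eab["signature"])):
        return False
    header = protected_header(eab)
    return header.get("alg") == "HS256" and header.get("kid") == expected_kid and header.get("url") == expected_url


# Constructed sample values (placeholders, not credentials from any CA).
KID = "constructed-kid-0001"
HMAC_KEY_B64URL = b64url(b"constructed-hmac-secret-not-from-any-ca")
NEW_ACCOUNT_URL = "https://acme.example.test/new-account"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}


def demo() -> dict:
    """Build the binding the client would send for the constructed account."""
    return build_eab(KID, HMAC_KEY_B64URL, NEW_ACCOUNT_URL, ACCOUNT_JWK)


if __name__ == "__main__":
    eab = demo()
    print(json.dumps(eab, indent=2))
    print("verifies:", verify_eab(eab, HMAC_KEY_B64URL, KID, NEW_ACCOUNT_URL))
```

Because the HMAC key is the only secret in this exchange, anyone who obtains it together with the KID can register ACME accounts against that certificate profile; treat the pair like an API credential and rotate the profile's key if it is exposed.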
Usage notes
To issue a public trust certificate using a third-party ACME client like Certbot, the requested certificate profile in DigiCert® Trust Lifecycle Manager must be based on the CertCentral Public Server Certificate or Let's Encrypt Public Server Certificate template.
The --preferred-challenges option specifies the preferred form of domain validation. Enter dns here to request DNS-01 validation. The --manual option means you will manually add a DNS record to your domain to complete the validation challenge.
This command runs interactively. Certbot supplies the required DNS validation parameters, which must be added as a TXT DNS record. For example:
After the TXT DNS record is in place, the command completes, and the certificate is validated, issued, and installed.
If the requested certificate matches an existing order, DigiCert® Trust Lifecycle Manager applies the default automation action for that order (see ACME automation actions). If there is no matching order, or if the ACME URL includes ?action=enroll, Trust Lifecycle Manager treats it as a new order and enrolls the new certificate for you.