===== DigitalOcean DNS-01 challenge =====

Brief notes on how to set up a Let's Encrypt certbot using DigitalOcean as the DNS provider. With the DNS-01 challenge, control of the domain is proven by publishing a TXT record, so the server never has to be reachable on port 80/443; certbot uses the DigitalOcean API to create the record and remove it again after validation.

==== Configure DNS at domain registrar ====

  * At the domain name registrar, configure the domain to use DigitalOcean's nameservers (ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com).
  * Example: at GoDaddy this setting is called **use custom name servers**.
  * The domain must also be added to DigitalOcean's DNS (**Networking → Domains** in the control panel); otherwise the API has no zone to write the challenge record into.

==== Create an API Token ====

  * Log in to https://cloud.digitalocean.com/ (register an account first if you do not have one) and keep any credentials in a safe place.
  * Click **API** in the navigation menu, then **Tokens → Generate New Token**.
  * Give the token a descriptive name (for example the host and purpose, such as ''certbot dns-01 on web1''), so you can identify and revoke it if necessary.
  * Select the desired expiration. **No expiration** avoids rotation overhead, but a token that never expires and can rewrite your DNS is a standing risk: prefer an expiry you can live with, note the renewal date, and in any case revoke the token when the host is rebuilt, decommissioned or compromised.
  * Select **Custom scopes** to narrow down what the token can do with the API, and grant access only to the **Domain** resource: certbot creates one TXT record for the challenge and deletes it afterwards, so it needs to read and write domain records and nothing else.
  * Click **Generate Token**.
  * Copy the token string and keep it in a very safe place. It is shown only once; you will not be able to view it again.
  * Anyone who obtains this token can modify your DNS records, and with that can pass DNS-01 challenges and obtain certificates for your names themselves.

==== Setup the certbot ====

=== Install certbot ===

  * The server needs outbound HTTPS access to the Let's Encrypt ACME API and to the DigitalOcean API (api.digitalocean.com); inbound access on 80/443 is not required for DNS-01.
  * Install the snap version of certbot and allow it to load plugins:

<code bash>
sudo snap install --classic certbot
sudo snap set certbot trust-plugin-with-root=ok
</code>

=== Install DigitalOcean plugin ===

  * Install the DigitalOcean DNS plugin:

<code bash>
sudo snap install certbot-dns-digitalocean
</code>

=== Create credentials file ===

  * Create the file:

<code bash>
sudo nano /etc/letsencrypt/digitalocean.ini
</code>

  * Paste this line (replace the placeholder with your API token):

<code ini>
dns_digitalocean_token = PASTE_TOKEN_HERE
</code>

  * In nano: use **Ctrl+O** to write, then **Ctrl+X** to exit.
=== Secure credentials file ===

  * The token is as sensitive as a DNS admin password, and certbot warns about a credentials file that other users can read, so make the file root-only:

<code bash>
sudo chown root:root /etc/letsencrypt/digitalocean.ini
sudo chmod 600 /etc/letsencrypt/digitalocean.ini
</code>

==== Activate certbot ====

=== Request certificate ===

  * Replace //example.com// and //int.example.com// (add/remove domains as needed); every name must be in a zone hosted by DigitalOcean.
  * Wildcards are supported, e.g. ''*.example.com'' (Let's Encrypt issues wildcards only via DNS-01).
  * Use the domain owner's email.

<code bash>
sudo certbot certonly --dns-digitalocean \
  --dns-digitalocean-credentials /etc/letsencrypt/digitalocean.ini \
  -d example.com -d int.example.com \
  --agree-tos --email you@example.com --non-interactive
</code>

  * If validation fails because the TXT record is not visible yet, increase the plugin's propagation wait (''--dns-digitalocean-propagation-seconds'', default 10).

=== Test renewal ===

  * Test renewal with a dry run. It talks to the Let's Encrypt staging environment, so it does not count against production rate limits:

<code bash>
sudo certbot renew --dry-run
</code>

  * Avoid renewing without ''--dry-run'' while experimenting: Let's Encrypt limits duplicate certificates (the same set of names) to 5 per week.
  * The certbot snap installs a systemd timer that runs ''certbot renew'' automatically, so no cron job is needed.

=== Reload nginx ===

  * If the request succeeded, check the nginx config and reload so the new certificate is served:

<code bash>
sudo nginx -t && sudo systemctl reload nginx
</code>

  * ''certbot renew'' does not reload nginx by itself. Put the same command in an executable script under ''/etc/letsencrypt/renewal-hooks/deploy/'' so it runs after every successful renewal.
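The credentials-file and nginx-reload steps above as one script. This is an added example for these notes, not DigitalOcean's or certbot's own tooling. It assumes the token is handed over in the ''DO_TOKEN'' environment variable (so it never appears on a command line, in shell history or in a world-readable file), writes the ini file atomically with mode 0600, verifies the result the way certbot will see it, and installs a deploy hook for the reload. The ''dop_v1_'' prefix check reflects the current DigitalOcean token format as far as I know it and is an assumption; the file paths are the ones used in the notes. Nothing touches ''/etc/letsencrypt'' unless ''DO_CERTBOT_APPLY=1'' is set.

```shell
#!/bin/sh
# Added example: secure creation of the certbot DigitalOcean credentials file
# plus an nginx deploy hook. Not DigitalOcean's or certbot's own code.

# Write "dns_digitalocean_token = <token>" to $1 with mode 0600.
# The token is read from $DO_TOKEN (assumption: the caller exports it) so it
# is never typed on a command line or left in shell history.
write_do_credentials() {
    file=$1
    token=${DO_TOKEN:-}
    if [ -z "$token" ]; then
        echo "DO_TOKEN is not set" >&2
        return 1
    fi
    case "$token" in
        *[[:space:]]*) echo "DO_TOKEN contains whitespace; paste error?" >&2; return 1 ;;
        dop_v1_*) ;;   # assumed current DigitalOcean token prefix
        *) echo "warning: token does not start with dop_v1_" >&2 ;;
    esac
    dir=$(dirname "$file")
    # mktemp creates the file with mode 0600; umask 077 covers the write too.
    tmp=$(umask 077 && mktemp "$dir/.digitalocean.XXXXXX") || return 1
    printf 'dns_digitalocean_token = %s\n' "$token" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"
    # Only root can chown; on a real host the file should be root-owned.
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$tmp"; fi
    mv -f "$tmp" "$file"      # atomic replace: no window with a half-written file
}

# Verify the file certbot will read: it exists, its mode is exactly
# rw-------, and it holds exactly one non-empty token line. Returns 1 on any failure.
check_credentials_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "unsafe permissions $mode on $f (want -rw-------)" >&2
        return 1
    fi
    n=$(grep -Ec '^dns_digitalocean_token *= *[^[:space:]]+$' "$f")
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one dns_digitalocean_token line in $f, found $n" >&2
        return 1
    fi
}

# Install a certbot deploy hook so nginx picks up renewed certificates.
# certbot runs every executable in this directory after a successful renewal.
install_reload_hook() {
    dir=$1
    hook="$dir/reload-nginx"
    mkdir -p "$dir" || return 1
    cat > "$hook" <<'EOF'
#!/bin/sh
# certbot deploy hook: reload nginx only if its configuration still validates
nginx -t && systemctl reload nginx
EOF
    chmod 755 "$hook"
}

# Real run only when explicitly requested (paths assumed from the notes above).
if [ "${DO_CERTBOT_APPLY:-0}" = "1" ]; then
    write_do_credentials /etc/letsencrypt/digitalocean.ini || exit 1
    check_credentials_file /etc/letsencrypt/digitalocean.ini || exit 1
    install_reload_hook /etc/letsencrypt/renewal-hooks/deploy || exit 1
    echo "credentials and deploy hook in place; next: certbot certonly ..., then certbot renew --dry-run"
fi
```

Usage on the host: ''sudo env DO_TOKEN=... DO_CERTBOT_APPLY=1 sh do-certbot-setup.sh'' (read the token from a password manager rather than typing it, or the ''env'' line itself ends up in history). The check function deliberately fails on anything other than ''-rw-------'', including group-readable files, because the only process that needs the token is certbot running as root.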