blocks:server:nginx:digital_ocean_dns01

Digital Ocean DNS-01 challange

Digital Ocean DNS-01 challange

Brief notes on how to setup a lets encrypt cert bot using digital oscean as dns provider.

Configure DNS at domain registrar

At the domain name registrar, configure the domain to use Digital Ocean's nameservers.
- Example: at GoDaddy this setting is called use custom name servers.

Create an API Token

Login to https://cloud.digitalocean.com/
- Register an account unless you already have one.
- Keep any credentials in a safe place.
Click on API in the navigation menu.
Select Token → Generate new token.
- Give the token a descriptive name, so you can identify and revoke it if necessary.
- Select the desired expiration.
  - Suggestion: use No expiration to avoid maintenance overhead.
- Select Custom scopes to narrow down what the token can do with the API.
- Select the Domain resource type, so the token can only modify domain records.
Click Generate Token.
Copy the token string and keep it in a very safe place.
- You will not be able to view it again.
- If this token becomes public, someone could modify your DNS records.

Setup the certbot

Install certbot

Make sure your server has internet access (required for DNS-01 challenge).
Ensure the snap version of certbot is installed and configured:

    sudo snap install --classic certbot
    sudo snap set certbot trust-plugin-with-root=ok

Install Digital Ocean Plugin

Install the Digital Ocean plugin:

    sudo snap install certbot-dns-digitalocean

Create credentials file

Create the file:

    sudo nano /etc/letsencrypt/digitalocean.ini

Paste this line (replace with your security token):

    dns_digitalocean_token = PASTE_TOKEN_HERE

In nano: use Ctrl+O to write, then Ctrl+X to exit.

Secure credentials file

Change ownership of the file:

    sudo chown root:root /etc/letsencrypt/digitalocean.ini

Restrict permissions:

    sudo chmod 600 /etc/letsencrypt/digitalocean.ini

Activate certbot

Request certificate

Replace example.com and int.example.com (add/remove domains as needed).
- Wildcards are supported, e.g. `*.example.com`.
- Use the domain owner's email.

    sudo certbot certonly --dns-digitalocean \
      --dns-digitalocean-credentials /etc/letsencrypt/digitalocean.ini \
      -d example.com -d int.example.com \
      --agree-tos --email you@example.com --non-interactive

Test renewal

Test renewal with a dry run:

    sudo certbot renew --dry-run

Avoid renewing certificates without the dry run flag as Let's encrypt has a cap of renewals/day.

Reload nginx

If successful, check nginx config and reload:

    sudo nginx -t && sudo systemctl reload nginx

Table of Contents

Digital Ocean DNS-01 challange

Configure DNS at domain registrar

Create an API Token

Setup the certbot

Install certbot

Install Digital Ocean Plugin

Create credentials file

Secure credentials file

Activate certbot

Request certificate

Test renewal

Reload nginx