Digital Ocean DNS-01 challenge

Brief notes on how to set up a Let's Encrypt certbot using Digital Ocean as the DNS provider.

Configure DNS at domain registrar

  • At the domain name registrar, configure the domain to use Digital Ocean's nameservers.
    • Example: at GoDaddy this setting is called use custom name servers.

Create an API Token

  • Register an account unless you already have one.
    • Keep any credentials in a safe place.
  • Click on API in the navigation menu.
  • Select Token → Generate new token.
    • Give the token a descriptive name, so you can identify and revoke it if necessary.
    • Select the desired expiration.
      • Suggestion: use No expiration to avoid maintenance overhead.
    • Select Custom scopes to narrow down what the token can do with the API.
    • Select the Domain resource type, so the token can only modify domain records.
  • Click Generate Token.
  • Copy the token string and keep it in a very safe place.
    • You will not be able to view it again.
    • If this token becomes public, someone could modify your DNS records.

Set up certbot

Install certbot

  • Make sure your server has internet access (required for the DNS-01 challenge).
  • Ensure the snap version of certbot is installed and configured:
    sudo snap install --classic certbot
    sudo snap set certbot trust-plugin-with-root=ok

Install Digital Ocean Plugin

  • Install the Digital Ocean plugin:
    sudo snap install certbot-dns-digitalocean

Create credentials file

  • Create the file:
    sudo nano /etc/letsencrypt/digitalocean.ini
  • Paste this line (replace the placeholder with your API token):
    dns_digitalocean_token = PASTE_TOKEN_HERE
  • In nano: use Ctrl+O to write, then Ctrl+X to exit.

Secure credentials file

  • Change ownership of the file:
    sudo chown root:root /etc/letsencrypt/digitalocean.ini
  • Restrict permissions:
    sudo chmod 600 /etc/letsencrypt/digitalocean.ini
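Before running certbot, it is worth confirming that the credentials file created and locked down in the two steps above actually ends up in the expected state: owned by the right account, mode 600, and carrying a real token rather than the placeholder. The following pre-flight check is an added example written for these notes, not part of certbot or the Digital Ocean plugin; it assumes GNU coreutils `stat` (Linux) and treats `root` as the expected owner, matching the `chown` above, with the owner overridable for testing on a non-root file.

```shell
#!/bin/sh
# Pre-flight check for the certbot Digital Ocean credentials file.
# Added example (not from the original notes). Assumes GNU coreutils `stat`
# (Linux); the expected owner defaults to root, which is what the notes set.

check_creds_file() {
    file="$1"
    expected_owner="${2:-root}"
    ok=0

    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi

    # Ownership: only the expected account (root for the real file) should own it.
    owner=$(stat -c '%U' "$file")
    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: owner is $owner, expected $expected_owner"
        ok=1
    fi

    # Permissions: chmod 600 means no group or world access to the token.
    mode=$(stat -c '%a' "$file")
    if [ "$mode" != "600" ]; then
        echo "FAIL: mode is $mode, expected 600"
        ok=1
    fi

    # Content: the plugin expects exactly this key; the value must not be the placeholder.
    token=$(sed -n 's/^dns_digitalocean_token[[:space:]]*=[[:space:]]*//p' "$file" | tail -n 1)
    if [ -z "$token" ]; then
        echo "FAIL: no dns_digitalocean_token line found"
        ok=1
    elif [ "$token" = "PASTE_TOKEN_HERE" ]; then
        echo "FAIL: token is still the placeholder"
        ok=1
    fi

    [ "$ok" -eq 0 ] && echo "OK: $file looks ready for certbot"
    return "$ok"
}

# Stand-alone demo on a constructed temp file with a made-up token value;
# the real file lives at /etc/letsencrypt/digitalocean.ini and is checked as root.
demo_check() {
    tmp=$(mktemp)
    printf 'dns_digitalocean_token = constructed_example_token_0123\n' > "$tmp"
    chmod 600 "$tmp"
    check_creds_file "$tmp" "$(id -un)"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
demo_check
```

On the real server, run it as root against the actual file before the `certbot certonly` step, for example `sudo sh -c '. ./check_creds.sh; check_creds_file /etc/letsencrypt/digitalocean.ini'`; a non-zero exit means one of the three properties (owner, mode, token) is wrong and the reported line says which.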

Activate certbot

Request certificate

  • Replace example.com and int.example.com with your own domains (add or remove -d entries as needed).
    • Wildcards are supported, e.g. `*.example.com`.
    • Use the domain owner's email address.
    sudo certbot certonly --dns-digitalocean \
      --dns-digitalocean-credentials /etc/letsencrypt/digitalocean.ini \
      -d example.com -d int.example.com \
      --agree-tos --email you@example.com --non-interactive

Test renewal

  • Test renewal with a dry run:
    sudo certbot renew --dry-run

Avoid running renewals without the dry-run flag while testing, as Let's Encrypt caps the number of renewals per day.

Reload nginx

  • If the dry run succeeds, check the nginx config and reload:
    sudo nginx -t && sudo systemctl reload nginx