Differences

blocks:server:nginx:digital_ocean_dns01_challenge [2025-09-17 06:09] – removed - external edit (Unknown date) 127.0.0.1blocks:server:nginx:digital_ocean_dns01_challenge [2025-09-17 06:09] (current) – ↷ Page name changed from blocks:server:nginx:dns01_challange to blocks:server:nginx:digital_ocean_dns01_challenge mattias
Line 1: Line 1:
 +=====Digital Ocean DNS-01 challange=====
 +
 +Brief notes on how to setup a lets encrypt cert bot using digital oscean as dns provider.
 +
 +==== Configure DNS at domain registrar ====
 +  * At the domain name registrar, configure the domain to use Digital Ocean's nameservers.  
 +    * Example: at GoDaddy this setting is called **use custom name servers**.
 +
 +==== Create an API Token ====
 +  * Login to https://cloud.digitalocean.com/  
 +    * Register an account unless you already have one.  
 +    * Keep any credentials in a safe place.
 +  * Click on **API** in the navigation menu.
 +  * Select **Token → Generate new token**.
 +    * Give the token a descriptive name, so you can identify and revoke it if necessary.
 +    * Select the desired expiration.  
 +      * Suggestion: use **No expiration** to avoid maintenance overhead.
 +    * Select **Custom scopes** to narrow down what the token can do with the API.
 +    * Select the **Domain** resource type, so the token can only modify domain records.
 +  * Click **Generate Token**.
 +  * Copy the token string and keep it in a very safe place.  
 +    * You will not be able to view it again.  
 +    * If this token becomes public, someone could modify your DNS records.
 +
 +
 +==== Setup the certbot ====
 +
 +=== Install certbot ===
 +  * Make sure your server has internet access (required for DNS-01 challenge).
 +  * Ensure the snap version of certbot is installed and configured:
 +
 +<code>
 +    sudo snap install --classic certbot
 +    sudo snap set certbot trust-plugin-with-root=ok
 +</code>
 +
 +=== Install Digital Ocean Plugin ===
 +  * Install the Digital Ocean plugin:
 +
 +<code>
 +    sudo snap install certbot-dns-digitalocean
 +</code>
 +
 +
 +
 +
 +====Create credentials file ===
 +  * Create the file:
 +
 +<code>
 +    sudo nano /etc/letsencrypt/digitalocean.ini
 +</code>
 +
 +  * Paste this line (replace with your security token):
 +
 +<code>
 +    dns_digitalocean_token = PASTE_TOKEN_HERE
 +</code>
 +
 +  * In nano: use **Ctrl+O** to write, then **Ctrl+X** to exit.
 +
 +=== Secure credentials file ===
 +  * Change ownership of the file:
 +
 +<code>
 +    sudo chown root:root /etc/letsencrypt/digitalocean.ini
 +</code>
 +
 +  * Restrict permissions:
 +
 +<code>
 +    sudo chmod 600 /etc/letsencrypt/digitalocean.ini
 +</code>
 +
 +
 +==== Activate certbot ====
 +
 +=== Request certificate ===
 +  * Replace //example.com// and //int.example.com// (add/remove domains as needed).  
 +    * Wildcards are supported, e.g. `*.example.com`.  
 +    * Use the domain owner's email.
 +
 +<code>
 +    sudo certbot certonly --dns-digitalocean \
 +      --dns-digitalocean-credentials /etc/letsencrypt/digitalocean.ini \
 +      -d example.com -d int.example.com \
 +      --agree-tos --email you@example.com --non-interactive
 +</code>
 +
 +=== Test renewal ===
 +  * Test renewal with a dry run:
 +
 +<code>
 +    sudo certbot renew --dry-run
 +</code>
 +Avoid renewing certificates without the dry run flag as Let's encrypt has a cap of renewals/day.
 +=== Reload nginx ===
 +  * If successful, check nginx config and reload:
 +
 +<code>
 +    sudo nginx -t && sudo systemctl reload nginx
 +</code>
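Review bot: The heading at "====Create credentials file ===" has four leading and three trailing equals signs, so DokuWiki will not render it as a heading; make both sides "===" to match the sibling sections "=== Install certbot ===" and "=== Secure credentials file ===". On the token section, the suggestion "use **No expiration** to avoid maintenance overhead" sits awkwardly next to the page's own warning that "If this token becomes public, someone could modify your DNS records": a Domain-scoped write token stored in plaintext at /etc/letsencrypt/digitalocean.ini is a long-lived credential on the web server, so the note should at least state the trade-off (an expiring token limits the blast radius of a leaked file at the cost of periodic rotation) rather than recommend the non-expiring option outright. In the credentials section the token is pasted with "sudo nano" before the chown/chmod steps run, so the file briefly exists with default permissions; consider moving "sudo chmod 600" ahead of the paste step, or creating the file with restrictive permissions first. The line "Avoid renewing certificates without the dry run flag as Let's encrypt has a cap of renewals/day." needs a blank line before "=== Reload nginx ===" or the wiki will run it into the heading. Spelling: "challange" should be "challenge" (title), "oscean" should be "ocean" and "lets encrypt" should be "Let's Encrypt" (intro), and "setup" used as a verb ("how to setup", "Setup the certbot") should be "set up".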