PIXILAB Wiki

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
blocks:server:nginx:dns01_challenge [2025-09-17 06:28] – created mattiasblocks:server:nginx:dns01_challenge [2025-09-17 06:50] (current) – [DNS-01 Challenge for renewal of HTTPS certificates] mattias
Line 4: Line 4:
 There are three main ways to prove for the certificate provider that you are the legal owner in control of a domain name. HTTP-01 challenge, DNS-01 challenge, TLS-ALPN-01.  There are three main ways to prove for the certificate provider that you are the legal owner in control of a domain name. HTTP-01 challenge, DNS-01 challenge, TLS-ALPN-01. 
 We will not bother about the TLS-ALPN-01, it has rather specific purposes, HTTP-01 will work if the server is published to the internet, e.g. a cloud server.  We will not bother about the TLS-ALPN-01, it has rather specific purposes, HTTP-01 will work if the server is published to the internet, e.g. a cloud server. 
-To allow for automatic renewal on server that is not exposed to the internet the DNS-01 challenge is useful.  All it need is a dns provider with an api and a cert-bot plug in for Let's Encrypt that can automatically renew the certificates when required.+To allow for automatic renewal on server that is not exposed but can access the internet DNS-01 challenge is useful.  All it need is a dns provider with an api and a cert-bot plug in for Let's Encrypt that can automatically renew the certificates when required.  
 +==== Available plugins ==== 
 +The officical certbot plugins maintained by Certbot can be found [[https://github.com/certbot/certbot|here]]
  
 +3rd party plugins can be found [[https://pypi.org/search/?q=certbot-dns-|here]].
 ====Outline of the steps involved for DNS-Challange==== ====Outline of the steps involved for DNS-Challange====
  
Line 11: Line 14:
   -   Configure the domain at the registrar to use your DNS provider's name servers.   -   Configure the domain at the registrar to use your DNS provider's name servers.
   -   Create an account at a dns provider unless you already have one.    -   Create an account at a dns provider unless you already have one. 
-  -   Create an api token with the dns provider that the certbot can use to make its api calls. :!: Make its permissions as restricted as possible, we only need control over dns!+  -   Create an api token with the dns provider that the certbot can use to make its api calls. :!: Make its permissions as restricted as possible, we only need control over dns! 
   - Create a file to store the api token or secret. Typically stored in an .ini file under /etc/letsencrypt/   - Create a file to store the api token or secret. Typically stored in an .ini file under /etc/letsencrypt/
   - make sure the necessary cert-bot plugin is installed. Follow the dns providers instructions.   - make sure the necessary cert-bot plugin is installed. Follow the dns providers instructions.
Line 18: Line 21:
  
 ====Step by step examples==== ====Step by step examples====
 +===Digial Ocean===
 [[blocks:server:nginx:digital_ocean_dns01_challenge|Digital Ocean as dns provider]] [[blocks:server:nginx:digital_ocean_dns01_challenge|Digital Ocean as dns provider]]
 +
 +===Cloudflare===
 +[[blocks:server:nginx:cloudflare_dns01_challenge|Cloud flare as dns provider]]