HOW-TO Generate an SSL Certificate with

There is a wealth of documentation about how to generated a Certificate using
letsencrypt, the EFF free tool.

However, if you are using g-suite to manage your main website or want an SSL certificate to do some testing during development, and may not have shell access to the WWW server (and, further, you are unable to deploy the challenge file in the given location) things get a bit tricky.

See the EFF Certbot documentation if you do have shell or file access to your WWW server.

In the following I will outline the steps I followed to use the --manaual mode, with DNS verification.

Manual install of Certbot on Ubuntu

The version of letsencrypt that is packaged for Ubuntu 16.04 does not support DNS challenge using the manual plugin, so you will need to download and install certbot manually (which, I guess, is only appropriate):

cd ~/certbot
chmod a+x certbot-auto

Setup a TXT DNS record

See this page for a clear explanation of the major types of DNS records.

The DNS records for can be configured on the
DNS Panel

YMMV here, but ultimately it requires being able to get on your domain registrar DNS management panel and set up a TXT record.

Run certbot in --manual mode

This is the command to run (replace with your domain name), you can chain several domains using the -d options several times:

$ ./certbot-auto certonly --manual --preferred-challenges dns -d

this will ask for the appropriate TXT record for each of the domains you specify:

Requesting root privileges to run certbot...
  /home/marco/.local/share/letsencrypt/bin/letsencrypt certonly --manual --preferred-challenges dns -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
(Y)es/(N)o: y

Please deploy a DNS TXT record under the name with the following value:

  <<< random value >>>

Once this is deployed,
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ Your cert will
   expire on 2017-05-21. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

Where is my certificate?

As the blurb above indicates, the certificate(s) are in the live/ folder under /etc/letsencrypt:

$ sudo find /etc/letsencrypt/

will yield, among (many) other things:




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: