Issue certificate with DNS manual mode

Certificate issue in DNS manual mode

Based on https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode

Warning: DNS manual mode cannot renew automatically. Each renewal means repeating the steps below by hand, and a Let's Encrypt certificate is valid for only 90 days, so the whole procedure has to be redone before then.

  • Install the client:

    git clone https://github.com/Neilpang/acme.sh.git
    
    cd ./acme.sh
    
    ./acme.sh --install
    
  • Get the TXT record names and values. With --dns and no provider name, acme.sh runs in manual mode: it prints a "Domain:" / "TXT value:" pair for every -d name and then exits without finishing the order:

    ./acme.sh --issue --dns -d it-projects.info -d '*.it-projects.info' -d '*.apps.it-projects.info' -d '*.runbot.it-projects.info' -d '*.new.it-projects.info' -d '*.test.it-projects.info' -d '*.saas.it-projects.info' --yes-I-know-dns-manual-mode-enough-go-ahead-please
    
  • Add the TXT records to your DNS zone. Note that it-projects.info and '*.it-projects.info' are both validated at the same name, _acme-challenge.it-projects.info, so that name needs two TXT records (one per value); each '*.<sub>.it-projects.info' wildcard gets its own _acme-challenge.<sub>.it-projects.info record.

  • Check the TXT records via dig before continuing (for the apex name you should see both values; repeat the query for _acme-challenge.apps.it-projects.info and the other subdomain names):

    dig _acme-challenge.it-projects.info -t txt
    
  • Get the certificate with the --renew command, passing the same -d list you used for --issue (--debug is optional but useful if it fails):

    ./acme.sh --debug --renew -d it-projects.info -d '*.it-projects.info' -d '*.apps.it-projects.info' -d '*.runbot.it-projects.info' -d '*.new.it-projects.info' -d '*.test.it-projects.info' -d '*.saas.it-projects.info' --yes-I-know-dns-manual-mode-enough-go-ahead-please
    
  • Copy the certs into the Nginx certificate directory (acme.sh writes them to ~/.acme.sh/it-projects.info/, as shown in the success output below):

    cp fullchain.cer /etc/nginx/certs/letsencrypt.it-projects.info.cer
    cp it-projects.info.key /etc/nginx/certs/letsencrypt.it-projects.info.key
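
The check in the procedure above looks at one name only, while a multi-wildcard issue produces several TXT records, two of them at the same name. The script below is an added example for this gist (not code from the gist or from acme.sh): it parses the "Domain: '...'" / "TXT value: '...'" lines that acme.sh prints in manual mode (an assumed output format, taken from the acme.sh source; ANSI colour codes are stripped in case the log was captured from a terminal) and queries every record with dig, so you only run --renew once all of them are visible. The resolver address, the check_acme_txt.sh file name and the issue.log file name are assumptions.

```shell
#!/bin/sh
# check_acme_txt.sh -- added example, not part of the gist or of acme.sh.
# Parses the TXT records printed by `acme.sh --issue --dns ...` (assumed
# "Domain: '...'" / "TXT value: '...'" format) and checks them with dig.

# Read acme.sh --issue output on stdin, print one "name value" pair per line.
parse_acme_txt() {
  awk -F"'" '
    BEGIN { esc = sprintf("%c", 27) }        # ESC, to strip \033[...m colour codes
    { gsub(esc "\\[[0-9;]*m", "") }
    /Domain: /    { name = $2 }              # the text between the single quotes
    /TXT value: / { print name, $2 }
  '
}

# Succeed if $1 appears among the TXT strings read on stdin
# (dig +short format: one double-quoted string per line).
txt_present() {
  expected=$1
  while IFS= read -r line; do
    line=${line#\"}
    line=${line%\"}
    [ "$line" = "$expected" ] && return 0
  done
  return 1
}

# For each "name value" pair on stdin, query DNS and report.
# RESOLVER is an assumption; querying the zone's authoritative nameserver
# avoids stale negative caches. Returns the number of records still missing
# (0 = every record is visible and --renew can be run).
check_records() {
  resolver=${RESOLVER:-1.1.1.1}
  missing=0
  while read -r name value; do
    if dig +short @"$resolver" "$name" TXT </dev/null | txt_present "$value"; then
      echo "ok       $name"
    else
      echo "MISSING  $name  $value"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Usage:  ./acme.sh --issue --dns ... 2>&1 | tee issue.log
#         sh check_acme_txt.sh check issue.log   (repeat until exit status 0)
if [ "$#" -eq 2 ] && [ "$1" = "check" ]; then
  parse_acme_txt < "$2" | check_records
fi
```

Run the --issue step with its output teed to a file, then run the checker until it reports no missing records before executing --renew; a non-zero exit status is the number of records DNS has not yet served, which is what the "Verify error" during finalisation usually means in practice.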
    
  • Note:

If you see an error like this:

[Thu Jan  9 20:58:31 MSK 2020] code='500'
[Thu Jan  9 20:58:31 MSK 2020] Sign failed, finalize code is not 200.
[Thu Jan  9 20:58:31 MSK 2020] {
"type": "urn:ietf:params:acme:error:serverInternal",
"detail": "Error finalizing order",
"status": 500
}
[Thu Jan  9 20:58:31 MSK 2020] _on_issue_err
[Thu Jan  9 20:58:31 MSK 2020] Please add '--debug' or '--log' to check more details.
[Thu Jan  9 20:58:31 MSK 2020] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Thu Jan  9 20:58:31 MSK 2020] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

try running the last command again (it may take two attempts). The status 500 "Error finalizing order" comes from the CA side, and the final line about manual mode is the generic warning acme.sh prints on any failure in this mode, not the cause of the error.

As a result you should see:

[Thu Jan  9 21:02:17 MSK 2020] Your cert is in  /root/.acme.sh/it-projects.info/it-projects.info.cer
[Thu Jan  9 21:02:17 MSK 2020] Your cert key is in  /root/.acme.sh/it-projects.info/it-projects.info.key
[Thu Jan  9 21:02:17 MSK 2020] v2 chain.
[Thu Jan  9 21:02:17 MSK 2020] The intermediate CA cert is in  /root/.acme.sh/it-projects.info/ca.cer
[Thu Jan  9 21:02:17 MSK 2020] And the full chain certs is there:  /root/.acme.sh/it-projects.info/fullchain.cer
[Thu Jan  9 21:02:17 MSK 2020] _on_issue_success