Sidebar

Using with Let's Encrypt

The UK DNS Privacy Project service integrates seamlessly with Let’s Encrypt through our official Certbot plugin, certbot-dns-dnsprivacy. This plugin automates the process of creating and validating DNS TXT records for domain validation, making it easy to obtain and renew TLS certificates.

Why Use DNS-01 Challenge?

The DNS-01 challenge offers several advantages over HTTP-01:

  • Support for wildcard certificates: Create certificates for *.yourdomain.com
  • No public ports required: Perfect for servers behind firewalls
  • Ideal for internal servers: Validate domains without public internet access
  • Consistent renewal: Automate certificate renewal without service disruption

Prerequisites

Before you begin, make sure you have:

  1. A domain managed by UK DNS Privacy Project authoritative DNS
  2. An API token from your UK DNS Privacy Project dashboard
  3. Python and Certbot installed on your system

Installing the Plugin

Install the certbot-dns-dnsprivacy plugin using pip:

pip install certbot-dns-dnsprivacy

Creating API Credentials

  1. Log in to your UK DNS Privacy Project dashboard
  2. Navigate to Account > API Tokens
  3. Create a new token with the “DNS Management” permission
  4. Copy your token to a secure location

Next, create a credentials file with restricted permissions:

# Create and secure the credentials file
touch /etc/letsencrypt/credentials.ini
chmod 600 /etc/letsencrypt/credentials.ini

Edit the credentials file and add your API token:

# /etc/letsencrypt/credentials.ini
dns_dnsprivacy_token = YOUR_API_TOKEN

Replace YOUR_API_TOKEN with the actual token from your dashboard.

Obtaining Certificates

Standard Certificate

For a standard domain certificate:

certbot certonly \
  --authenticator dns-dnsprivacy \
  --dns-dnsprivacy-credentials /etc/letsencrypt/credentials.ini \
  --dns-dnsprivacy-authoritative-domain example.com \
  --dns-dnsprivacy-propagation-seconds 60 \
  -d example.com

Wildcard Certificate

For a wildcard certificate:

certbot certonly \
  --authenticator dns-dnsprivacy \
  --dns-dnsprivacy-credentials /etc/letsencrypt/credentials.ini \
  --dns-dnsprivacy-authoritative-domain example.com \
  --dns-dnsprivacy-propagation-seconds 60 \
  -d example.com -d *.example.com

Multiple Subdomains

For multiple specific subdomains:

certbot certonly \
  --authenticator dns-dnsprivacy \
  --dns-dnsprivacy-credentials /etc/letsencrypt/credentials.ini \
  --dns-dnsprivacy-authoritative-domain example.com \
  --dns-dnsprivacy-propagation-seconds 60 \
  -d example.com -d www.example.com -d mail.example.com

Plugin Options Explained

  • --authenticator dns-dnsprivacy: Specifies our plugin as the authentication method
  • --dns-dnsprivacy-credentials: Path to your credentials file
  • --dns-dnsprivacy-authoritative-domain: The zone name in your DNS Privacy account
  • --dns-dnsprivacy-propagation-seconds: How long to wait for DNS changes to propagate (default: 60)

Automating Renewal

Certbot automatically creates a renewal configuration based on your initial certificate request. To test the renewal process:

certbot renew --dry-run

If the dry run is successful, your certificates will automatically renew when needed.

Integration with Web Servers

Nginx

Update your Nginx configuration to use the Let’s Encrypt certificates:

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Other SSL settings recommended for security
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

    # Your site configuration
}

Apache

Update your Apache configuration:

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Your site configuration
</VirtualHost>

Troubleshooting

DNS Propagation Issues

If you encounter errors during validation:

  1. Increase the propagation wait time:

    --dns-dnsprivacy-propagation-seconds 120
    
  2. Verify your domain is correctly configured in the DNS Privacy dashboard

API Token Issues

If you see authentication errors:

  1. Verify your API token in the credentials file is correct
  2. Ensure the token has DNS Management permissions
  3. Check that the credentials file has the correct permissions (600)

Zone Detection Problems

If Certbot can’t find your zone:

  1. Make sure you’re using the correct --dns-dnsprivacy-authoritative-domain parameter
  2. Verify that the domain is properly set up in your DNS Privacy dashboard

Security Best Practices

  1. Store your credentials file outside web-accessible directories
  2. Set restrictive file permissions: chmod 600 /etc/letsencrypt/credentials.ini
  3. Consider using a dedicated API token just for Let’s Encrypt operations
  4. Regularly audit your API tokens in the DNS Privacy dashboard

Our use of cookies
We use a session cookie to maintain your login state when you create an account with us. This cookie is essential for the operation of our website and is used solely for authentication purposes. For more information, please read our privacy policy.