Using with Let's Encrypt
The UK DNS Privacy Project service integrates seamlessly with Let’s Encrypt through our official Certbot plugin, certbot-dns-dnsprivacy
. This plugin automates the process of creating and validating DNS TXT records for domain validation, making it easy to obtain and renew TLS certificates.
Why Use DNS-01 Challenge?
The DNS-01 challenge offers several advantages over HTTP-01:
-
Support for wildcard certificates: Create certificates for
*.yourdomain.com
- No public ports required: Perfect for servers behind firewalls
- Ideal for internal servers: Validate domains without public internet access
- Consistent renewal: Automate certificate renewal without service disruption
Prerequisites
Before you begin, make sure you have:
- A domain managed by UK DNS Privacy Project authoritative DNS
- An API token from your UK DNS Privacy Project dashboard
- Python and Certbot installed on your system
Installing the Plugin
Install the certbot-dns-dnsprivacy
plugin using pip:
pip install certbot-dns-dnsprivacy
Creating API Credentials
- Log in to your UK DNS Privacy Project dashboard
- Navigate to Account > API Tokens
- Create a new token with the “DNS Management” permission
- Copy your token to a secure location
Next, create a credentials file with restricted permissions:
# Create and secure the credentials file
touch /etc/letsencrypt/credentials.ini
chmod 600 /etc/letsencrypt/credentials.ini
Edit the credentials file and add your API token:
# /etc/letsencrypt/credentials.ini
dns_dnsprivacy_token = YOUR_API_TOKEN
Replace YOUR_API_TOKEN
with the actual token from your dashboard.
Obtaining Certificates
Standard Certificate
For a standard domain certificate:
certbot certonly \
--authenticator dns-dnsprivacy \
--dns-dnsprivacy-credentials /etc/letsencrypt/credentials.ini \
--dns-dnsprivacy-authoritative-domain example.com \
--dns-dnsprivacy-propagation-seconds 60 \
-d example.com
Wildcard Certificate
For a wildcard certificate:
certbot certonly \
--authenticator dns-dnsprivacy \
--dns-dnsprivacy-credentials /etc/letsencrypt/credentials.ini \
--dns-dnsprivacy-authoritative-domain example.com \
--dns-dnsprivacy-propagation-seconds 60 \
-d example.com -d *.example.com
Multiple Subdomains
For multiple specific subdomains:
certbot certonly \
--authenticator dns-dnsprivacy \
--dns-dnsprivacy-credentials /etc/letsencrypt/credentials.ini \
--dns-dnsprivacy-authoritative-domain example.com \
--dns-dnsprivacy-propagation-seconds 60 \
-d example.com -d www.example.com -d mail.example.com
Plugin Options Explained
-
--authenticator dns-dnsprivacy
: Specifies our plugin as the authentication method -
--dns-dnsprivacy-credentials
: Path to your credentials file -
--dns-dnsprivacy-authoritative-domain
: The zone name in your DNS Privacy account -
--dns-dnsprivacy-propagation-seconds
: How long to wait for DNS changes to propagate (default: 60)
Automating Renewal
Certbot automatically creates a renewal configuration based on your initial certificate request. To test the renewal process:
certbot renew --dry-run
If the dry run is successful, your certificates will automatically renew when needed.
Integration with Web Servers
Nginx
Update your Nginx configuration to use the Let’s Encrypt certificates:
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Other SSL settings recommended for security
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
# Your site configuration
}
Apache
Update your Apache configuration:
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
# Your site configuration
</VirtualHost>
Troubleshooting
DNS Propagation Issues
If you encounter errors during validation:
-
Increase the propagation wait time:
--dns-dnsprivacy-propagation-seconds 120
-
Verify your domain is correctly configured in the DNS Privacy dashboard
API Token Issues
If you see authentication errors:
- Verify your API token in the credentials file is correct
- Ensure the token has DNS Management permissions
- Check that the credentials file has the correct permissions (600)
Zone Detection Problems
If Certbot can’t find your zone:
- Make sure you’re using the correct
--dns-dnsprivacy-authoritative-domain
parameter - Verify that the domain is properly set up in your DNS Privacy dashboard
Security Best Practices
- Store your credentials file outside web-accessible directories
- Set restrictive file permissions:
chmod 600 /etc/letsencrypt/credentials.ini
- Consider using a dedicated API token just for Let’s Encrypt operations
- Regularly audit your API tokens in the DNS Privacy dashboard