Using Certbot with DNS Made Easy

September 10, 2018

Let’s Encrypt (LE) is an awesome project and a boon for the entire internet community. Not only have they made HTTPS accessible to everyone, but the whole process of creating and renewing certs is much more user-friendly and thought-through than any commercial certificate authority I’ve dealt with in the past.

But

If you’ve ever had to manage a larger number of certs, for different services, you may have noticed that the default challenge and verification method on FreeBSD, when using nginx (webroot) can become a bit messy and fragile. Creating virtual hosts or modifying old ones in nginx may introduce changes that break certbot, different web app backends might need slightly different configs (e.g. static pages vs a PHP-base webmail vs Django apps) and bugs in the agent itself make it difficult to automate the process reliably.

Luckily, the webroot plugin is just one of the many methods for provisioning certs:

$ pkg search py36-certbot
py36-certbot-0.22.2,1          Let's Encrypt client
py36-certbot-apache-0.22.2     Apache plugin for Certbot
py36-certbot-dns-cloudflare-0.22.2 Cloudflare DNS plugin for Certbot
py36-certbot-dns-cloudxns-0.22.2 CloudXNS DNS Authenticator plugin for Certbot
py36-certbot-dns-digitalocean-0.22.2 DigitalOcean DNS Authenticator plugin for Certbot
py36-certbot-dns-dnsimple-0.22.2 DNSimple DNS Authenticator plugin for Certbot
py36-certbot-dns-dnsmadeeasy-0.22.2 DNS Made Easy DNS Authenticator plugin for Certbot
py36-certbot-dns-google-0.22.2 Google Cloud DNS Authenticator plugin for Certbot
py36-certbot-dns-luadns-0.22.2 LuaDNS Authenticator plugin for Certbot
py36-certbot-dns-nsone-0.22.2  NS1 DNS Authenticator plugin for Certbot
py36-certbot-dns-rfc2136-0.22.2 RFC 2136 DNS Authenticator plugin for Certbot
py36-certbot-dns-route53-0.22.2 Route53 DNS Authenticator plugin for Certbot
py36-certbot-nginx-0.22.2      NGINX plugin for Certbot

I’ve been using DNS Made Easy for all my DNS hosting for a few years now and decided to give their plugin a shot. It worked really well, sidestepping all the issues I had run into with the webroot plugin, so here’s a short howto on setting that up. These instructions will work even if you’re renewing from webroot - based challenges.

{Install|configur}ation

Let’s start by installing the DNS Made Easy certbot plugin. I prefer to use the Python 3.6 version - just substitute with py27-certbot-dns-dnsmadeeasy if you’re still in v2.

sudo pkg install py36-certbot-dns-dnsmadeeasy

Go to https://cp.dnsmadeeasy.com/account/info, check the Generate New API Credentials and hit Save. You should now see some random strings after the API Key: and Secret Key: labels. Let’s put those credentials into /usr/local/etc/letsencrypt/dnsmadeeasy.conf:

# /usr/local/etc/letsencrypt/dnsmadeeasy.conf
# DNS Made Easy API credentials used by Certbot
dns_dnsmadeeasy_api_key = supersecret
dns_dnsmadeeasy_secret_key = supersecreter

Those credentials give access to your entire DNS configuration, so let’s make sure only root can read them, shall we?:

sudo chmod 0400 /usr/local/etc/letsencrypt/dnsmadeeasy.conf

Finally, let’s request the certs:

$ sudo certbot-3.6 certonly --dns-dnsmadeeasy -d www.example.com -d mail.example.com -d example.com --dns-dnsmadeeasy-credentials /usr/local/etc/letsencrypt/dnsmadeeasy.conf
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-dnsmadeeasy, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for www.example.com
dns-01 challenge for mail.example.com
dns-01 challenge for example.com
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

Don’t forget to also reload nginx for the new certs to take effect immediately:

sudo service nginx reload

If you want to make absolutely sure everything is kosher, go check your web server with SSL Labs’ SSL Server Test. While you’re waiting for the results, go check out the certbot plugin’s documentation which is refereshingly succinct.

That’s it! Now you have an out-of-band Certbot setup that you can safely certbot renew without breaking it every time you make changes to your nginx virtualhosts. Even if you don’t use DNS Made Easy, I highly recommend looking into some of the alternative Certbot challenge methods.