Wiki: LetsEncrypt DNS-01 (Hostpoint)
TL;DR
- Wildcards require DNS-01.
- Hostpoint TXT name should be _acme-challenge.test (the zone suffix is added automatically).
- TTL 300s; allow 15-30 minutes for propagation.
Why DNS-01
HTTP-01 only validates a single host. DNS-01 proves control of the zone and supports *.example.com.
Hostpoint TXT Record
- Type: TXT
- Name: _acme-challenge.test
- Value: token from Certbot
- TTL: 300
Certbot (Docker)
docker run -it --rm \
-v $PWD/letsencrypt:/etc/letsencrypt \
certbot/certbot certonly --manual --preferred-challenges dns \
-d "*.test.privsec.ch" -d "test.privsec.ch"
Certbot (docker-compose)
version: "3"
services:
  certbot:
    image: certbot/certbot
    container_name: certbot
    # manual mode prompts for the TXT value, so the container needs a TTY and stdin
    stdin_open: true
    tty: true
    volumes:
      - ./letsencrypt:/etc/letsencrypt
      - ./varlibletsencrypt:/var/lib/letsencrypt
    command: certonly --manual --preferred-challenges dns -d "*.test.privsec.ch" -d "test.privsec.ch"
Verify DNS
dig TXT _acme-challenge.test.privsec.ch @1.1.1.1 +short
nslookup -type=TXT _acme-challenge.test.privsec.ch 8.8.8.8
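A small helper script, added here as an example and not part of the wiki or of Certbot, that derives the TXT record name from a certificate name and checks dig output for the expected token before continuing. It assumes a POSIX shell and dig on the path; the token values are constructed. Note that the wildcard "*.test.privsec.ch" and the base name "test.privsec.ch" both map to the same record name, _acme-challenge.test.privsec.ch, so Certbot will ask for two TXT values at that one name and both must be published at once.

```shell
#!/bin/sh
# Added example: DNS-01 record-name helpers and a propagation check.
# Not from the wiki; assumes dig is installed and the zone is known.

# Map a certificate name to its DNS-01 TXT record name (RFC 8555 section 8.4):
# a leading "*." is stripped, so wildcard and base name share one record name.
challenge_name() {
    name="${1#\*.}"
    printf '_acme-challenge.%s\n' "$name"
}

# Hostpoint appends the zone to whatever is typed into the Name field, so
# return the record name with the zone suffix removed. $2 is the zone.
hostpoint_name() {
    full=$(challenge_name "$1")
    zone="$2"
    printf '%s\n' "${full%.$zone}"
}

# Read "dig +short" output on stdin and succeed only if the exact token is
# present. dig prints TXT values wrapped in double quotes.
txt_present() {
    grep -Fxq "\"$1\""
}

# Poll a public resolver until the token is visible or the tries run out.
# Call this before answering Certbot's "press Enter to continue" prompt.
# $1 = record name, $2 = expected token, $3 = resolver (default 1.1.1.1)
wait_for_txt() {
    name="$1"; token="$2"; resolver="${3:-1.1.1.1}"
    tries=0
    while [ "$tries" -lt 30 ]; do
        if dig TXT "$name" "@$resolver" +short | txt_present "$token"; then
            echo "TXT $name visible at $resolver"
            return 0
        fi
        tries=$((tries + 1))
        sleep 30
    done
    echo "TXT $name not visible after 15 minutes" >&2
    return 1
}
```

Usage: `wait_for_txt "$(challenge_name '*.test.privsec.ch')" 'value-shown-by-certbot'`, then press Enter in the Certbot prompt once it returns 0.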
NGINX Wiring
ssl_certificate /etc/letsencrypt/live/test.privsec.ch/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/test.privsec.ch/privkey.pem;
Notes
- Always quote the wildcard: -d "*.test.privsec.ch".
- Manual DNS-01 needs renewal every ~90 days unless automated.