Let's Encrypt DNS-01 challenge using Glesys API and Dehydrated
By using the Glesys API and a small program called Dehydrated, it's possible to obtain SSL certificates from Let's Encrypt through a DNS challenge instead of a web server.
Let’s Encrypt has released a type of challenge to verify that you are truly the owner of the domain for which you have created a certificate. This challenge does not require you to use a web server for verification; instead, it is entirely based on having access to create DNS records for the domain.
This guide shows how you can use the GleSYS API for this purpose.
Setting up Dehydrated and issuing a certificate
You will need to install cURL and XMLStarlet if you don’t already have these packages installed.
For Debian and Ubuntu, use the following command to install the packages:
sudo apt-get install curl xmlstarlet
For CentOS and AlmaLinux, use the following command (requires EPEL):
sudo yum install curl xmlstarlet
For more information about EPEL, see the EPEL Wiki.
All commands you are going to run from this point must be executed as root. To avoid having to type sudo for every command, switch to a root login shell using sudo -i. All commands executed after this command will then be executed as root, until you run exit.
Next, enter the working directory /etc/ssl/private.
cd /etc/ssl/private/
If, for some reason, the directory does not exist, you create it using the following command.
mkdir /etc/ssl/private && chmod 700 /etc/ssl/private
The next step is to create environment variables (envvars) that contain the API references. Log in to Glesys Cloud and click on your profile in the upper‑right corner. Choose Control API access, then click the green Create button. In the Create API Key window that opens, select the project for which the key should be created and give it a name. In this case, the description is set to letsencrypt.

In the image below, you can see that an API key with no permissions has been created with the ID 0JSmAiYu3l0ZGCNAOa15jWOP7OXKFIidk47RVElQ. This key is unique to this example; the key that was generated for you will differ.
To specify which IP address or domain is allowed to use the API key, click Actions and then select Access.

When you click Add, the changes take effect immediately. Press Close when you’re done.

Next, we’ll grant the API key permission to edit domains. Click Actions and select Permissions.

In the Permissions for API-key window that opens, select Allowed for the Domain row. Finish by clicking Save.

Now it’s time to start using the API key you created, and you do that by running the commands:
Replace CL12345 with the identifier of the project for which you created the key.
Replace ABCDE12345 with the key you generated. In our example, it is 0JSmAiYu3l0ZGCNAOa15jWOP7OXKFIidk47RVElQ.
Download Dehydrated together with the example configuration and our hook script from GitHub:
Edit the config file and enter the values as shown below (but make sure to use your own email address). Be sure to remove the comment symbols (the # characters) at the beginning of each line. Also, delete the line CONFIG_D=/etc/dehydrated/conf.d from the file since this isn't used in this case. A complete and fully working config file is shown below.
Dehydrated uses domains.txt by default to manage the domains for which it should create or update certificates. The syntax of the file looks like this:
This will create two certificates. One certificate for example.net with the alternative name www.example.net and another certificate for example.se with the alternative name dev.example.se.
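As an added example (not part of the original guide, the GleSYS hook script or Dehydrated), the shell function below reads a domains.txt in the layout described above and lists the _acme-challenge TXT record that each name needs for DNS-01, which shows exactly which records the API key will be asked to create. The function name challenge_records, the temporary sample file and the wildcard line with a "> alias" suffix are assumptions added for illustration.

```shell
#!/bin/sh
# Added example: map every name in a domains.txt to the TXT record that a
# DNS-01 challenge for it requires. Not code from GleSYS or Dehydrated.

# challenge_records FILE
# Prints one line per name: "<first name on the line> <name> <TXT record name>"
challenge_records() {
    local file="$1" line cert name base
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop comments
        line=${line%%>*}          # drop a "> alias" suffix, it is not a DNS name
        set -f                    # disable globbing: names may start with "*."
        set -- $line              # split the line on whitespace
        set +f
        [ $# -eq 0 ] && continue  # blank or comment-only line
        cert=$1                   # the first name identifies the certificate
        for name in "$@"; do
            base=${name#\*.}      # a wildcard is validated at its base name
            printf '%s %s _acme-challenge.%s\n' "$cert" "$name" "$base"
        done
    done < "$file"
}

# Constructed sample input: the two certificates described in the text,
# plus a constructed wildcard entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
example.net www.example.net
example.se dev.example.se
*.example.org > star_example_org
EOF
challenge_records "$sample"
rm -f "$sample"
```

Every record name printed must belong to a domain in the project the API key was created for, so the output doubles as a checklist when reviewing the key's scope.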
In our example, we want to add the domain example.com. With the following command, we write to domains.txt:
You also need to set permissions on the files you created so that they can only be accessed by the root user. You do this with the following command:
If this is the first time you use Dehydrated with Let's Encrypt on this server, you first need to accept Let's Encrypt's terms of service. You do this using the following command:
This will output something similar to this:
Finally, we run Dehydrated with the -c flag to generate the certificates for our domain:
The output will look similar to this:
It’s all done now, and you can find the certificates in the directory /etc/ssl/private/certs/.
Apache usage example
To use the certificates with your Apache 2 web server, add the following to its configuration:
Automatically renew the certificate
A free SSL certificate from Let’s Encrypt is only valid for 90 days. To auto‑renew the certificate at 00:00 (midnight) every Saturday, you can use the following cron job (edit the crontab using crontab -e):