Let's Encrypt DNS-01 challenge using Glesys API and Dehydrated

By using the GleSYS API together with a small program called Dehydrated, you can obtain SSL certificates from Let's Encrypt with a DNS challenge instead of a web server.


Let's Encrypt offers a challenge type, DNS-01, that verifies that you really control the domain for which you are requesting a certificate. This challenge does not require a web server for verification; instead, it relies entirely on your being able to create DNS records for the domain.

This guide shows how you can use the GleSYS API for this purpose.
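As an added illustration (not part of the original guide, nor code from Dehydrated), the following POSIX shell helpers show what the CA actually looks up during a DNS-01 validation: a TXT record named _acme-challenge.<domain> whose value is the base64url-encoded SHA-256 hash of the key authorization (token.thumbprint, RFC 8555 section 8.4). Dehydrated computes and publishes that value for you; these helpers are useful when a validation fails and you want to confirm that the record your DNS actually serves matches what the CA expects. The function names are mine, and openssl and base64 are assumed to be installed.

```sh
#!/bin/sh
# Added example, not part of the GleSYS guide or of Dehydrated.
# Helpers to reproduce and check the value a DNS-01 validation looks for.
# Requires openssl and base64 (coreutils).

# RFC 8555 section 8.4: TXT value = base64url( SHA-256( token "." account_key_thumbprint ) )
# with the base64 padding removed. $1 is the key authorization string "token.thumbprint".
dns01_txt_value() {
    printf '%s' "$1" | openssl dgst -sha256 -binary | base64 | tr -d '\n=' | tr '+/' '-_'
}

# The record name the CA queries. A wildcard name "*.example.com" is validated
# at the same record as "example.com".
dns01_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Check whether the expected value appears in the output of `dig +short TXT <name>`,
# which prints each TXT record quoted, one per line. $1 = expected, $2 = dig output.
dns01_txt_present() {
    printf '%s\n' "$2" | tr -d '"' | grep -Fxq -- "$1"
}

# Example usage against a live resolver (not run automatically; KEYAUTH is the
# key authorization string taken from the ACME client's logs):
#   dns01_txt_present "$(dns01_txt_value "$KEYAUTH")" \
#       "$(dig +short TXT "$(dns01_record_name example.com)")" && echo "record is correct"
```

The comparison is exact, so a stale record from an earlier attempt (a common reason for "Incorrect TXT record" errors) is reported as missing rather than silently accepted.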

Setting up Dehydrated and issuing a certificate

You will need to install cURL and XMLStarlet if you don’t already have these packages installed.

For Debian and Ubuntu, use the following command to install the packages:

Command
sudo apt-get install curl xmlstarlet

Next, enter the working directory /etc/ssl/private.

Command
cd /etc/ssl/private/

If the directory does not exist for some reason, create it with the following command:

Command
mkdir /etc/ssl/private && chmod 700 /etc/ssl/private

The next step is to create environment variables (envvars) that contain the API credentials. Log in to Glesys Cloud and click on your profile in the upper‑right corner. Choose Control API access, then click the green Create button. In the Create API Key window that opens, select the project for which the key should be created and give it a name. In this case, the description is set to letsencrypt.

In the image below, you can see that an API key with no permissions has been created with the ID 0JSmAiYu3l0ZGCNAOa15jWOP7OXKFIidk47RVElQ. This key is unique to this example; the key that was generated for you will differ.

To specify which IP address or domain is allowed to use the API key, click Actions and then select Access.

When you click Add, the changes take effect immediately. Press Close when you’re done.

Next, we’ll grant the API key permission to edit domains. Click Actions and select Permissions.

In the Permissions for API-key window that opens, select Allowed for the Domain row. Finish by clicking Save.

Now it's time to start using the API key you created. You do that by running the following commands:

  • Replace CL12345 with the identifier of the project for which you created the key.

  • Replace ABCDE12345 with the key you generated. In our example, it is 0JSmAiYu3l0ZGCNAOa15jWOP7OXKFIidk47RVElQ.

Download Dehydrated together with the example configuration and our hook script from GitHub:
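To show what the hook script has to do (this is an added example, not the GleSYS hook script from GitHub), here is the shape of a Dehydrated DNS-01 hook for GleSYS DNS. Dehydrated calls the hook as hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE before validation and hook.sh clean_challenge with the same arguments afterwards. The environment variable names GLESYS_USER and GLESYS_KEY, the endpoint and parameter names (domain/list, domain/addrecord, domain/listrecords, domain/deleterecord) and the XML layout parsed with xmlstarlet are assumptions to check against the current GleSYS API documentation; dig (from dnsutils) is used to wait until the record is publicly visible before Dehydrated asks the CA to validate, since asking too early is the usual cause of failed validations.

```sh
#!/bin/sh
# Added example, not the GleSYS project's hook script.
# Dehydrated calls this as:
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
# Assumptions: GLESYS_USER holds the project id (CL12345) and GLESYS_KEY the API key;
# the endpoints, parameter names and XML paths below must be checked against the
# current GleSYS API documentation. Requires curl, xmlstarlet and dig.
set -eu

GLESYS_API=${GLESYS_API:-https://api.glesys.com}

# POST to the API with HTTP basic auth; remaining arguments are curl -d options.
glesys_api() {
    endpoint=$1; shift
    curl -sS -u "${GLESYS_USER}:${GLESYS_KEY}" "$GLESYS_API/$endpoint/format/xml" "$@"
}

# Zones on the account, one per line (assumed XML layout: //domains/item/domainname).
list_zones() {
    glesys_api domain/list | xmlstarlet sel -t -v '//domains/item/domainname' -n
}

# Longest zone name that is the FQDN itself or a suffix of it.
# $1 = fqdn, $2 = newline-separated zone list. Fails if no zone matches.
find_zone() {
    fqdn=$1; best=""
    for z in $2; do
        case "$fqdn" in
            "$z"|*".$z") [ "${#z}" -gt "${#best}" ] && best=$z ;;
        esac
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# Host part of the challenge record relative to its zone. $1 = fqdn, $2 = zone.
challenge_host() {
    if [ "$1" = "$2" ]; then
        printf '_acme-challenge\n'
    else
        rel=${1%.$2}
        printf '_acme-challenge.%s\n' "$rel"
    fi
}

# Wait until the record is visible from outside (the CA validates from the
# Internet, not from your server); gives up after 30 x 10 seconds.
wait_for_txt() {  # $1 = record name, $2 = expected value
    i=0
    while [ "$i" -lt 30 ]; do
        if dig +short TXT "$1" | tr -d '"' | grep -Fxq -- "$2"; then return 0; fi
        i=$((i + 1)); sleep 10
    done
    echo "TXT record $1 not visible after 5 minutes" >&2
    return 1
}

deploy_challenge() {  # $1 = domain, $3 = token value
    zone=$(find_zone "$1" "$(list_zones)")
    host=$(challenge_host "$1" "$zone")
    glesys_api domain/addrecord -d "domainname=$zone" -d "host=$host" \
        -d type=TXT -d "data=$3" -d ttl=60 >/dev/null
    wait_for_txt "_acme-challenge.$1" "$3"
}

clean_challenge() {  # delete only the record(s) carrying this token value
    zone=$(find_zone "$1" "$(list_zones)")
    host=$(challenge_host "$1" "$zone")
    glesys_api domain/listrecords -d "domainname=$zone" \
        | xmlstarlet sel -t -v "//records/item[host='$host' and data='$3']/recordid" -n \
        | while read -r id; do
            [ -n "$id" ] && glesys_api domain/deleterecord -d "recordid=$id" >/dev/null
        done
}

# Dispatch on the hook name Dehydrated passes first; other hook names are ignored.
case "${1:-}" in
    deploy_challenge|clean_challenge) "$@" ;;
esac
```

Register the script in the config file with HOOK=/etc/ssl/private/hook.sh and make it executable. deploy_challenge only returns once the record is visible, and clean_challenge deletes only the record carrying that token, so other TXT records in the zone (SPF, DMARC, verification records) are left alone.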

Edit the config file and enter the values as shown below (but make sure to use your own email address). Be sure to remove the comment symbols (the # characters) at the beginning of each line. Also, delete the line CONFIG_D=/etc/dehydrated/conf.d from the file, since it isn't used in this case. A complete and fully working config file is shown below.

Dehydrated uses domains.txt by default to manage the domains for which it should create or update certificates. The syntax of the file looks like this:

This will create two certificates. One certificate for example.net with the alternative name www.example.net and another certificate for example.se with the alternative name dev.example.se.

In our example, we want to add the domain example.com. With the following command, we write to domains.txt:

You also need to set permissions on the files you created so that they can only be accessed by the root user. You do this with the following command:

If this is the first time you have used Dehydrated with Let's Encrypt on this server, you first need to accept Let's Encrypt's terms of service. You do this using the following command:

This will output something similar to this:

Finally, we run Dehydrated with the -c flag to generate the certificates for our domain:

The output will look similar to this:

It’s all done now, and you can find the certificates in the directory /etc/ssl/private/certs/.

Apache usage example

To use the certificates with your Apache 2 web server, add the following to its configuration:

Automatically renew the certificate

A free SSL certificate from Let’s Encrypt is only valid for 90 days. To auto‑renew the certificate at 00:00 (midnight) every Saturday, you can use the following cron job (edit the crontab using crontab -e):
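The following renewal wrapper is an added example, not from the guide: it runs Dehydrated, reloads Apache only when a certificate actually changed, and offers a check for certificates that are close to expiry. It assumes Dehydrated is checked out in /etc/ssl/private as in this guide, that certificates are written to /etc/ssl/private/certs/, and that Apache is reloaded with systemctl reload apache2; the function names are mine.

```sh
#!/bin/sh
# Added example, not from the GleSYS guide: renewal wrapper for the weekly cron job.
# Assumptions: Dehydrated lives in /etc/ssl/private (the guide's working directory),
# certificates are in /etc/ssl/private/certs/, Apache is reloaded with systemctl.
set -eu

DEHYDRATED_DIR=${DEHYDRATED_DIR:-/etc/ssl/private}
CERT_DIR=${CERT_DIR:-$DEHYDRATED_DIR/certs}
RELOAD_CMD=${RELOAD_CMD:-"systemctl reload apache2"}

# One hash over every fullchain.pem below $1, in a fixed order; it changes exactly
# when a certificate was (re)issued, so the web server is only reloaded when needed.
cert_fingerprint() {
    find "$1" -name fullchain.pem -type f 2>/dev/null | LC_ALL=C sort \
        | while read -r f; do cat "$f"; done \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if the certificate in $1 expires within $2 days (or cannot be read).
# Dehydrated renews 30 days before expiry; use this from monitoring to catch
# renewals that silently stopped working.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

renew() {
    before=$(cert_fingerprint "$CERT_DIR")
    (cd "$DEHYDRATED_DIR" && ./dehydrated -c)
    after=$(cert_fingerprint "$CERT_DIR")
    if [ "$before" != "$after" ]; then
        echo "certificates changed, reloading web server"
        $RELOAD_CMD
    else
        echo "no certificate changed, nothing to reload"
    fi
}

# Only renew when called as "renew-certs.sh renew", so the functions can be sourced.
if [ "${1:-}" = "renew" ]; then
    renew
fi
```

Saved as /etc/ssl/private/renew-certs.sh (an assumed path), the crontab entry for 00:00 every Saturday becomes 0 0 * * 6 /etc/ssl/private/renew-certs.sh renew. Dehydrated only replaces a certificate that is within 30 days of expiry, so the reload runs at most every few weeks, and the expiry check gives you an alert if renewals stop working, for instance because the API key was revoked.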
