Install SSL certificate with DNS TXT record


Here is the command to obtain a Let’s Encrypt SSL certificate with certbot using the DNS challenge, a.k.a. acme-challenge.

sudo certbot certonly --manual --preferred-challenges dns -d example.com

You’ll be prompted to add a TXT record for the desired domain.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
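
One way to carry out the "verify the record is deployed" step, as an added example that is not part of the original tutorial: it asks each authoritative nameserver for the TXT record with dig and compares the answer to the value certbot printed. The function names are made up for this example, and it assumes dig is installed and that the domain passed in is the zone apex (so it has NS records).

```shell
#!/usr/bin/env bash
# Added example: confirm the _acme-challenge TXT record is visible on every
# authoritative nameserver before pressing Enter in certbot.

# Turn one line of `dig +short` TXT output ("part1" "part2") into the bare value.
normalize_txt() {
    printf '%s\n' "$1" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_matches EXPECTED DIG_OUTPUT -> 0 if any returned TXT value equals EXPECTED exactly.
txt_matches() {
    local expected="$1" line
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        [ "$(normalize_txt "$line")" = "$expected" ] && return 0
    done <<EOF
$2
EOF
    return 1
}

# check_acme_txt DOMAIN EXPECTED -> 0 only if every authoritative NS serves the value.
check_acme_txt() {
    local domain="$1" expected="$2" ns answer servers rc=0
    servers=$(dig +short NS "$domain")
    [ -n "$servers" ] || { echo "no NS records found for $domain" >&2; return 2; }
    for ns in $servers; do
        # Ask the authoritative server directly so resolver caches cannot hide a stale answer.
        answer=$(dig +short TXT "_acme-challenge.$domain" "@$ns")
        if txt_matches "$expected" "$answer"; then
            echo "ok       $ns"
        else
            echo "MISSING  $ns"
            rc=1
        fi
    done
    return $rc
}

# Usage (pass the value certbot printed):
#   check_acme_txt example.com 'VALUE_FROM_CERTBOT' && echo "safe to press Enter"
```

Querying every authoritative server matters because a record that has reached only one of them can still fail validation if the CA happens to ask another.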

After that, point the web server configuration for the domain at the certificate files. For nginx on Debian/Ubuntu:

server {
    listen 443 ssl http2;
    ...
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ...
}

Or Apache:

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
    ...
</VirtualHost>

Important: Certificates that are created using --manual (and without an authentication hook) cannot be automatically renewed.