Install SSL certificate with DNS TXT record

Here is the command to obtain a Let’s Encrypt SSL certificate with certbot using the DNS challenge, a.k.a. acme-challenge.

sudo certbot certonly --manual --preferred-challenges dns -d example.com

You’ll be prompted to add a TXT record for the desired domain.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
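
To act on "verify the record is deployed" before pressing Enter, the script below queries each authoritative nameserver for the TXT record directly, so a stale resolver cache cannot hide a missing record. It is an added example, not part of the original post or of certbot; the function names and the script name are hypothetical, and it assumes dig is installed and that the NS records live at the domain itself unless a zone is passed as the third argument.

```bash
#!/usr/bin/env bash
# Added example: check the _acme-challenge TXT record on every authoritative
# nameserver (not a caching resolver) before pressing Enter in certbot.

# txt_matches EXPECTED DIG_OUTPUT
# True if any line of `dig +short TXT` output equals EXPECTED. dig wraps TXT
# values in double quotes, and one name can hold several TXT records.
txt_matches() {
    local expected="$1" output="$2" line
    while IFS= read -r line; do
        line=${line#\"}; line=${line%\"}
        if [ "$line" = "$expected" ]; then return 0; fi
    done <<EOF
$output
EOF
    return 1
}

# check_challenge DOMAIN EXPECTED [ZONE]
# ZONE is the name holding the NS records; assumed equal to DOMAIN unless given.
check_challenge() {
    local domain="$1" expected="$2" zone="${3:-$1}" servers ns answer failed=0
    servers=$(dig +short NS "$zone")
    if [ -z "$servers" ]; then
        echo "no NS records found for $zone" >&2
        return 2
    fi
    for ns in $servers; do
        answer=$(dig +short TXT "_acme-challenge.$domain" "@$ns")
        if txt_matches "$expected" "$answer"; then
            echo "ok       $ns"
        else
            echo "MISSING  $ns"
            failed=1
        fi
    done
    return "$failed"
}

# Runs only when invoked with arguments, e.g.:
#   ./check-acme-txt.sh example.com <value shown by certbot>
if [ "$#" -ge 2 ]; then
    check_challenge "$@"
fi
```

A non-zero exit status means at least one nameserver does not yet serve the expected value, so wait and re-run before continuing in certbot.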

After that, point the web server configuration for the domain at the certificate files. For nginx on Debian/Ubuntu:

server {
    listen 443 ssl http2;
    ...
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ...
}

Or Apache:

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
    ...
</VirtualHost>

Important: Certificates that are created using --manual (and without an authentication hook) cannot be automatically renewed.