Configurig Let's Encrypt with DNS-01 challenge on Debian 10 Buster
While setting this up, I ran into a lot of issues with DNS service APIs not matching what was available in the buster repository and in other scripts that I tried. These are my notes on how to set up Let's Encrypt with a DNS-01 challenge, but the most important part is just knowing what works. I don't want to name the services and tools that didn't, as I expect they'll be updated soon, but as of this writing, if you want things to go quickly and easily, I recommend Cloudflare for DNS, certbot, and python3-certbot-dns-cloudflare.
You can create a Cloudflare account for free. Create a record for the domain for which you want to create a certificate. The domain I was configuring is only used internally, but certbot requires a pre-existing record, so I created a TXT record.
Install Certbot and the Cloudflare DNS plugin:
sudo apt update sudo apt install certbot python3-certbot-dns-cloudflare
Retrieve your Global API key from Cloudflare. The Cloudflare API supports tokens, but the current version of python3-certbot-dns-cloudflare in Buster does not.
# Cloudflare API credentials used by Certbot dns_cloudflare_email = firstname.lastname@example.org dns_cloudflare_api_key = 111111111111111111111111111111
Create the certificate:
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /home/username/certbot/cloudflare.ini -d sub.domain.com
The certificate is saved to:
The key is saved to: