If you are using tinydns running on the same server as Apache, the following works well for me. This assumes you already have a virtual host configured for your domain. This is on CentOS 7.
I have logged into my server via ssh as myloginusername, then su root. (Of course, for security, ssh is configured to not allow connection as root.)
On the command line:
certbot certonly -d example.com -d *.example.com
In /etc/letsencrypt/cli.ini:
manual
server = https://acme-v02.api.letsencrypt.org/directory
rsa-key-size = 4096
preferred-challenges = dns
manual-auth-hook = /path/to/certbot-dns-auth.sh
manual-cleanup-hook = /path/to/certbot-dns-auth-cleanup.sh
In certbot-dns-auth.sh:
#!/bin/bash
# certbot runs this once per challenge with CERTBOT_DOMAIN and CERTBOT_VALIDATION exported
cd /etc/tinydns/root || exit 1
# Keep a copy of the last known-good data file
cp -f data data-good
# tinydns TXT record format: 'fqdn:text:ttl
echo "'_acme-challenge.$CERTBOT_DOMAIN:$CERTBOT_VALIDATION:120" >> data
./update.sh
# Sleep to make sure the change has time to propagate over to DNS
sleep 25
In certbot-dns-auth-cleanup.sh:
#!/bin/bash
cd /etc/tinydns/root || exit 1
# Remove the last line, i.e. the challenge record appended by certbot-dns-auth.sh
head -n -1 data > tmp; mv -f tmp data
./update.sh
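The two hooks above work, but the fixed sleep guesses at propagation and the cleanup blindly drops the last line of data. The script below is an added example, not the original poster's code: one file installed as both manual-auth-hook (with argument auth) and manual-cleanup-hook (with argument cleanup) that polls the authoritative server until the TXT record is actually answered and removes only the record it added. It assumes data lives in /etc/tinydns/root, that make rebuilds data.cdb (substitute ./update.sh for the two-server setup), that dig is installed, and that NS_ADDR points at the tinydns instance to query.

```shell
#!/bin/bash
# Added example, not the original poster's hooks: one script used as both
# manual-auth-hook (argument "auth") and manual-cleanup-hook (argument "cleanup").
# It removes only the record it added and waits until the authoritative server
# actually serves the token instead of sleeping a fixed 25 seconds.
# Assumptions: data lives in /etc/tinydns/root, `make` rebuilds data.cdb, `dig`
# is installed, and NS_ADDR (default 127.0.0.1) is the tinydns instance to query.
set -eu
DATA_DIR=/etc/tinydns/root
NS_ADDR=${NS_ADDR:-127.0.0.1}

# tinydns TXT line: 'fqdn:text:ttl. Colons in the text would need escaping as
# \072, but ACME validation tokens are base64url and never contain one.
tinydns_txt_line() {   # args: domain validation
    printf "'_acme-challenge.%s:%s:120\n" "$1" "$2"
}

# Drop only the line carrying this token, so a second pending challenge for the
# same name (example.com and *.example.com share _acme-challenge) survives.
remove_challenge_line() {   # args: data-file validation
    local tmp
    tmp=$(mktemp "$1.XXXXXX")
    grep -vF -- ":$2:" "$1" > "$tmp" || true   # grep exits 1 if nothing is left
    mv -f "$tmp" "$1"
}

# Poll the authoritative server until the TXT record appears or $3 seconds pass.
wait_for_txt() {   # args: fqdn validation timeout-seconds
    local deadline=$(( $(date +%s) + $3 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        dig +short @"$NS_ADDR" TXT "$1" | grep -qF "\"$2\"" && return 0
        sleep 2
    done
    echo "TXT record for $1 not served by $NS_ADDR after $3 s" >&2
    return 1
}

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION for both hooks; with no
# argument (run by hand or sourced) only the functions above are defined.
case "${1:-}" in
    auth)
        cd "$DATA_DIR"
        tinydns_txt_line "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" >> data
        make
        wait_for_txt "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" 60 ;;
    cleanup)
        cd "$DATA_DIR"
        remove_challenge_line data "$CERTBOT_VALIDATION"
        make ;;
esac
```

If the token never appears within the timeout the auth hook exits non-zero, so certbot stops instead of asking Let's Encrypt to validate a record that is not being served.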
Note: I have tinydns running on a second server. The file update.sh in /etc/tinydns/root is a bash script that runs “make” to update the data.cdb file and uses rsync to copy data and data.cdb to the other server. How to do that is another topic. (If requested, I can upload detailed instructions on how to set it up.) If you are only concerned with a single instance of tinydns, replace “./update.sh” with “make”.
However, for interest’s sake, here is the content of update.sh:
#!/bin/sh
# Rebuild data.cdb from data; do not sync if the build fails
make || exit 1
# Copy both files to the second tinydns server (ws2) over ssh with a dedicated key
rsync -avz -e "ssh -i /home/fredmc/rsync_key/ws1-rsync-key" /etc/tinydns/root/data.cdb myloginname@ws2:/etc/tinydns/root
rsync -avz -e "ssh -i /home/fredmc/rsync_key/ws1-rsync-key" /etc/tinydns/root/data myloginname@ws2:/etc/tinydns/root
I have the IP address of ws2 in /etc/hosts.
I tried using -i apache to have the Apache plugin install the certificates, but it didn’t do anything that I can find.
I had to manually update my Apache virtual host entries. I keep a separate file for each virtual host. This is what it looks like after my update:
<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    DocumentRoot /path/to/http/www
    ServerName example.com
    ServerAlias *.example.com
    # To automatically redirect to HTTPS
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@example.com
    DocumentRoot /path/to/http/www
    ServerName example.com
    ServerAlias *.example.com
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
</IfModule>
You probably have other lines in these entries.
This is for Apache < 2.4.8.
For Apache >= 2.4.8, change the lines starting with SSLCertificate… to:
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
Do not include SSLCertificateChainFile; fullchain.pem already contains the intermediate chain.
The files update.sh, certbot-dns-auth.sh, and certbot-dns-auth-cleanup.sh must be executable.
I hope this helps someone.