Issuing a certificate for an IRC server with no website associated (no apache - no nginx)

Here are the instructions:

FIRST you have to install the certbot bin (if not yet installed) with:

apt install certbot

THEN you have to install the Python script to make certbot work with DNS:

cd /etc/letsencrypt

wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py

chmod +x acme-dns-auth.py

pico acme-dns-auth.py

The last command is to add the number "3" to the first line (you can use your favourite editor) to ensure the latest version of Python is used:

#!/usr/bin/env python3

My domain is:

irc.example.com

I ran this command:

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d '*.example.com'

In this example I'm issuing a wildcard certificate for every subdomain of example.com. If you want to issue a certificate only for one subdomain, just replace * with whatever, as here:

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d whatever.example.com

My web server is (include version): none

The operating system my web server runs on is (include version): Debian 12

My hosting provider, if applicable, is: eticoweb.it

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

Well, I was lurking around for a solution to install a certificate for my IRC server, which is a 2011 Mac mini running Debian 12.

I have total control over the DNS records through my provider, but I don't have a fixed IP at home, so I have to instruct DNS to redirect irc.example.com to whatever.dyndns.org and update it dynamically via the router setup; this is mandatory because I only manage the DNS zone with my service provider, and the server machine is installed in a SOHO environment, with no fixed IP, as said.

So, after issuing the command in the server's shell, the script pauses, giving you time to add a CNAME record as per the instructions the certbot client gives you, something like this:

_acme-challenge.irc.example.com

CNAME

da9f5cc8-9012-46d5-a9af-6a3b3946909c.auth.acme-dns.io.

Once you've added the DNS record, and saved changes, you can return to your shell and press enter to continue the cert installation.

At the end you'll have a certificate issued for your domain with no need of a webserver running :smiley:

1 Like
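A pre-flight check for the CNAME step described in the post above, as an added example that is not part of the original thread or of the acme-dns-certbot project. The function names and the sample resolver answers are constructed; the CNAME target is the one quoted in the post. It also covers the wildcard case: a certificate for `*.example.com` is validated at `_acme-challenge.example.com`.

```python
# Added example: check the CNAME that delegates a DNS-01 challenge to acme-dns.
# Helper names are assumptions; the sample resolver answers are constructed.

def challenge_name(domain):
    """Record name the CA queries for a certbot -d value (a wildcard validates at its parent)."""
    name = domain.strip().rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    return "_acme-challenge." + name


def parse_answers(text):
    """Parse 'name ttl class type rdata' lines, as printed by `dig +noall +answer`."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and not parts[0].startswith(";"):
            owner, rtype, rdata = parts[0], parts[3].upper(), parts[4]
            records.append((owner.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return records


def check_delegation(domain, target, answer_text):
    """Return (ok, reason) for the CNAME that hands the challenge to acme-dns."""
    name = challenge_name(domain)
    want = target.rstrip(".").lower()
    records = parse_answers(answer_text)
    cnames = [rdata for owner, rtype, rdata in records if owner == name and rtype == "CNAME"]
    if not cnames:
        # Some DNS panels append the zone to the owner name, creating name.zone instead.
        if any(owner.startswith(name + ".") for owner, _, _ in records):
            return False, "record name has the zone appended twice"
        return False, "no CNAME found at " + name
    if cnames[0] == want:
        return True, name + " -> " + want
    if cnames[0].startswith(want + "."):
        # Target entered without the trailing dot, so the panel treated it as relative.
        return False, "target is relative; add the trailing dot"
    return False, "CNAME points to " + cnames[0] + ", expected " + want


TARGET = "da9f5cc8-9012-46d5-a9af-6a3b3946909c.auth.acme-dns.io."  # value shown in the post
GOOD = "_acme-challenge.irc.example.com. 300 IN CNAME " + TARGET    # constructed answer
RELATIVE = GOOD.rstrip(".") + ".example.com."                       # constructed answer

if __name__ == "__main__":
    print(challenge_name("*.example.com"))
    print(check_delegation("irc.example.com", TARGET, GOOD))
    print(check_delegation("irc.example.com", TARGET, RELATIVE))
```

To check a live zone, pass the output of `dig +noall +answer CNAME _acme-challenge.irc.example.com` as `answer_text` before pressing enter in certbot.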

Hello @evanmac .. This post is interesting and yet I find myself curious why @joohoi would not post it himself?

2 Likes

Probably because the script is ancient and back in the day there probably has been a thread about it already.

Please don't use apt to install Certbot. It's often ancient and the recommended method of installing Certbot is using snap. See Certbot Instructions | Certbot for more information.

Furthermore, I have a question: why not simply use the --standalone authenticator? It does not require a separate webserver like Apache or nginx. It does require an open port 80, but that usually doesn't really matter.

4 Likes

I searched in this forum but I found nothing to solve my problem.

On my distro (Debian 12) I have always used apt to install packages, and until now I have had zero problems :smiling_face:

Because I run an instance of Nextcloud on the same machine and I don't want to mess things up or modify the nginx conf files :wink:
