LetsEncrypt is free, but I need to pay $100 per year to get an API key from DnsMadeEasy?

I have a 10 domain small business account with DnsMadeEasy. I was attempting to install letsencrypt on Ubuntu. The instructions stated I needed my API key from DnsMadeEasy.

I logged into my account and could not find it so I emailed support. I was told that I needed to get a Business DNS package which costs $95.00 a year! My "small business" account does not qualify.

Is this true, that the SSL cert is free, but still going to cost me $100.00 to get the cert?

Am I missing something?

1 Like

Let's Encrypt does not charge for certificates. I looked at DnsMadeEasy and they definitely do charge for API access. Usually there's at least a basic free API, or some other way to automate certificates.

Do you need to use the DNS challenge? Let's Encrypt can validate over HTTP, although to get a wildcard you'll need to use the DNS challenge.

Alternatively you could manually enter the TXT record every 90 days, although I don't recommend adding any manual steps to certificates. I personally use Cloudflare DNS which does not charge for API access.

6 Likes

So...
Are you forced to use DnsMadeExpensiveEasy?

8 Likes

I will have to research what a DNS challenge is :(, but probably not. Just installed Ubuntu to learn and play. I will need a wildcard SSL as I will be putting up a mail server.

Thank you for the suggestion for Cloudflare DNS. I sent them an email looking for more information. Thank you...

2 Likes

No, I do not need to use them; I have just been using them for 10 years. I don't have any problems with changing, I just can't believe that you need to pay for an API, $100 at that. Thank you.
And I liked your pun on DNS made expensive.

2 Likes

I'm not aware of anything in a standard mail server that would require using a wildcard cert. Can you elaborate why you think you need a wildcard cert for your mail server?

7 Likes

You can use a free acme dns service from https://myaddr.tools

More info at https://addr.tools

A subdomain off the primary domain. Webserver: domainname.com and mail server with web login: webmail.domainname.com (multiple subdomain names with a single SSL certificate). With the above I assumed I needed to get a wildcard SSL cert. Yes?

Thank you...

2 Likes

I will check this out.

Thank you...

1 Like

No, for just one or a few (up to 100) subdomains you could simply get a certificate containing multiple hostnames. That's not the same as a wildcard certificate.

5 Likes

Interesting, I was not aware of this, thank you. Based on your reply, I found this info on LE. Now I just need to get the API:

"You can combine multiple hostnames into a single certificate, up to a limit of 100 Names per Certificate. For performance and reliability reasons, it’s better to use fewer names per certificate whenever you can. A certificate with multiple names is often called a SAN certificate, or sometimes a UCC certificate."

If you know at the outset what domains you want to be included in the certificate, it’s not necessary to edit any configuration files. Instead, you can specify the domains on the command line when you first run certbot. For example, you might run something like

certbot-auto -d one.example.com -d two.example.com -d three.example.com -d example.org

This will request a certificate covering all of those names. When renewing the certificate with certbot-auto renew, it will be replaced with a new certificate that still covers all of the names.

Note that there is no such thing as certbot-auto any longer, it's just certbot now.

4 Likes

Why? You only need API access if you need to make automated updates to your DNS records, and you only need to do that if either (1) you need a wildcard cert (which it seems you don't), or (2) you need to get a cert for a server that isn't accessible from the Internet.

If you do need one of those things, then you'll (effectively) need API access--you could always get along with making manual updates to the DNS records whenever you get or renew a cert, but that's not the way Let's Encrypt is intended to be used. There are several ways in which you could accomplish this, including (in no particular order):

  • Pay the $100 to DNSMadeExpensive
  • Move your DNS hosting to another DNS host who's less user-hostile--Cloudflare is pretty popular (I've been entirely satisfied with their service), it's free for DNS service (with no cost for API access), and gives you plenty of bells and whistles (at additional cost) if you want or need them. But Cloudflare certainly isn't the only option out there; there are dozens of DNS hosts with API access.
  • Host your own limited DNS server whose only function is to serve the challenge tokens using acme-dns.
  • Use acme-dns' hosted service--not really how it was intended to be used, but nothing prevents you from using their service that way.
  • Use challenges.addr.tools much as you would acme-dns

6 Likes
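
The rule discussed in the replies above (a wildcard name forces the DNS challenge, a plain list of up to 100 hostnames does not), as an added example that is not part of the original thread. The function names and the webroot path `/var/www/html` are assumptions, and the server is assumed to be reachable from the Internet on port 80; the script only prints the certbot command, it does not contact Let's Encrypt.

```bash
#!/usr/bin/env bash
# Added example: pick the ACME challenge type for a set of hostnames and
# print the matching certbot command. Function names are hypothetical.

MAX_NAMES=100   # "100 Names per Certificate" limit quoted in the thread

# challenge_for NAME... -> prints "http-01" or "dns-01"; returns 1 on bad input
challenge_for() {
    if [ "$#" -eq 0 ] || [ "$#" -gt "$MAX_NAMES" ]; then
        echo "error: need 1..$MAX_NAMES names, got $#" >&2
        return 1
    fi
    local name
    for name in "$@"; do
        case "$name" in
            # A wildcard name can only be validated with the DNS challenge.
            \*.*) echo "dns-01"; return 0 ;;
        esac
    done
    echo "http-01"   # plain hostnames: no DNS API access needed
}

# certbot_command WEBROOT NAME... -> prints the certbot invocation to run
certbot_command() {
    local webroot=$1; shift
    local challenge
    challenge=$(challenge_for "$@") || return 1
    local cmd="certbot certonly"
    if [ "$challenge" = "http-01" ]; then
        cmd="$cmd --webroot -w $webroot"
    else
        # Manual TXT record entry; a DNS plugin replaces this when an API exists.
        cmd="$cmd --manual --preferred-challenges dns"
    fi
    local name
    for name in "$@"; do
        cmd="$cmd -d '$name'"   # quoted so '*' is never expanded by the shell
    done
    echo "$cmd"
}

# Hostnames from the thread: one multi-name certificate, validated over HTTP.
certbot_command /var/www/html domainname.com webmail.domainname.com
# Same domain with a wildcard: the DNS challenge becomes mandatory.
certbot_command /var/www/html domainname.com '*.domainname.com'
```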

Bottom line:

Best for OP is to use the http-01 challenge so it wouldn't cost them anything.

4 Likes

Or just switch to Cloudflare, it's free.

3 Likes

But if the dns-01 challenge isn't necessary, why change? 🙂 There might be other, non-certificate related, reasons to change away from DNSMadeExpensive (😄), but in this case I don't think the certificate is one.

3 Likes

I did change the DNS to Cloudflare, will test that out. Was able to get the API.

Thank you everyone, much appreciated.

3 Likes

If this all works out and saves you $100/year...
You might want to think about donating something to LE for all that they provide.
Donate - Let's Encrypt (letsencrypt.org)

6 Likes
