Config Server Firewall

How to get a Let's Encrypt Certificate before DNS is moved (DNS-01 validation)

Let's Encrypt issues certificates through an automated process with minimal user interaction, using ACME client software such as certbot. To obtain a certificate, you must prove control of the domain name for which the certificate is requested.

By default, the certbot client checks whether the website is hosted on the same server from which the certificate request is made. So to obtain a certificate, DNS records must already exist pointing your domain name to the server on which you are going to install the SSL certificate.

Problem: Installing a Let's Encrypt certificate before the DNS is moved

For example, let us assume that your domain name example.com is hosted on server1. You are planning to move your website to server2 and want to install a Let's Encrypt certificate on server2 before updating the DNS record.

Let's Encrypt validation on server2 will fail, because DNS is still pointing to server1.

Solution: DNS-01 validation

The solution is to validate your domain name using the manual method, by adding a TXT record (DNS-01 validation).

An example request made with the manual method would look like:

certbot certonly -d www.example.com --manual --preferred-challenges dns

Once you run the command, you will receive instructions on how to set up the TXT record:

Please deploy a DNS TXT record under the name
_acme-challenge.www.example.com with the following value:

n6nbkIiwOgS5qyGcF7qbOCgueS1ZjmZrihDrghgSpmQ

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Now go to your DNS control panel (provided by your domain name registrar or your DNS service provider, for example Cloudflare) and add a TXT record as instructed by certbot.

Once the DNS record has been updated and has propagated, press Enter to continue and obtain the free SSL certificate.
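To make the "verify the record is deployed" step concrete, here is an added example (not part of the original article) showing how the TXT value certbot prints is derived (RFC 8555 section 8.4: base64url of SHA-256 over token.thumbprint, with the account-key thumbprint per RFC 7638) and how to check the output of dig +short against it before pressing Enter. The token, JWK modulus and dig output below are constructed sample values, not real ACME data.

```python
"""DNS-01 helpers: derive the expected _acme-challenge TXT value and check dig output."""
import base64
import hashlib
import json

# Constructed sample inputs (not real ACME data). A real token comes from the
# ACME server; the JWK is the ACME account's public key.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    lexicographically sorted, with no whitespace. Optional members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """The 43-character value certbot tells you to publish at _acme-challenge.<name>
    (same shape as the n6nbkIiw... value shown above)."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def record_is_deployed(dig_short_output: str, expected: str) -> bool:
    """Check `dig +short TXT _acme-challenge.www.example.com` output for the value.
    dig wraps each TXT string in double quotes, and stale values from earlier
    issuances may still be present; like the ACME server, accept any matching record."""
    values = {line.strip().strip('"') for line in dig_short_output.splitlines()
              if line.strip()}
    return expected in values


if __name__ == "__main__":
    expected = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    # Constructed dig output: one stale record from a previous run plus the new one.
    sample_dig = f'"old-value-from-last-renewal"\n"{expected}"\n'
    print("expected TXT value:", expected)
    print("deployed:", record_is_deployed(sample_dig, expected))
```

Run the checker against the live output of dig +short only after your provider shows the record saved; a stale resolver cache is the usual reason the value is "missing".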

Note that the manual plugin only works with the certonly option, so certbot will not configure an HTTPS virtual host for your Apache/nginx web server.

A sample HTTPS virtual host file for the Apache web server would look like:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example.com
    ErrorLog "logs/example.com-error_log"
    CustomLog "logs/example.com-access_log" combined
    SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>