Introduction
In order to help users encrypt traffic to your server, you need a valid TLS/SSL certificate. Let’s Encrypt is an organization which issues such certificates for free. However, you have to prove ownership over the domain, for which you want the certificate. This tutorial guides you through getting a wildcard certificate for your domain, while using the Hetzner DNS service and its API.
The route this tutorial takes is one of many. Depending on your personal preference you may also like to take a look at this project: https://github.com/ctrlaltcoop/certbot-dns-hetzner
Prerequisites
You need the following things to get started:
- A server
- A Domain:
<example.com> - Your Domain is set up to use the Hetzner DNS service (not covered here)
This tutorial assumes you are using Ubuntu 18.04 or 20.04, however this should also work on other Linux systems.
Step 1 – Install Dependencies
We will make use of curl, jq and certbot. You need to install those:
apt update
apt install curl jq certbotAdditionally we also need some glue between certbot and Hetzner’s DNS API:
curl https://raw.githubusercontent.com/dschoeffm/hetzner-dns-certbot/master/certbot-hetzner-auth.sh > /usr/local/bin/certbot-hetzner-auth.sh
curl https://raw.githubusercontent.com/dschoeffm/hetzner-dns-certbot/master/certbot-hetzner-cleanup.sh > /usr/local/bin/certbot-hetzner-cleanup.sh
chmod +x /usr/local/bin/certbot-hetzner-auth.sh
chmod +x /usr/local/bin/certbot-hetzner-cleanup.shStep 2 – Acquire API Token
In order to talk to the Hetzner DNS API, we need an authorization token. You can create one on the Hetzner DNS website: https://dns.hetzner.com/settings/api-token.
For this tutorial, we will assume the token is LlGoDUQ39S6akqoav5meAsv5OIpeywhj.
Save the token to /etc/hetzner-dns-token:
echo LlGoDUQ39S6akqoav5meAsv5OIpeywhj > /etc/hetzner-dns-tokenStep 3 – Get Certificate
At this point, we can request a certificate from Let’s Encrypt:
certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /usr/local/bin/certbot-hetzner-auth.sh --manual-cleanup-hook /usr/local/bin/certbot-hetzner-cleanup.sh -d <example.com> -d *.<example.com>Step 4 – Install Certificate
After having acquired a freshly baked TLS/SSL certificate, you will also want to put it to use. For example in a web server, or a mail server. This however is not covered here.
Conclusion
We created a Hetzner DNS API token and used domain validation to request a wildcard certificate, which covers the domain, as well as all subdomains.
Reprint:https://community.hetzner.com/tutorials/letsencrypt-dns
Leave a Reply