
Creating an SSL Certificate with Let’s Encrypt

In some cases, SSL/TLS certificates are required not only for externally reachable services but also for internal systems. Let's Encrypt can issue for such hosts because DNS validation only requires control of the domain's public DNS zone; the host itself does not have to be reachable from the Internet. This guide describes the procedure for manually issuing a certificate using the Let's Encrypt service.

General Information

  • The procedure is performed manually using DNS verification (the ACME dns-01 challenge).
  • Commands can be executed on any Linux host; it is not required to run them on the target server. Note that the private key is generated on the host where Certbot runs, so it must be copied to the target server over a secure channel and kept readable only by the service that needs it.
  • The same procedure is used for certificate renewal.
  • Before renewal, the old DNS verification record must be removed; Certbot issues a new token on every run, so the old value is of no further use.

Installing Certbot

Update the package list and install Certbot:

sudo apt update
sudo apt install certbot -y

Issuing a Certificate

As an example, we will create a certificate for the domain:

Domain example
host1.acc1.at.loc.icdc.io

Run the following command:

sudo certbot certonly --manual --preferred-challenges dns -d host1.acc1.at.loc.icdc.io

What this command does:

  • Requests a certificate from Let's Encrypt.
  • Uses manual DNS validation (DNS challenge) to verify domain ownership.
  • Must be run with sudo: the certificate and private key are written under /etc/letsencrypt, which is owned by root.

Domain Ownership Verification

During execution:

  1. Enter your email address (used for expiration notifications).
  2. Accept the terms of service.

After that, you will see a prompt to create a DNS TXT record:

Output example
Please deploy a DNS TXT record under the name:

_acme-challenge.host1.acc1.at.loc.icdc.io

with the following value:

2C8LVlCCLEyR-ZPMUwOD0kOl1gRo2ArKpYxDdc364-U

DNS Configuration

Add a TXT record in the DNS Networking service, using exactly the name and value that Certbot printed:

Record name and value (example)

_acme-challenge.host1.acc1.at.loc.icdc.io

2C8LVlCCLEyR-ZPMUwOD0kOl1gRo2ArKpYxDdc364-U

Verifying the DNS Record

Before proceeding, make sure the DNS record has propagated. Let's Encrypt validates from its own public vantage points, so check a public resolver (as in the examples below) rather than an internal resolver that may already hold the record.

  1. You can use online tools for verification, for example: Google Admin Toolbox Dig

  2. You can also verify via the console:

    host -t TXT _acme-challenge.host1.acc1.at.loc.icdc.io 8.8.8.8
    

Ensure that the response contains the TXT record with the expected value.
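Checking propagation by hand is easy to get wrong (querying a resolver that already has the record, or pressing Enter before the public resolvers see it). The following script is an added example and not part of the original page: it polls a public resolver for the _acme-challenge record and returns success only once a TXT record with the exact token Certbot printed is visible. The record name and token are the page's example; the resolver address, attempt count and delay are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): poll a public resolver until the
# ACME TXT record carries the exact token Certbot asked for.

# Parse `host -t TXT` output and report whether any TXT record holds the expected value.
# `host` prints one line per record in the form:  <name> descriptive text "<value>"
# The surrounding quotes are part of the pattern so that only an exact value matches.
# Arguments: $1 = raw host output, $2 = expected token
txt_value_present() {
    printf '%s\n' "$1" | grep -F -q "\"$2\""
}

# Query a single resolver for the TXT record; output is empty if it is not there yet.
# Arguments: $1 = record name, $2 = resolver IP (assumed default: 8.8.8.8)
query_txt() {
    host -t TXT "$1" "${2:-8.8.8.8}" 2>/dev/null || true
}

# Poll until the record is visible or the attempts run out.
# Arguments: $1 = record name, $2 = expected token, $3 = resolver,
#            $4 = attempts (assumed default 20), $5 = seconds between attempts (assumed default 15)
wait_for_txt() {
    name=$1; expected=$2; resolver=${3:-8.8.8.8}
    attempts=${4:-20}; delay=${5:-15}
    i=1
    while [ "$i" -le "$attempts" ]; do
        out=$(query_txt "$name" "$resolver")
        if txt_value_present "$out" "$expected"; then
            echo "TXT record with the expected value is visible at $resolver (attempt $i)"
            return 0
        fi
        echo "attempt $i/$attempts: record not visible yet at $resolver, sleeping ${delay}s" >&2
        i=$((i + 1))
        sleep "$delay"
    done
    echo "gave up: TXT record not visible at $resolver after $attempts attempts" >&2
    return 1
}

# Usage: wait_for_txt.sh <record name> <token> [resolver]
# e.g.   wait_for_txt.sh _acme-challenge.host1.acc1.at.loc.icdc.io 2C8LVlCCLEyR-ZPMUwOD0kOl1gRo2ArKpYxDdc364-U 8.8.8.8
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Run it in a second terminal after creating the record and leave the Certbot prompt waiting; press Enter only after the script reports success. Matching on the quoted value rather than on the record name alone guards against a stale token from a previous issuance still being published.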

After verification, return to the console and press Enter to continue. Certbot will complete the process and issue the certificate.

After successful execution, you will see a message like:

Successfully received certificate.

Certificate is saved at: /etc/letsencrypt/live/host1.acc1.at.loc.icdc.io/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/host1.acc1.at.loc.icdc.io/privkey.pem
This certificate expires on 2026-02-09.

Verifying the Certificate

sudo openssl x509 -in /etc/letsencrypt/live/host1.acc1.at.loc.icdc.io/fullchain.pem -noout -issuer -subject -dates

Example Output
issuer=C = US, O = Let's Encrypt, CN = R13
subject=CN = host1.acc1.at.loc.icdc.io
notBefore=Nov 11 06:13:47 2025 GMT
notAfter=Feb  9 06:13:46 2026 GMT

Certificate Renewal

To renew the certificate, repeat the same certbot certonly command before it expires. Let's Encrypt certificates are valid for 90 days, and renewing about 30 days before the notAfter date is the usual practice. Note that Certbot's automatic renewal (certbot renew) cannot complete a manual DNS challenge without a --manual-auth-hook script, so with this procedure renewal remains a manual step.

Important

Before renewal, remove the DNS TXT record used for the previous verification. Certbot prints a new token on every run, so a new record with the new value must be created during the renewal run.