Checking Let’s Encrypt® SSL Certificates

To make your website available over HTTPS, you need an SSL certificate, such as a free certificate from the Let’s Encrypt® Certification Authority.

Let’s Encrypt® certificates are valid for 90 days from the date of issue. To issue a certificate, you need to pass validation, i.e. demonstrate your control over the domain name. We recommend automatically renewing your certificates every 60 days.

There are two types of validation: HTTP-01 (by placing a file on the web server) and DNS-01 (via a TXT record). These instructions cover the DNS-01 challenge.

If your domain name is delegated to Selectel’s NS servers (Selectel is your DNS provider), you can validate control of the domain using the DNS hosting service. Selectel provides a DNS records management API that you can use to automate certificate reissue.

How DNS-01 Domain Challenge Works

This challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name. It also allows you to issue Wildcard certificates.

After Let’s Encrypt gives your ACME client a token, your client will create a TXT record derived from that token and your account key of the following form:

_acme-challenge.yourdomain.com TXT <token>

Then Let’s Encrypt will query the TXT record in the DNS zone of the domain name. If the entry is added and the values match, the certificate will be issued.
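As an added illustration (not part of Selectel’s documentation), the following Python shows what the `<token>` placeholder above stands for: the published TXT value is the base64url SHA-256 of the token joined to the account key’s JWK thumbprint (RFC 8555 section 8.4, RFC 7638). It also shows the check worth running before asking Let’s Encrypt to validate: comparing the expected value against the TXT strings the resolver actually returns. Function names and the sample key, token and answer lines are constructed for this example.

```python
"""Compute the DNS-01 TXT value an ACME client publishes (RFC 8555 s8.4, RFC 7638)."""
import base64
import hashlib
import json

# JWK members that RFC 7638 includes in the thumbprint, per key type.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value for _acme-challenge.<domain> TXT: base64url(SHA-256(token + "." + thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def txt_record_matches(answers: list[str], expected: str) -> bool:
    """True if any published TXT string (quotes stripped, as dig prints them) equals expected."""
    return any(a.strip().strip('"') == expected for a in answers)


# Constructed sample: a fake P-256 public JWK and a sample token, not real ACME account data.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
              "alg": "ES256"}  # optional member; must not change the thumbprint
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    expected = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    # Constructed dig-style answers: a stale value from a previous issuance plus the current one.
    published = ['"stale-value-from-previous-issuance"', f'"{expected}"']
    print("_acme-challenge.yourdomain.com TXT", expected)
    print("published record matches:", txt_record_matches(published, expected))
```

Because the value depends on the account key, a TXT record left over from a different ACME client or account will not validate, which is why manual renewals require updating the record each time.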

The sections below give examples of scripts that automate certificate reissue via the DNS-01 challenge using the Selectel DNS API.

Please note that the scripts should be run at least once every 90 days, preferably once every 60 days.

You can also issue and renew the certificate manually; this requires adding the TXT record by hand in the Control panel. Please note that using the DNS API is preferred.

Automatically Issuing Certificates with acme.sh

To automatically issue a certificate with acme.sh:

  1. Install acme.sh.
  2. Get the API key.
  3. Pass the API key to the SL_Key variable:

    export SL_Key="<token>"
  4. Issue the certificate:

    acme.sh --issue --dns dns_selectel -d yourdomain.com -d www.yourdomain.com

    The SL_Key value will be stored in ~/.acme.sh/account.conf.

Automatically Issuing Certificates with lego

To automatically issue a certificate with lego:

  1. Install lego.
  2. Get the API key.
  3. Pass the API key to the SELECTEL_API_TOKEN variable:

    export SELECTEL_API_TOKEN=<token>
  4. Issue the certificate:

    lego --email email@yourdomain.com --dns selectel --domains yourdomain.com run

Automatically Issuing Certificates with dehydrated

To automatically issue a certificate with dehydrated:

  1. Get the API key.
  2. Pass the API key to the SELECTEL_TOKEN variable:

    export SELECTEL_TOKEN=<token>
  3. Issue the certificate by running the hook.sh script.

Manually Issuing Certificates with acme.sh

When issuing a certificate manually, you need to add a TXT record in the Control panel. When renewing the certificate, the record must also be updated manually.

  1. Issue the certificate:

    acme.sh --issue -d yourdomain.com --dns \
    --yes-I-know-dns-manual-mode-enough-go-ahead-please
  2. Add the TXT record in the Control panel. This is required every time you renew your certificate.

  3. Wait about a minute for the DNS records to be updated. Then run the following command:

    acme.sh --renew -d yourdomain.com \
    --yes-I-know-dns-manual-mode-enough-go-ahead-please