It’s that time of the year to renew my certificate. In my Renew certificate 2017 edition post I wrote about switching to another source, that now has reached the end of the 3 free certificates. Time to switch again 🙄
A quick google directed me to https://letsencrypt.org. They are funded by companies and provide certificates for free. Use of certbot (https://certbot.eff.org) is advised and what I’ve used.
I’m using the docker version of certbot in manual mode. In the terminal line below I start the container, mount ~/workspace/certbot and provide the commandline options:
docker run -it --rm --name certbot -v "/Users/Eric/workspace/certbot:/etc/letsencrypt" -v "/Users/Eric/workspace/certbot/lib:/var/lib/letsencrypt" certbot/certbot certonly --manual --preferred-challenges dns
This starts a ‘conversation’ that creates a certificate in manual mode, with verification done through the DNS challenge: certbot prints a random string that I must publish in my domain’s DNS as a TXT record named ‘_acme-challenge’:
| Type | Host | Value | TTL |
| --- | --- | --- | --- |
| TXT-Record | _acme-challenge | R4nD0m57R1n9 | 1 min |
In my ~/workspace/certbot a lot of folders are created; one of them is called ‘live’. The live folder contains a folder named after the domain, with the certificate and private key inside. Synology accepts the privkey.pem and cert.pem. No need to provide the intermediate certificate.
Next time I should be able to use the command-line option ‘renew’ and all certificates will be renewed. Will update this post when that happens 😉
[edit] The renew option didn’t work. I get errors on the authentication. So I keep using the method above. During this manual renewal I discovered a handy command to check that the TXT record has been updated:
nslookup -type=TXT _acme-challenge.YOUR_DOMAIN_HERE
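An added helper built around the nslookup check above (example code, not from the original post): it keeps querying DNS until the _acme-challenge TXT record shows the token certbot printed, so certbot is only told to continue once the record is actually visible. It assumes nslookup is installed; the domain, token and optional resolver are placeholders you supply.

```shell
#!/bin/sh
# Added example, not part of the original post: wait for the _acme-challenge
# TXT record to carry the token certbot printed before continuing.
# Assumes nslookup is available (macOS, bind-utils/dnsutils on Linux).

# Pull the quoted TXT strings out of nslookup output read from stdin.
# nslookup prints answers like:  _acme-challenge.example.com  text = "R4nD0m57R1n9"
extract_txt_values() {
    sed -n 's/.*text = "\([^"]*\)".*/\1/p'
}

# Exit 0 when the expected token is one of the TXT values on stdin.
txt_contains_token() {
    expected="$1"
    extract_txt_values | grep -qxF -- "$expected"
}

# Query DNS for _acme-challenge.<domain> (optionally via a given resolver)
# and check whether the token is present. DOMAIN/TOKEN/RESOLVER are placeholders.
check_acme_txt() {
    domain="$1"; token="$2"; resolver="${3:-}"
    nslookup -type=TXT "_acme-challenge.$domain" ${resolver:+"$resolver"} 2>/dev/null \
        | txt_contains_token "$token"
}

# Poll until the record is visible or the retry budget is spent; a low TTL on
# the record (as in the table above) shortens how long an old value lingers.
wait_for_acme_txt() {
    domain="$1"; token="$2"; tries="${3:-30}"; delay="${4:-10}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if check_acme_txt "$domain" "$token"; then
            echo "TXT record for _acme-challenge.$domain is live"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "gave up: token not seen in _acme-challenge.$domain after $tries tries" >&2
    return 1
}
```

Run `wait_for_acme_txt YOUR_DOMAIN_HERE TOKEN_FROM_CERTBOT` in a second terminal while certbot is waiting for you to press Enter; a non-zero exit means the resolver still serves the old (or no) record.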