Automated Let's Encrypt with DNSimple
Automating SSL certificate generation with Let's Encrypt CA and DNSimple

Let’s Encrypt (LE) is a Certificate Authority that allows you to generate SSL certificates for free. Current limitations:

  • Expires after 3 months
  • No wildcard support for subdomains

The reason LE limits the expiration time to 3 months is to encourage the frequent cycling of certificates through automation.

DNSimple’s Simone Carletti wrote a small program that allows you to easily generate free SSL certificates using the ACME protocol, along with the DNSimple API. The program is natively compiled and doesn’t require a runtime like Ruby, Python or Java to be present on your machine.

I’ve forked his program and added the ability to specify the --out PATH option, allowing you to optionally specify an additional path to write the full chain and private key to (easier for automation). We’ll be using the fork for this guide.

Requirements

You’ll need the following:

  • DNSimple account
  • A domain managed by DNSimple
  • Linux server (32-bit or 64-bit)

For the purpose of this guide I’ll be using Ubuntu 14.04 along with the NGINX web server, but you can use whatever you’re working with.

Installation

Download either the 32-bit or 64-bit Linux binary to your server and place it wherever you want. I’ll place it in /usr/local/bin/letsencrypt-dnsimple.

wget https://github.com/mrrooijen/letsencrypt-dnsimple/releases/download/v0.0.0/letsencrypt-dnsimple-amd64.tar.gz
tar xvzf letsencrypt-dnsimple-amd64.tar.gz
mv ./letsencrypt-dnsimple /usr/local/bin/
rm letsencrypt-dnsimple-amd64.tar.gz

Create a new file called run-letsencrypt-dnsimple with the following contents, and place it wherever you want. I’ll place it in /usr/local/bin/run-letsencrypt-dnsimple.

#! /bin/sh

/usr/local/bin/letsencrypt-dnsimple              \
  -api-key 1234567890                            \
  -user    me@example.com                        \
  -email   me@example.com                        \
  -out     /etc/nginx/ssl                        \
  -url     https://acme-v01.api.letsencrypt.org/ \
  example.com,www.example.com

service nginx reload

  • API_KEY: Your DNSimple API (v1) key
  • USER: Your DNSimple email address
  • EMAIL: Used by LE. You can set this to the same value as -user.
  • URL: The LE API URL. Use https://acme-v01.api.letsencrypt.org/ for production runs. Omit this option for dry runs.
  • OUT: Optional; specifies where the two generated files are written. For example, -out /etc/nginx/ssl generates privkey.pem and fullchain.pem in /etc/nginx/ssl.
  • ARGV: The list of domains the certificate should cover, separated by commas.

Once you’re finished configuring the shell script, make it executable.

chmod a+x /usr/local/bin/run-letsencrypt-dnsimple

First, perform a dry run to see if the script works. Omit the -url option in your script, then execute the script /usr/local/bin/run-letsencrypt-dnsimple.

Once you’ve confirmed that it works, add the -url option back with https://acme-v01.api.letsencrypt.org/. Now add a crontab entry:

crontab -e

In the crontab, add the following:

0 0 1 * * /usr/local/bin/run-letsencrypt-dnsimple

Your system will now request a new fullchain.pem and privkey.pem on the first day of every month, overwriting the previous month's fullchain.pem and privkey.pem, and reload nginx so the new certificate takes effect.

Assuming your -out option was set to /etc/nginx/ssl, you’ll want to add the following entries to your nginx configuration:

ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
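The run script above reloads nginx even when letsencrypt-dnsimple fails or writes something unexpected. As an added example (not from this post or from the letsencrypt-dnsimple project), here is a stricter run-letsencrypt-dnsimple that checks the written fullchain.pem and privkey.pem, restricts the key file's permissions, and reloads only after a successful issuance; the key-file path /etc/letsencrypt-dnsimple.key and the domains are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post or the letsencrypt-dnsimple project:
# run the tool, verify what it wrote, and only then reload nginx.
# Paths, the API key file and the domain list below are placeholders/assumptions.
set -u

LE_BIN="/usr/local/bin/letsencrypt-dnsimple"
SSL_DIR="${SSL_DIR:-/etc/nginx/ssl}"                            # same value as -out
API_KEY_FILE="${API_KEY_FILE:-/etc/letsencrypt-dnsimple.key}"   # assumed: holds the DNSimple key, mode 0600
DOMAINS="example.com,www.example.com"

# 0 if $1 carries a PEM certificate and $2 a PEM private key (any key type).
pem_headers_ok() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || return 1
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$2" 2>/dev/null
}

# 0 if the public key in certificate $1 equals the one derived from private key $2
# and the certificate stays valid for at least $3 seconds (default: 30 days).
cert_matches_key() {
    cert="$1"; key="$2"; min_secs="${3:-2592000}"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$cert" -noout -checkend "$min_secs" >/dev/null 2>&1
}

# The key should be readable by root only; nginx opens it as root before dropping privileges.
lock_down_key() {
    chmod 0600 "$1"
}

renew_and_reload() {
    "$LE_BIN" \
        -api-key "$(cat "$API_KEY_FILE")" \
        -user    me@example.com -email me@example.com \
        -out     "$SSL_DIR" \
        -url     https://acme-v01.api.letsencrypt.org/ \
        "$DOMAINS" || { echo "issuance failed, keeping the current certificate" >&2; return 1; }
    pem_headers_ok "$SSL_DIR/fullchain.pem" "$SSL_DIR/privkey.pem" || { echo "output is not PEM" >&2; return 1; }
    cert_matches_key "$SSL_DIR/fullchain.pem" "$SSL_DIR/privkey.pem" || { echo "cert/key mismatch or short validity" >&2; return 1; }
    lock_down_key "$SSL_DIR/privkey.pem" || return 1
    nginx -t >/dev/null 2>&1 && service nginx reload   # reload only if the config still parses
}

if [ -x "$LE_BIN" ]; then
    renew_and_reload
else
    echo "$LE_BIN is not installed; nothing to do" >&2
fi
```

Because the old files are only replaced by the tool itself, a failed run leaves the previous (still valid, since it is renewed monthly) certificate in place and nginx untouched.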

Now you should be good to go. Unlimited, automated, free SSL certificates, cycled on a monthly basis.
