Caddy is the recommended and easiest way to set this up (guide here), but HTools ACME works with any client including certbot.
This guide assumes nginx, but any web server that certbot supports will work.
Get a regular web server running as usual. A simple nginx config:
```nginx
server {
    listen 80;
    listen [::]:80;
    root /var/www/demo.lazydane;
    index index.html;
    server_name demo.lazydane;
    location / {
        try_files $uri $uri/ =404;
    }
}
```
Install certbot (see https://certbot.eff.org/ for other installation options):
```sh
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```
Set up certificates with certbot. The only difference from a normal certbot run is the --server and --reuse-key flags:
```sh
sudo certbot --nginx --server https://acme.htools.work/directory --reuse-key -d demo.lazydane
```
Certbot doesn’t yet have an easy option to change renewal time (track certbot/certbot#9261 for that). Until that’s implemented, the only way is to manually edit the config file.
Edit /etc/letsencrypt/renewal/demo.lazydane.conf with your favorite text editor to uncomment the renewal line and change it from 30 days to 1 day:
```ini
# renew_before_expiry = 30 days
```
(changes to)
```ini
renew_before_expiry = 1 day
```
The final step is to set the TLSA record, just like a regular DANE website.
To find the record to be set, visit https://acme.htools.work/tlsa and enter your domain name:
Set this record at your DNS host (PowerDNS, Varo, Namebase, etc.).
Visiting https://demo.lazydane/ should load without warnings (if you are browsing securely with Fingertip).
As of this point, the website is just secured with regular DANE.
Since the certificate needs to include DNSSEC proofs of the TLSA record, those proofs can only be added once the TLSA record exists.
Now that we’ve set the TLSA record, the next time certbot renews the certificate, it will get a Stateless DANE certificate.
We could simply wait ~1.5 days and it would take effect automatically, but let's force certbot to renew the certificate now to skip the wait by adding --force-renewal (replace the domain name with yours):
```sh
sudo certbot --nginx --server https://acme.htools.work/directory --reuse-key --force-renewal -d demo.lazydane
```
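Once the record is published, it is worth confirming that it actually covers the key certbot keeps reusing: a DANE-EE record of the usual 3 1 1 shape pins the SHA-256 of the certificate's SubjectPublicKeyInfo, which is exactly why --reuse-key matters (a rotated key would silently invalidate the record). The following Python check is an added example, not part of the HTools guide; it assumes the 3 1 1 record shape, walks the certificate DER with the standard library only, and uses a constructed, unsigned certificate skeleton as sample input (in practice, feed it the DER of the certificate nginx serves).

```python
import hashlib

def der_tlv(buf, pos):
    """Decode one DER element at pos: returns (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (v1 or v3)."""
    _, tbs, _ = der_tlv(cert_der, 0)              # outer Certificate SEQUENCE
    _, pos, _ = der_tlv(cert_der, tbs)            # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                            # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    _, _, end = der_tlv(cert_der, pos)            # subjectPublicKeyInfo SEQUENCE
    return cert_der[pos:end]

def tlsa_311(cert_der):
    """TLSA rdata for usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_from_cert(cert_der)).hexdigest()

def tlsa_matches(record, cert_der):
    """True if the published 3 1 1 rdata covers the served certificate's key."""
    usage, selector, mtype, digest = record.split()
    if (usage, selector, mtype) != ("3", "1", "1"):
        raise ValueError("only 3 1 1 records are checked here")
    return digest.lower() == tlsa_311(cert_der).split()[3]

# Constructed fixture (hypothetical): a structurally valid but unsigned certificate skeleton.
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert(pubkey):
    """Wrap a 32-byte Ed25519 public key in a cert skeleton (constructed sample input)."""
    spki = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b6570"))) + tlv(0x03, b"\x00" + pubkey))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") * 4 + spki)       # empty sigAlg, issuer, validity, subject
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00" * 65))
```

Compare the output of tlsa_311() against what `dig TLSA _443._tcp.demo.lazydane` returns after each renewal; if --reuse-key is dropped, the two diverge as soon as certbot generates a new key.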