Fork 0
Create Let's Encrypt certificate without exposing port 80 and 443 for renewal process.
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
CHEF-KOCH 915273bc64 Typo
As always....
3 weeks ago
LICENSE Initial commit 3 weeks ago
README.md Typo 3 weeks ago


Lets Encrypt certificates without exposing port 80 and 443, trough DNS record

Instructions on SSH end

Replace yourdomain.org with your actual domain.

  • sudo -s
  • apt install -y certbot
  • certbot --manual --preferred-challenges dns certonly --elliptic-curve secp384r1 -d yourdomain.org

Follow the console instruction and give GoDaddy or whatever you use your TXT record with the provided data.

Hit enter.

Certificates are stored here

  • Certificate is saved at: /etc/letsencrypt/live/yourdomain.org/fullchain.pem
  • Key is saved at: /etc/letsencrypt/live/yourdomain.org/privkey.pem

Cert paths

  • CERT: /etc/letsencrypt/live/yourdomain.org//cert.pem
  • CHAIN: /etc/letsencrypt/live/yourdomain.org//chain.pem
  • FULLCHAIN: /etc/letsencrypt/live/yourdomain.org//fullchain.pem
  • PRIVKey: /etc/letsencrypt/live/yourdomain.org//privkey.pem

Add cron job for renewable process and restart Nginx

  • crontab -e
  • #@weekly /usr/bin/certbot renew > /dev/null 2>&1
  • @weekly /usr/bin/certbot renew --renew-hook 'systemctl restart nginx.service' > /dev/null 2>&1

Adjust Renewable procedure - only one single time needed

  • nano /etc/letsencrypt/renewal/yourdomain.org.conf
  • authenticator = standalone

Start timers and verify the status to ensure its running

  • systemctl enable certbot.timer
  • systemctl restart certbot.timer
  • systemctl status certbot.timer


  • /var/log/letsencrypt/letsencrypt.log

Delete old certificates if not needed anymore

  • certbot delete

Close ufw ports

You can remove Port 80, 443 is usually needed anyway for e.g. Nextcloud or whatever you use.