Let's Encrypt SSL DNS validation

Using Mythic Beasts DNS API to validate Let's Encrypt SSL certificates

This page gives a step-by-step guide for issuing Let's Encrypt SSL certificates with DNS validation (dns-01) using our DNS API.

If you have a hosting account with us, you don't need to follow this guide. Support for Let's Encrypt is fully automated for hosting accounts, and you can enable a certificate for your website using our control panel.

Let's Encrypt is a service providing free SSL certificates, using domain validation to ensure that certificates are issued only to the legitimate owner of a domain. Let's Encrypt provide a number of options for performing domain validation, including DNS-based validation that requires specific TXT records to be inserted into the DNS zone for a domain. This can be fully automated using our DNS API, as described on this page.

1. Enable DNS API for your domain

Log into the Mythic Beasts customer control panel, click on My Domains and then on the domain in question, and then the DNS API link in the Nameservers and DNS section.

This page will prompt you to set a password for the DNS API for your domain.

2. Download letsencrypt.sh

This guide uses the letsencrypt.sh script to issue certificates. You can either download it directly:

wget https://raw.githubusercontent.com/lukas2511/letsencrypt.sh/master/letsencrypt.sh

or clone it using git:

git clone https://github.com/lukas2511/letsencrypt.sh.git

3. Download the Mythic Beasts hook script

The hook script is a script that makes the necessary requests to our DNS API. We provide both a Perl version (letsencrypt-mythic-dns01.pl) and a Bash version (letsencrypt-mythic-dns01.sh). You can download either directly, or clone both using git:

git clone https://github.com/mythic-beasts/letsencrypt-mythic-dns01.git

4. Configure required certificates

Configure letsencrypt.sh by creating a domains.txt file, containing one line for each certificate required. This file should be created in the same directory as the letsencrypt.sh script. Each line should start with the name of the domain, followed by any aliases (alternate names) that you want included in the certificate under that domain. For example:

example.com www.example.com
example.net www.example.net subdomain.example.net

5. Create password file

Create a dnsapi.config.txt file containing the DNS API passwords for your domain(s). This file should have one domain per line, with the name of the domain and the password separated by a space:

example.com myS3cretPassword
example.net myOtherS3ret

This file holds your DNS API passwords in plain text, so it is recommended to limit access to its owner:

chmod 0600 dnsapi.config.txt

By default, the hook script will look for the dnsapi.config.txt file in the current working directory.

6. (optional) Test using the Let's Encrypt staging service

The Let's Encrypt API limits the number of certificates that you can issue each week. For testing, you may wish to use the staging service. To do this, create a file called config in the same directory as letsencrypt.sh, as follows:

echo 'CA="https://acme-staging.api.letsencrypt.org/directory"' > config

Once you're finished testing, simply delete this file.

7. Generate certificates

Invoke letsencrypt.sh:

./letsencrypt.sh -c -t dns-01 -k ./letsencrypt-mythic-dns01/letsencrypt-mythic-dns01.sh

If successful, you should end up with the requested SSL certificates in the certs directory. The above command is intended to be run regularly as a cron job, and will refresh any certificates that are due to expire in the next 30 days.

As our DNS API only updates new records once a minute, the script waits for 60 seconds after making each change.

8. (optional) Set up a config file for letsencrypt.sh

You can create a config file for the letsencrypt.sh script and use it to set the challenge type and hook script (so you don't have to specify them on the command line), and also to set an email address for the certificate. With an email address set, you will be sent a reminder if the renewal at 30 days doesn't work for any reason. For example:

CONTACT_EMAIL="me@example.com"
HOOK="letsencrypt-mythic-dns01/letsencrypt-mythic-dns01.sh"
CHALLENGETYPE="dns-01"
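
A pre-flight check for the files from steps 4 and 5, meant to run before letsencrypt.sh in the cron job from step 7. This is an added example, not part of letsencrypt.sh or the Mythic Beasts hook script; the file name preflight.sh, the function names, and the rule that a name counts as covered when it equals or is a subdomain of a domain in dnsapi.config.txt are assumptions.

```shell
#!/bin/sh
# Added example (not part of letsencrypt.sh or the Mythic Beasts hook).
# Run from the directory the cron job uses, because the hook looks for
# dnsapi.config.txt in the current working directory:
#   sh preflight.sh domains.txt dnsapi.config.txt

# Succeeds only if the password file is a regular file (not a symlink)
# with no group/other permission bits, i.e. mode 0600 or stricter.
config_is_private() {
    if [ ! -f "$1" ] || [ -L "$1" ]; then
        echo "missing or not a regular file: $1" >&2
        return 1
    fi
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "group/other can access $1; run: chmod 0600 $1" >&2
        return 1
    fi
}

# Prints each name in domains.txt ($1) that is neither a domain listed in
# the password file ($2) nor a subdomain of one. That matching rule is an
# assumption of this example. Runs in a subshell with globbing disabled.
uncovered_names() (
    set -f
    zones=$(awk 'NF >= 2 { print $1 }' "$2")
    for name in $(cat "$1"); do
        covered=no
        for zone in $zones; do
            case $name in
                "$zone" | *."$zone") covered=yes ;;
            esac
        done
        [ "$covered" = yes ] || echo "$name"
    done
)

# Full check: returns 0 only when both conditions hold.
preflight() {
    config_is_private "$2" || return 1
    missing=$(uncovered_names "$1" "$2")
    if [ -n "$missing" ]; then
        echo "no DNS API password covers: $missing" >&2
        return 1
    fi
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A non-zero exit status means the password file is readable by other users or a requested name has no matching password entry, so the cron job can stop before contacting Let's Encrypt.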