Previously I used certbot to generate ACME challenges and manually edited the nginx config so the Let's Encrypt server could read them. It's still working fine, and I have a monthly cron job that auto-renews the certificates.

I recently came across acme.sh, which supports several ways to answer the challenges that the Let's Encrypt server checks. The one that caught my eye is DNS mode: it uses the DNS provider's API to create TXT records whose values are the ACME challenge responses, so nothing has to be served over HTTP and the web server config is left untouched. My DNS provider is Cloudflare, which the repo supports officially, so the command to get certificates is really simple. Two things worth knowing before running it: CF_Key is Cloudflare's account-wide Global API key, so a scoped API token (CF_Token plus CF_Account_ID) that can only edit DNS for the zone is the safer choice, and acme.sh stores whichever credentials you export in ~/.acme.sh/account.conf for later renewals, so that file deserves the same protection as the key itself.

# Cloudflare credentials; acme.sh saves them in ~/.acme.sh/account.conf for renewals.
export CF_Key=my_cloudflare_api_key
export CF_Email=my_email

# dns_cf: create the _acme-challenge TXT records through the Cloudflare API.
acme.sh --issue --dns dns_cf -d lttviet.com -d hello.lttviet.com
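To see what the dns_cf hook actually has to put in DNS, and to check that the record really landed before the CA is asked to validate, the following shell functions are an added example (not from the original post and not acme.sh code). They implement the DNS-01 rule from RFC 8555: the record name is _acme-challenge. prepended to the domain, and the TXT value is the base64url-encoded SHA-256 of the key authorization (token "." account-key thumbprint). The wildcard handling goes one step beyond the post: a leading "*." is stripped, so a wildcard and the bare domain validate at the same name. The sample token and thumbprint values are constructed, not real ones.

```shell
#!/bin/sh
# Added example (not acme.sh code): what a DNS-01 challenge puts in DNS.
# Requires openssl and coreutils base64; dig is only needed by dns01_check.

# base64url without padding, the encoding ACME uses everywhere (RFC 8555).
b64url() {
    base64 | tr -d '\n=' | tr '+/' '-_'
}

# Record name for an identifier: "_acme-challenge." is prepended, and a
# leading "*." is stripped first, so a wildcard for lttviet.com is validated
# at the same name as lttviet.com itself (RFC 8555 sections 7.1.3 and 8.4).
dns01_record_name() {
    printf '_acme-challenge.%s' "${1#\*.}"
}

# TXT value = base64url(SHA-256(keyAuthorization)), where
#   keyAuthorization = token "." base64url(JWK thumbprint of the account key)
# The token comes from the CA's challenge object; the thumbprint is derived
# from the ACME account key (acme.sh computes it from its own account key).
dns01_txt_value() {
    printf '%s.%s' "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# Check that the record is visible from a public resolver. Exit status 0
# when the expected value is among the TXT strings returned for the name.
# Needs network access, so it is not part of the offline checks.
dns01_check() {
    dig +short TXT "$(dns01_record_name "$1")" @1.1.1.1 | tr -d '"' | grep -qx "$2"
}

# Constructed sample values (not a real token or account thumbprint):
#   dns01_record_name '*.lttviet.com'   -> _acme-challenge.lttviet.com
#   dns01_txt_value "$token" "$thumb"   -> 43 characters of [A-Za-z0-9_-]
#   dns01_check lttviet.com "$(dns01_txt_value "$token" "$thumb")"
```

The value is a hash of the key authorization rather than the token itself, which is why a TXT record leaking in a zone transfer gives an attacker nothing they can replay against a different ACME account. If dns01_check keeps failing after acme.sh has written the record, the usual cause is resolver caching of a previous value, which is what acme.sh's --dnssleep option exists to wait out.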

The script also supports a bunch of other modes to issue certs (webroot, standalone, and nginx/apache modes among them), so it is rather versatile. One caveat for anyone following along later: recent acme.sh releases default to ZeroSSL as the CA, so add --server letsencrypt if you want Let's Encrypt specifically.

This is just one of many ways to get certificates from Let's Encrypt, but it is the simplest fit for my current workflow. I can generate certs on my local machine and push them to my server; no more manually modifying the nginx config. The private key travels with them, so on the server it should end up readable only by root.
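The server side of that push is where things go wrong in practice: a key copied alongside the wrong chain, a truncated file, or a world-readable key. The following functions are an added example (not from the original post and not acme.sh code) of the checks to run on the server before nginx is told to use the new files. The filenames privkey.pem and fullchain.pem and the destination directory are my assumptions, not acme.sh defaults.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run on the server
# after certificate files have been pushed from another machine, before
# nginx is reloaded. Filenames privkey.pem/fullchain.pem and the destination
# directory are assumptions, not acme.sh defaults.
# Requires openssl; install(1) and nginx are needed only by the last two functions.

# Exit 0 only if the private key belongs to the certificate: the public key
# derived from the private key must be byte-for-byte the one in the cert
# (both are emitted by openssl as PEM SubjectPublicKeyInfo).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Exit 0 if the leaf certificate is still valid for at least $2 more days.
# Let's Encrypt certificates last 90 days; alert well before that runs out.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Copy the pushed files into place with tight modes: the key must not be
# group- or world-readable. Refuses to install a key that does not match
# the chain, so a bad push never replaces a working pair.
install_cert() {
    key=$1; chain=$2; dest=$3
    key_matches_cert "$key" "$chain" || {
        echo "refusing: private key does not match certificate" >&2
        return 1
    }
    mkdir -p "$dest" || return 1
    install -m 0600 "$key" "$dest/privkey.pem" || return 1
    install -m 0644 "$chain" "$dest/fullchain.pem" || return 1
}

# Only reload after the config test passes with the new files in place,
# so a broken deploy never takes the running server down.
reload_nginx() {
    nginx -t && nginx -s reload
}

# Typical use on the server (paths are assumptions):
#   install_cert /tmp/push/key.pem /tmp/push/fullchain.pem /etc/nginx/certs/lttviet.com && reload_nginx
```

If you would rather let acme.sh do the copying, its --install-cert command takes --key-file, --fullchain-file and a --reloadcmd and repeats them on every renewal; the key-matches-certificate check above is still worth running on anything that arrives over scp.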

A few more solutions

Getting certificates these days is incredibly easy, and it's also free. Here are a few more interesting options I have read about:

  • OpenResty plugin: a Lua plugin that obtains and renews certificates for domains on the fly, for use with either OpenResty or nginx built with the ngx_lua module.
  • Caddy server: a web server written in Go, meant as a replacement for nginx/apache. According to its feature list it obtains and renews certificates automatically by default.