In addition to having certbot installed, acme-dns-certbot needs to be installed. Download the script from GitHub:
wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py
Make the script executable
chmod +x acme-dns-auth.py
Edit acme-dns-auth.py
vim acme-dns-auth.py
Append a 3 to the first line, #!/usr/bin/env python, so that the script runs under python3. It should look like this:
#!/usr/bin/env python3
Move the script into the Certbot Let’s Encrypt directory so that Certbot can load it
mv acme-dns-auth.py /etc/letsencrypt/
Run the verification process. The flags used:
--manual - disables all of the automated integration features of Certbot.
--manual-auth-hook /etc/letsencrypt/acme-dns-auth.py - use the acme-dns-certbot hook.
--preferred-challenges dns - give preference to DNS validation.
--debug-challenges - tell Certbot to pause before attempting to validate the certificate. This is to allow you to set the DNS CNAME record(s) required by acme-dns-certbot.
-d - the argument where you set your domain. If you want to issue a wildcard certificate, make sure to escape the asterisk (*) with a backslash (\).
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.example.com -d www.example.com -d example.com
After completing the normal Certbot steps, you'll be prompted with a message similar to this:
...
Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.example.com CNAME a15fe5b5-f170-2c74-973f-09a5764a28j6.auth.acme-dns.io.
Waiting for verification...
A DNS record with the indicated contents will need to be created for verification.
Leave this record in place so that the cert can be renewed automatically.
_acme-challenge.example.com. 300 CNAME a15fe5b5-f170-2c74-973f-09a5764a28j6.auth.acme-dns.io.
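While Certbot is paused at --debug-challenges, it helps to confirm that the CNAME is actually visible in DNS before pressing Enter. The following is an added example, not part of the original page or of acme-dns-certbot; it assumes dig is installed for the live check, and the matching logic is exercised against a constructed answer so it also runs offline.

```shell
#!/bin/sh
# Added example (not the page's or the project's code): verify that the
# _acme-challenge CNAME required by acme-dns-auth.py points at the
# acme-dns target before letting certbot continue.

# Normalize a DNS name: lowercase and strip the trailing dot, so that
# "Foo.auth.acme-dns.io." and "foo.auth.acme-dns.io" compare equal.
norm_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# $1: raw output of `dig +short CNAME <name>` (first line is the target)
# $2: expected target printed by acme-dns-auth.py
# Returns 0 when the published CNAME matches, 1 otherwise (including no record).
cname_matches() {
    _answer=$(norm_name "$(printf '%s\n' "$1" | head -n 1 | tr -d '[:space:]')")
    _expected=$(norm_name "$2")
    [ -n "$_answer" ] && [ "$_answer" = "$_expected" ]
}

# Live check: $1 is the domain (e.g. example.com), $2 the expected target.
# Assumes `dig` is available; queries the system resolver.
check_acme_cname() {
    _raw=$(dig +short CNAME "_acme-challenge.$1" 2>/dev/null)
    cname_matches "$_raw" "$2"
}

# Example usage with the target shown earlier on this page:
# check_acme_cname example.com a15fe5b5-f170-2c74-973f-09a5764a28j6.auth.acme-dns.io. \
#     && echo "CNAME in place, safe to continue certbot" \
#     || echo "CNAME not visible yet, wait for propagation"
```

Resolvers may cache a negative answer for the record's TTL, so a failing check right after creating the record is expected for a short while.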
After the challenges successfully complete, it will tell you where the new certificate and chain files are located.
Run the renewal command.
certbot renew
To test renewal without requesting a real certificate, use the dry run:
certbot renew --dry-run