Using Cloud DNS to request free TLS/SSL certificates from Let's Encrypt


Alex Dupuy

Jul 12, 2016, 12:24:56 AM
to cloud-dns-discuss
Yann Malet has posted an excellent and easy-to-follow tutorial on using the Lego Let's Encrypt Go client with Google Cloud DNS. As he points out, using control of a DNS domain to verify your ownership of that domain is very convenient when you want to request certificates on a machine that is not the one serving the requested domain.

  • It avoids the chicken/egg issue of starting a web server configured with TLS before having the certificate and the key
  • Proxy requests from all the web servers to a central location
  • Get the certificate / key on a machine and distribute them on a cluster of web servers

I would also add that using a DNS validation challenge is especially convenient if you are using the TLS certificate for something that is not a web server, like a DANE-authenticated e-mail server (you'll need to join the Cloud DNS DNSSEC alpha to be able to create DANE TLSA records).

The only prerequisite he doesn't mention is the obvious one—a Cloud DNS managed zone that is properly delegated from its TLD—but if you're using Cloud DNS for your domains then you should have that set up already. The Lego client supports a number of DNS providers, so Cloud DNS is not a strict requirement, but you do need the domain registration and delegation to your DNS provider's name servers from the TLD domain registry no matter which provider you use.

The only other gotcha is that Let's Encrypt certificates expire after 90 days, so you really want to have an automated process in place to auto-renew—they will send you e-mail notifications, but the whole point of this is automation, so why do more work to handle it manually?

You can create a cron job that runs this command every month to renew the certificate:
lego --email="your-le-ac...@example.net" --domains="example.com" renew

You might want to also have it check that the expiration date is > 31 days in the future after running the lego command, just in case it fails for some reason and the e-mails from Let's Encrypt end up in your spam folder.

@alex
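A cron wrapper that implements the renew-then-verify step described above, as an added example that is not part of the original post: it runs the same lego command, then asks openssl for the certificate's expiry and fails loudly (non-zero exit, so cron mails you) if fewer than 31 days remain. It assumes lego writes the certificate to ~/.lego/certificates/<domain>.crt and that openssl is on PATH.

```python
#!/usr/bin/env python3
"""Cron wrapper for Let's Encrypt renewal via lego: run `lego renew`, then verify that
the certificate on disk still has more than MIN_DAYS of validity, and exit non-zero
otherwise so the failure is reported even if Let's Encrypt's expiry mails go astray."""
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

MIN_DAYS = 31  # the post suggests checking that expiry is more than 31 days out
# Assumed, not from the post: lego's default output directory layout for certificates.
LEGO_CERT_DIR = Path.home() / ".lego" / "certificates"


def parse_not_after(enddate_line: str) -> datetime:
    """Parse the 'notAfter=Jul 12 00:24:56 2016 GMT' line printed by `openssl x509 -enddate`."""
    _, _, value = enddate_line.strip().partition("=")
    # openssl prints the expiry in GMT; strptime yields a naive datetime, so attach UTC explicitly.
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_remaining(not_after: datetime, now: Optional[datetime] = None) -> float:
    """Days between `now` (default: current UTC time) and the certificate's notAfter."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).total_seconds() / 86400


def cert_days_left(cert_path: Path) -> float:
    """Ask openssl for the certificate's expiry and convert it to days from now."""
    result = subprocess.run(["openssl", "x509", "-in", str(cert_path), "-noout", "-enddate"],
                            check=True, capture_output=True, text=True)
    return days_remaining(parse_not_after(result.stdout))


def renew_and_check(email: str, domain: str, min_days: int = MIN_DAYS) -> bool:
    """Run the renewal command from the post, then verify the result; True if healthy."""
    # Same invocation as in the post; lego's exit status is not trusted, the file on disk is checked.
    subprocess.run(["lego", f"--email={email}", f"--domains={domain}", "renew"], check=False)
    left = cert_days_left(LEGO_CERT_DIR / f"{domain}.crt")
    if left > min_days:
        print(f"{domain}: certificate valid for {left:.1f} more days")
        return True
    print(f"{domain}: only {left:.1f} days of validity left, renewal probably failed", file=sys.stderr)
    return False


if __name__ == "__main__":
    # usage: renew_check.py <account-email> <domain>   (placeholders; run monthly from cron)
    sys.exit(0 if renew_and_check(sys.argv[1], sys.argv[2]) else 1)
```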

Alex Dupuy

Jul 12, 2016, 11:27:01 AM
to cloud-dns-discuss
Better than a cron job for monitoring your certificates (from Let's Encrypt or anywhere) is this: LetsMonitor.org

This was just recently announced on the Let's Encrypt community support forum.
