This guide explains how to obtain a Let’s Encrypt certificate for private-server-1.pri.smortler.com, an Ubuntu 24 VM in a private network without a public IP address and with no API access to the DNS server. Because Let’s Encrypt cannot reach the host over HTTP, the process uses the DNS-01 challenge method, with the DNS record added by hand.
Update your package list:
sudo apt update
Install Certbot (the manual plugin used below is built into Certbot, so no separate package is required):
sudo apt install certbot
Run Certbot with the manual DNS challenge:
sudo certbot certonly --manual --preferred-challenges dns -d private-server-1.pri.smortler.com
Certbot will prompt you to manually add a TXT record to your DNS for the domain private-server-1.pri.smortler.com.
After running the Certbot command, you’ll see a message like this:
Please deploy a DNS TXT record under the name:
_acme-challenge.private-server-1.pri.smortler.com
With the following value:
fTPc1PAOSe9p0GBqP7IaJklJUMEaM5tHMohMZ2alPGU
Before continuing, verify the record is deployed.
Log in to your DNS management system and add a TXT record (the name is relative to the pri.smortler.com zone):
Name: _acme-challenge.private-server-1
Type: TXT
Value: fTPc1PAOSe9p0GBqP7IaJklJUMEaM5tHMohMZ2alPGU (replace this with the value provided by Certbot)
Save the DNS record.
Use a DNS propagation tool (e.g., whatsmydns.net) or check manually using dig:
dig TXT _acme-challenge.private-server-1.pri.smortler.com
Ensure the correct TXT record is visible. Because Let’s Encrypt validates from the public internet, check against a public resolver rather than only the VM’s internal one.
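Before pressing Enter, you can script this check so that the record is confirmed at several public resolvers at once. The following script is an added example, not part of the original guide or of Certbot; the resolver list is an assumption, and the dig output used in the test is constructed.

```shell
#!/bin/sh
# check_acme_txt.sh -- verify the _acme-challenge TXT record is visible at public
# resolvers before pressing Enter in Certbot.
# Usage: sh check_acme_txt.sh _acme-challenge.private-server-1.pri.smortler.com <value>

# Public resolvers to query; an assumption, adjust to the ones you trust.
RESOLVERS="${RESOLVERS:-1.1.1.1 8.8.8.8 9.9.9.9}"

# Turn `dig +short TXT` output into one bare value per line: drop the surrounding
# quotes and rejoin records that dig prints as several "..." "..." chunks.
parse_txt_values() {
  tr -d '\r' | sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# Exit 0 if the expected token is one of the values read on stdin, 1 otherwise.
has_value() {
  grep -Fxq -- "$1"
}

# Query one resolver and report; returns 0 only when the expected value is present.
check_resolver() {
  name="$1"; expected="$2"; resolver="$3"
  if dig +short TXT "$name" "@$resolver" | parse_txt_values | has_value "$expected"; then
    echo "ok       $resolver returns the expected value for $name"
  else
    echo "missing  $resolver does not return the expected value for $name yet"
    return 1
  fi
}

# Check every resolver; exit 0 only if all of them already serve the record,
# so a retry loop or `&& echo ready` can be hung off the exit status.
main() {
  name="$1"; expected="$2"; failures=0
  for r in $RESOLVERS; do
    check_resolver "$name" "$expected" "$r" || failures=$((failures + 1))
  done
  [ "$failures" -eq 0 ]
}

if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Run it with the challenge name and the value Certbot printed; a non-zero exit means at least one resolver does not serve the record yet, so wait and rerun before continuing in Certbot.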
Return to the terminal where Certbot is running.
Press Enter to continue once the TXT record is propagated.
Once validation is successful, Certbot will generate the certificates and store them in:
Certificate: /etc/letsencrypt/live/private-server-1.pri.smortler.com/fullchain.pem
Private Key: /etc/letsencrypt/live/private-server-1.pri.smortler.com/privkey.pem
Configure your web server (e.g., Apache, Nginx) to use the certificate and private key:
For Apache, update your virtual host file:
sudo nano /etc/apache2/sites-available/private-server-1.conf
Add or update the SSL settings:
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/private-server-1.pri.smortler.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/private-server-1.pri.smortler.com/privkey.pem
Enable SSL:
sudo a2enmod ssl
sudo systemctl reload apache2
For Nginx, update your server block configuration:
sudo nano /etc/nginx/sites-available/private-server-1
Add or update the SSL settings:
server {
    listen 443 ssl;
    server_name private-server-1.pri.smortler.com;
    ssl_certificate /etc/letsencrypt/live/private-server-1.pri.smortler.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/private-server-1.pri.smortler.com/privkey.pem;
}
Reload Nginx:
sudo systemctl reload nginx
Since the DNS challenge requires manual steps (there is no DNS API for a Certbot auth hook to call), fully automating renewal isn’t possible. However, Certbot can notify you when renewal is needed.
Add a cron job to check for certificate expiration:
sudo crontab -e
Add this line:
0 0 * * * certbot renew --dry-run
The output of this job (delivered as cron mail, if mail is configured on the VM) tells you when the certificate is nearing expiration and the manual DNS step has to be repeated. The --manual-public-ip-logging-ok flag sometimes seen in older guides was a no-op that has been removed from current Certbot releases, so leave it out.
Set a reminder in your calendar or system to repeat the manual DNS steps before the certificate expires.
If you need certificates for multiple subdomains, consider generating a wildcard certificate (e.g., *.pri.smortler.com). The process is the same, since a wildcard name can only be validated with the DNS-01 challenge.