Configuring Let's Encrypt with DNS-01 challenge on Debian 10 Buster
While setting this up, I ran into a lot of issues with DNS service APIs not matching what was available in the buster repository and in other scripts that I tried. These are my notes on how to set up Let's Encrypt with a DNS-01 challenge, but the most important part is just knowing what works. I don't want to name the services and tools that didn't, as I expect they'll be updated soon, but as of this writing, if you want things to go quickly and easily, I recommend Cloudflare for DNS, certbot, and python3-certbot-dns-cloudflare.
You can create a Cloudflare account for free. Create a record for the domain for which you want to create a certificate. The domain I was configuring is only used internally, but certbot requires a pre-existing record, so I created a TXT record.
Install Certbot and the Cloudflare DNS plugin:
sudo apt update
sudo apt install certbot python3-certbot-dns-cloudflare
Retrieve your Global API key from Cloudflare. The Cloudflare API supports tokens, but the current version of python3-certbot-dns-cloudflare in Buster does not.
Create /home/username/certbot/cloudflare.ini:
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = your@email.addr
dns_cloudflare_api_key = 111111111111111111111111111111
Create the certificate:
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /home/username/certbot/cloudflare.ini -d sub.domain.com
The certificate is saved to:
/etc/letsencrypt/live/sub.domain.com/fullchain.pem
The key is saved to:
/etc/letsencrypt/live/sub.domain.com/privkey.pem
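The Global API key in cloudflare.ini gives full control of the Cloudflare account, so the file should never be readable by other local users. The following POSIX shell helpers are an added example, not part of the original notes or of certbot: one writes the credentials file under a restrictive umask, the other checks mode and contents before the file is handed to certbot. The path, email and key values are placeholders.

```shell
#!/bin/sh
# Added example: create and validate the certbot Cloudflare credentials file.

# Write the ini file so that it is only ever readable by its owner.
# Arguments: path, Cloudflare account email, Global API key.
write_cloudflare_ini() {
    ini="$1"; email="$2"; key="$3"
    ( umask 077
      printf '# Cloudflare API credentials used by Certbot\n' > "$ini"
      printf 'dns_cloudflare_email = %s\n' "$email" >> "$ini"
      printf 'dns_cloudflare_api_key = %s\n' "$key" >> "$ini" )
    # If the file already existed with looser bits, tighten them anyway.
    chmod 600 "$ini"
}

# Return codes: 0 ok, 1 missing file, 2 unsafe mode, 3/4 missing setting.
check_cloudflare_ini() {
    ini="$1"
    [ -f "$ini" ] || { echo "missing: $ini" >&2; return 1; }
    # GNU stat (Debian): octal mode must have no group/other bits.
    mode=$(stat -c '%a' "$ini")
    case "$mode" in
        600|400) ;;
        *) echo "unsafe permissions $mode on $ini (want 600)" >&2; return 2 ;;
    esac
    # Both settings the Buster plugin expects must be present and non-empty.
    grep -Eq '^dns_cloudflare_email *= *[^ ]+' "$ini" \
        || { echo "dns_cloudflare_email missing in $ini" >&2; return 3; }
    grep -Eq '^dns_cloudflare_api_key *= *[^ ]+' "$ini" \
        || { echo "dns_cloudflare_api_key missing in $ini" >&2; return 4; }
    return 0
}

# Usage: check_cloudflare_ini /home/username/certbot/cloudflare.ini
if [ $# -gt 0 ]; then
    check_cloudflare_ini "$1"
fi
```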