echothrust/howtos

A list of OpenBSD (mostly) material


OpenBSD LetsEncrypt DNS challenge on Vultr

Process summary

Install required software

# pkg_add certbot
# pkg_add py-pip
# ln -sf /usr/local/bin/pip2.7 /usr/local/bin/pip
# pip install dns-lexicon
# pip install urllib3

Create DNS automation script

Replace API_KEY_GOES_HERE with your Vultr API key and save the following script as /etc/letsencrypt/lexicon-vultr.sh. The key is a secret that gives full control over every DNS zone in the account, so the file must be readable by root only (see the permissions step below).

#!/usr/bin/env ksh
# certbot runs this hook with "create" before validation and "delete"
# afterwards, exporting CERTBOT_DOMAIN and CERTBOT_VALIDATION for each domain.
/usr/local/bin/lexicon vultr \
--auth-token=API_KEY_GOES_HERE \
"$1" "${CERTBOT_DOMAIN}" TXT \
--name "_acme-challenge.${CERTBOT_DOMAIN}" \
--content "${CERTBOT_VALIDATION}" || exit 255

# Give the new TXT record time to reach Vultr's nameservers before certbot
# asks Let's Encrypt to look it up. ("=" rather than "==" keeps this
# portable to any POSIX test(1).)
if [ "$1" = "create" ]; then
  sleep 30
fi

Set permissions

# chown root:wheel /etc/letsencrypt/lexicon-vultr.sh
# chmod 700 /etc/letsencrypt/lexicon-vultr.sh

Command to run for creation and later renewal. Vultr only accepts API calls from addresses listed in the key's access control (IP whitelist), so this works only while the host's current IP address is whitelisted. Newer certbot releases treat --manual-public-ip-logging-ok as deprecated; it can be dropped there.

# certbot certonly --manual \
--manual-public-ip-logging-ok \
--manual-auth-hook "/etc/letsencrypt/lexicon-vultr.sh create" \
--manual-cleanup-hook "/etc/letsencrypt/lexicon-vultr.sh delete" \
--preferred-challenges dns \
--agree-tos \
--email info@echothrust.dev \
-d example.org -d www.example.org

Renewal also works with a plain certbot renew: the hooks and options used above are saved in /etc/letsencrypt/renewal/example.org.conf, so no flags are needed. Be aware that it walks every lineage under /etc/letsencrypt/live and renews each one that is due (by default within 30 days of expiry), not just this certificate.
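A hardened variant of the hook above, added here as an example and not part of the original howto. It keeps the API key out of the script in a separate root-only file (/etc/letsencrypt/vultr.token, an assumed path), refuses any action other than create or delete, requires the certbot variables to be set, and after create polls Vultr's authoritative nameserver (ns1.vultr.com, assumed) with dig(1) until the TXT record is visible instead of sleeping a fixed 30 seconds. OpenBSD's /bin/sh is ksh, so it runs there unchanged.

```sh
#!/bin/sh
# Added example (not the original howto's script): hardened certbot
# manual-auth/cleanup hook for lexicon's vultr provider.
# Assumptions: token file path, authoritative NS name, dig(1) in PATH.

TOKEN_FILE="${TOKEN_FILE:-/etc/letsencrypt/vultr.token}"   # assumed, mode 0600
LEXICON="${LEXICON:-/usr/local/bin/lexicon}"
AUTH_NS="${AUTH_NS:-ns1.vultr.com}"                        # assumed

# Only the two actions certbot's hooks can ask for are accepted.
valid_action() {
    case "$1" in
        create|delete) return 0 ;;
        *) return 1 ;;
    esac
}

# Name of the validation record for the domain certbot hands us.
record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Return 0 if dig's "+short" TXT output ($1) contains the expected
# validation string ($2). dig prints each TXT record double-quoted.
txt_matches() {
    printf '%s\n' "$1" | grep -Fqx "\"$2\""
}

# Poll the authoritative server until the record is visible (about 2 min max).
wait_for_txt() {
    name="$1"; expected="$2"; tries=0
    while [ "$tries" -lt 24 ]; do
        out=$(dig +short "@$AUTH_NS" "$name" TXT 2>/dev/null)
        if txt_matches "$out" "$expected"; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 5
    done
    return 1
}

main() {
    action="$1"
    valid_action "$action" || { echo "usage: $0 create|delete" >&2; exit 2; }
    [ -n "$CERTBOT_DOMAIN" ] && [ -n "$CERTBOT_VALIDATION" ] ||
        { echo "CERTBOT_DOMAIN/CERTBOT_VALIDATION unset; run from certbot" >&2; exit 2; }
    command -v dig >/dev/null 2>&1 || { echo "dig(1) is required" >&2; exit 255; }
    token=$(cat "$TOKEN_FILE") || exit 255
    name=$(record_name "$CERTBOT_DOMAIN")

    "$LEXICON" vultr --auth-token="$token" \
        "$action" "$CERTBOT_DOMAIN" TXT \
        --name "$name" --content "$CERTBOT_VALIDATION" || exit 255

    if [ "$action" = create ]; then
        wait_for_txt "$name" "$CERTBOT_VALIDATION" || exit 255
    fi
}

# Run only when invoked with an action; sourcing the file just defines
# the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Install it the same way as the original hook (root:wheel, mode 0700) and create the token file with mode 0600. The token still appears on lexicon's command line for the duration of the call, so it is briefly visible in ps to other local users; lexicon 3 and later can read it from the LEXICON_VULTR_AUTH_TOKEN environment variable instead, which avoids that.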

Certificates and key location

Certbot names the lineage after the first -d domain, so for the command above both files live under /etc/letsencrypt/live/example.org/ (www.example.org is a second SAN in the same certificate). Copy them for nginx, keeping the destination names consistent, and make sure the .key file is not world-readable (mode 0600):

cp /etc/letsencrypt/live/example.org/fullchain.pem /etc/nginx/www.example.org.crt
cp /etc/letsencrypt/live/example.org/privkey.pem /etc/nginx/www.example.org.key
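Copying by hand has to be repeated after every certbot renew, so the natural next step is a deploy hook. The script below is an added example, not part of the original howto: certbot runs a --deploy-hook after each successful renewal with RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.org) and RENEWED_DOMAINS in the environment. The target directory /etc/nginx, the <lineage>.crt/<lineage>.key naming and the use of rcctl(8) to reload nginx are this example's own choices.

```sh
#!/bin/sh
# Added example (not from the original howto): certbot deploy hook that
# installs the renewed fullchain/key for nginx with safe permissions and
# reloads nginx. Assumptions: NGINX_DIR, file naming, rcctl on OpenBSD.

NGINX_DIR="${NGINX_DIR:-/etc/nginx}"   # assumed target directory

# Copy fullchain and key for one lineage into dest as <name>.crt/<name>.key.
# The key is written root-only, and both files are renamed into place last
# so nginx never reads a half-written file. Returns 1 if a source is missing.
install_cert() {
    lineage="$1"; name="$2"; dest="$3"
    [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ] || return 1
    # umask 077 so the key is never world-readable, not even between cp and chmod
    (umask 077 && cp "$lineage/privkey.pem" "$dest/$name.key.tmp") || return 1
    cp "$lineage/fullchain.pem" "$dest/$name.crt.tmp" || return 1
    chmod 0644 "$dest/$name.crt.tmp"
    chmod 0600 "$dest/$name.key.tmp"
    mv "$dest/$name.crt.tmp" "$dest/$name.crt" &&
        mv "$dest/$name.key.tmp" "$dest/$name.key"
}

# Permission string of a file ("-rw-------"), portable across ls(1) flavours.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Reload nginx through rc(8) where available (OpenBSD), otherwise just warn.
reload_nginx() {
    if command -v rcctl >/dev/null 2>&1; then
        rcctl reload nginx
    else
        echo "rcctl not found; reload nginx manually" >&2
    fi
}

# certbot sets RENEWED_LINEAGE only when calling us as a deploy hook.
if [ -n "$RENEWED_LINEAGE" ]; then
    install_cert "$RENEWED_LINEAGE" "$(basename "$RENEWED_LINEAGE")" "$NGINX_DIR" || exit 1
    reload_nginx
fi
```

Either pass it with --deploy-hook /etc/letsencrypt/deploy-nginx.sh (an assumed path) on the certbot command so it is saved in the renewal config, or drop it into /etc/letsencrypt/renewal-hooks/deploy/, which certbot runs for every renewed lineage. Set it root:wheel, mode 0700, like the auth hook.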