Issue TLS Certificates using IONOS Cloud Certbot Plugin

Transport Layer Security(TLS), is a pivotal security protocol that ensures the encryption of data transmitted between web browsers like Chrome, Firefox, and web servers.

Employing TLS certificates for all hosted content and applications is imperative. It not only safeguards sensitive information but also fosters trust among users by guaranteeing secure communication channels.

Info: To obtain a Let’s Encrypt certificate for your domain, verification of ownership is required. This can be achieved through various methods detailed in the Let’s Encrypt documentation. One commonly used method is the DNS-01 challenge, which necessitates demonstrating control over the domain's DNS by generating a specific value in a TXT record. Utilizing the Certbot plugin facilitates the certificate issuance process by managing TXT records automatically, handling tasks such as creation, removal, renewal, and revocation. Further details on this process can be found in the Certbot documentation.. For more information on Cloud DNS Certbot plugin, see Cloud DNS Certbot GitHub.

This tutorial will guide you on how to install and configure a simple web server, create an A record for that web server using IONOS Cloud DNS API, and create an TLS certificate for your web server using Cloud DNS Certbot. The steps we will follow are:

  1. Reserve an IPv4 in your IONOS Cloud setup.

  2. Set up a Web Server on Dedicated Core Server in IONOS Cloud.

  3. Create an A record for your web server. For information on common record types, see Create records of other types.

  4. Create an TLS certificate for your web server using IONOS Cloud Certbot Plugin.

  5. Add TLS certificate to your web server configuration.

  6. Test your TLS certificate.

Prerequisites:

  • You have an IONOS account. If you do not have an account, you can create one by visiting the IONOS website.

  • You have a zone with IONOS Cloud DNS. If you do not have a zone, you can create one using the IONOS Cloud DNS API. For more information, see Create a zone using IONOS Cloud DNS API. We will refer to this zone and zone name as <your-zone> and <your-zone-name>, respectively.

  • Make sure to use your own <zone_id> and <your_server_ip> along with your <authorization token>.

Reserve an IPv4 address in IONOS Cloud

To reserve an IPv4 address in IONOS Cloud, follow these steps:

1. In the DCD, go to Menu > Management > IP Management.

2. In IP Management, click Reserve IPs, and a new pop-up window appears. Enter the following information:

  • Name: Enter a suitable name.

  • Number of IPs: Select the number of IP addresses to be reserved.

  • Region: Select a region that is the same as the region of your Dedicated Core server. Click Reserve IPs to reserve the IP addresses and confirm the reservation by selecting OK.

3. Exit the IP Management window and return to the IONOS Cloud Workspace.

Result: The IPv4 address is reserved.

Set up a Dedicated Core Server in IONOS Cloud

Note:

  • The user who creates the server has full root or administrator access rights. A server, once provisioned, retains all its settings (resources, drive allocation, password, and so on), even after server restart at the operating system level.

  • The server will only be removed from your virtual data center once you delete it in the DCD.

To set up a Dedicated Core server in IONOS Cloud, follow these steps:

1. Create a Dedicated Core server and configure the server in the Settings tab by following the steps in Create a Dedicated Core Server.

2. Configure the server Network settings by following the steps in the Dedicated Core Server network settings.

3. Configure the server Storage settings by following the steps in the Dedicated Core Server storage settings.

4. Continue to provision the changes and start the Dedicated Core Server by following the steps in the Provision changes and starting the Dedicated Core Server.

Result: A Dedicated Core Server is set up and started along with the configuration of Settings, Network, and Storage setup.

Dedicated Core Server network settings

In the DCD > Inspector pane on the right, configure the following network details in the Network tab.

1. Name: Choose a name unique to this Virtual Data Center (VDC).

2. MAC: It is automatically assigned during the VM creation.

3. LAN: Select the LAN connection that is connected to the internet by default it is LAN 1.

4. Firewall: By default, the firewall is disabled. To enable firewall rules, make sure that incoming and outgoing traffic is allowed on port 25 for UDP and TCP.

5. In the IPv4 Configuration, click Add IP and select the same IP address that you used to create an A record.

Result: The Network settings for a Dedicated Core server are configured.

Dedicated Core Server storage settings

Warning: The storage type cannot be changed after provisioning.

In the DCD > Inspector pane on the right, configure the following storage details in the Storage tab.

1. Click SSD and a new pop-up window Create New Attached Storage appears.

2. Configure the following storage details:

  • Name: Enter a name that is unique within your VDC.

  • Availability Zone: By default, the value is set to "Auto".

  • Size in GB: We recommend using 20 for the storage size.

  • Performance: Select "Standard".

  • Image: You can select one of IONOS images or snapshots, or use your own. For this tutorial, we will use an Ubuntu server image from IONOS. To make the same choice, select ubuntu-22.04-server-cloudimg-amd64 under IONOS Images.

  • Password: Create a password for the "root" user of the server. You will need this password to SSH and make changes.

  • SSH Keys: Select an SSH key stored in the SSH Key Manager.

  • Ad-hoc SSH Key: If you have not created an SSH key, copy and paste the public part of your SSH key into this field.

  • Cloud-Init user data: To install the Nginx web-server, Certbot, and Python3-pip tools, use the following Cloud-Init user data.

#cloud-config

packages:
  - nginx
  - certbot
  - python3-pip
  
runcmd:
  - pip3 install certbot-dns-ionos-cloud
  • Boot from Device: Select this checkbox to make the SSD drive bootable.

3. Click Create SSD Storage to create the SSD storage.

Result: The Storage settings for a Dedicated Core server are configured.

Provision changes and start the Dedicated Core Server

1. Select the newly created Dedicated Core server.

2. From the Settings tab in the Inspector pane, select Power > Start.

3. Click Provision Changes in the lower right corner and click Provision Now.

Result: The Dedicated Core server is provisioned and started.

Next steps: After your changes are provisioned and the server is started, select your Dedicated Core server, click the Network tab in the Inspector pane, and copy one of the IPv4 addresses.

Create an A record for your web server

1. To create an A record for your email server, follow these steps:

Info: We already own the zone demo-ionos.cloud and will use it for this tutorial. Previously, we created a zone demo-ionos.cloud using the IONOS `Cloud DNS API. For more information on how to create a zone using IONOS Cloud DNS API, see Create a zone using IONOS Cloud DNS API.

Prerequisite: Make sure to use your own <zone_id> and <your_server_ip> along with your <authorization token>.

curl --location 'https://dns.de-fra.ionos.com/zones/<zone_id>/records' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <authorization_token>' \
--data '{
  "properties": {
    "name": "",
    "type": "A",
    "content": "<your_server_ip>",
    "ttl": 60,
    "priority": 0,
    "enabled": true
  }
}'

Result: The A record for your web server is created.

Info: For more information on how to create a record for a zone using IONOS Cloud DNS API, see Create a record for a zone using IONOS Cloud DNS API.

Create an TLS certificate for your web server using IONOS Cloud Certbot Plugin

1. Create a credentials.ini file containing the IONOS Cloud API token. This file must contain ionos_dns_token key with the value of the access token:

vi credentials.ini

and add the following content:

dns_ionos_api_token=<your_ionos_api_token>

Save and exit the file.

2. Restrict access to the credentials.ini file:

chmod 600 credentials.ini

3. Create an TLS certificate for your web server using the IONOS Cloud Certbot Plugin:

certbot certonly \
  --authenticator dns-ionos \
  --dns-ionos-credentials /path/to/credentials.ini \
  --dns-ionos-propagation-seconds 60 \
  --agree-tos \
  --rsa-key-size 4096 \
  -d '<your-zone-name>' \
  -d '*.<your-zone-name>'

Flag

Description

--authenticator dns-ionos

Specifies the authenticator plugin to be used.

--dns-ionos-credentials

Specifies the path to the credentials.ini file.

--dns-ionos-propagation-seconds

Specifies the time to wait for DNS propagation.

--agree-tos

Agrees to the terms of service.

--rsa-key-size

Specifies the size of the RSA key.

-d

Specifies the domain name for which the certificate is issued. Provide the previously created zone name.

4. When prompted, enter the email address for urgent renewals and security notices.

5. The Certbot plugin will automatically create a TXT record in your zone to verify the domain ownership.

6. The Certbot plugin will issue the TLS certificate for your web server. On successful issuance, you will see the following message:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/<your-zone>/fullchain.pem
Key is saved at: /etc/letsencrypt/live/<your-zone>/privkey.pem
This certificate expires on <expiration-date>.
These files will be updated when the certificate renews.

Note: TLS Certificate and Key will be created in /etc/letsencrypt/live/<your-zone>/ folder. For the purpose of this tutorial we used zone demo-ionos.cloud, therefore TLS Certificate and Key are created in /etc/letsencrypt/live/demo-ionos.cloud/ directory.

Result: The TLS certificate for your web server is issued using the IONOS Cloud Certbot Plugin.

Add TLS certificate to your web server configuration

1. Add the TLS certificate to your web server configuration by editing the Nginx configuration file:

vi /etc/nginx/sites-available/default

2. At the beginning of /etc/nginx/sites-available/default file, uncomment the following lines:

         listen 443 ssl default_server;
         listen [::]:443 ssl default_server;

3. Add the following lines to the bottom of the server block:

        ssl_certificate /etc/letsencrypt/live/<your-zone>/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/<your-zone>/privkey.pem;

4. Your /etc/nginx/sites-available/default file should look like this:

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	 listen 443 ssl default_server;
	 listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/run/php/php7.4-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
	ssl_certificate /etc/letsencrypt/live/<your-zone>/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/<your-zone>/privkey.pem;

}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

5. Save and exit the file.

6. Restart the Nginx service:

systemctl restart nginx.service

7. Verify the Nginx service status:

systemctl status nginx.service

Result: The TLS certificate is added to your web server configuration.

Test your TLS certificate

1. To test your TLS certificate, open a web browser and enter the URL https://<your-zone-name>.

Result: The TLS certificate is successfully installed, and your web server is secure.

Renew your TLS certificate

Let's Encrypt certificates are valid for 90 days.

1. To manually renew your TLS certificate using the IONOS Cloud Certbot Plugin, you can do it manually by issuing the following command:

certbot renew

2. To automate the renewal process, you can set up a cron job to run the renewal command automatically. For more information on how to set up automated renewals, see the Certbot documentation page.

Result: Your TLS certificate is renewed successfully.

Last updated