Issue TLS Certificates using IONOS Cloud Certbot Plugin
Transport Layer Security(TLS), is a pivotal security protocol that ensures the encryption of data transmitted between web browsers like Chrome, Firefox, and web servers.
Employing TLS certificates for all hosted content and applications is imperative. It not only safeguards sensitive information but also fosters trust among users by guaranteeing secure communication channels.
Info: To obtain a Let’s Encrypt certificate for your domain, verification of ownership is required. This can be achieved through various methods detailed in the Let’s Encrypt documentation. One commonly used method is the DNS-01 challenge, which necessitates demonstrating control over the domain's DNS by generating a specific value in a TXT record. Utilizing the Certbot plugin facilitates the certificate issuance process by managing TXT records automatically, handling tasks such as creation, removal, renewal, and revocation. Further details on this process can be found in the Certbot documentation.. For more information on Cloud DNS Certbot plugin, see Cloud DNS Certbot GitHub.
This tutorial will guide you on how to install and configure a simple web server, create an A record for that web server using IONOS Cloud DNS API, and create an TLS certificate for your web server using Cloud DNS Certbot. The steps we will follow are:
Reserve an IPv4 in your IONOS Cloud setup.
Set up a Web Server on Dedicated Core Server in IONOS Cloud.
Create an A record for your web server. For information on common record types, see Create records of other types.
Create an TLS certificate for your web server using IONOS Cloud Certbot Plugin.
Add TLS certificate to your web server configuration.
Test your TLS certificate.
Prerequisites:
You have an IONOS account. If you do not have an account, you can create one by visiting the IONOS website.
You have a zone with IONOS Cloud DNS. If you do not have a zone, you can create one using the IONOS Cloud DNS API. For more information, see Create a zone using IONOS Cloud DNS API. We will refer to this zone and zone name as
<your-zone>
and<your-zone-name>
, respectively.Make sure to use your own
<zone_id>
and<your_server_ip>
along with your<authorization token>
.
Reserve an IPv4 address in IONOS Cloud
To reserve an IPv4 address in IONOS Cloud, follow these steps:
1. In the DCD, go to Menu > Management > IP Management.
2. In IP Management, click Reserve IPs, and a new pop-up window appears. Enter the following information:
Name: Enter a suitable name.
Number of IPs: Select the number of IP addresses to be reserved.
Region: Select a region that is the same as the region of your Dedicated Core server. Click Reserve IPs to reserve the IP addresses and confirm the reservation by selecting OK.
3. Exit the IP Management window and return to the IONOS Cloud Workspace.
Result: The IPv4 address is reserved.
Set up a Dedicated Core Server in IONOS Cloud
Note:
The user who creates the server has full root or administrator access rights. A server, once provisioned, retains all its settings (resources, drive allocation, password, and so on), even after server restart at the operating system level.
The server will only be removed from your virtual data center once you delete it in the DCD.
To set up a Dedicated Core server in IONOS Cloud, follow these steps:
1. Create a Dedicated Core server and configure the server in the Settings tab by following the steps in Create a Dedicated Core Server.
2. Configure the server Network settings by following the steps in the Dedicated Core Server network settings.
3. Configure the server Storage settings by following the steps in the Dedicated Core Server storage settings.
4. Continue to provision the changes and start the Dedicated Core Server by following the steps in the Provision changes and starting the Dedicated Core Server.
Result: A Dedicated Core Server is set up and started along with the configuration of Settings, Network, and Storage setup.
Dedicated Core Server network settings
In the DCD > Inspector pane on the right, configure the following network details in the Network tab.
1. Name: Choose a name unique to this Virtual Data Center (VDC).
2. MAC: It is automatically assigned during the VM creation.
3. LAN: Select the LAN connection that is connected to the internet by default it is LAN 1.
4. Firewall: By default, the firewall is disabled. To enable firewall rules, make sure that incoming and outgoing traffic is allowed on port 25 for UDP and TCP.
5. In the IPv4 Configuration, click Add IP and select the same IP address that you used to create an A record.
Result: The Network settings for a Dedicated Core server are configured.
Dedicated Core Server storage settings
Warning: The storage type cannot be changed after provisioning.
In the DCD > Inspector pane on the right, configure the following storage details in the Storage tab.
1. Click SSD and a new pop-up window Create New Attached Storage appears.
2. Configure the following storage details:
Name: Enter a name that is unique within your VDC.
Availability Zone: By default, the value is set to "Auto".
Size in GB: We recommend using 20 for the storage size.
Performance: Select "Standard".
Image: You can select one of IONOS images or snapshots, or use your own. For this tutorial, we will use an Ubuntu server image from IONOS. To make the same choice, select ubuntu-22.04-server-cloudimg-amd64 under IONOS Images.
Password: Create a password for the "root" user of the server. You will need this password to SSH and make changes.
SSH Keys: Select an SSH key stored in the SSH Key Manager.
Ad-hoc SSH Key: If you have not created an SSH key, copy and paste the public part of your SSH key into this field.
Cloud-Init user data: To install the Nginx web-server, Certbot, and Python3-pip tools, use the following Cloud-Init user data.
Boot from Device: Select this checkbox to make the SSD drive bootable.
3. Click Create SSD Storage to create the SSD storage.
Result: The Storage settings for a Dedicated Core server are configured.
Provision changes and start the Dedicated Core Server
1. Select the newly created Dedicated Core server.
2. From the Settings tab in the Inspector pane, select Power > Start.
3. Click Provision Changes in the lower right corner and click Provision Now.
Result: The Dedicated Core server is provisioned and started.
Next steps: After your changes are provisioned and the server is started, select your Dedicated Core server, click the Network tab in the Inspector pane, and copy one of the IPv4 addresses.
Create an A record for your web server
1. To create an A record for your email server, follow these steps:
Info: We already own the zone demo-ionos.cloud
and will use it for this tutorial. Previously, we created a zone demo-ionos.cloud
using the IONOS `Cloud DNS API. For more information on how to create a zone using IONOS Cloud DNS API, see Create a zone using IONOS Cloud DNS API.
Prerequisite: Make sure to use your own <zone_id>
and <your_server_ip>
along with your <authorization token>
.
Result: The A record for your web server is created.
Info: For more information on how to create a record for a zone using IONOS Cloud DNS API, see Create a record for a zone using IONOS Cloud DNS API.
Create an TLS certificate for your web server using IONOS Cloud Certbot Plugin
1. Create a credentials.ini
file containing the IONOS Cloud API token. This file must contain ionos_dns_token
key with the value of the access token:
and add the following content:
Save and exit the file.
2. Restrict access to the credentials.ini
file:
3. Create an TLS certificate for your web server using the IONOS Cloud Certbot Plugin:
Flag
Description
--authenticator dns-ionos
Specifies the authenticator plugin to be used.
--dns-ionos-credentials
Specifies the path to the credentials.ini
file.
--dns-ionos-propagation-seconds
Specifies the time to wait for DNS propagation.
--agree-tos
Agrees to the terms of service.
--rsa-key-size
Specifies the size of the RSA key.
-d
Specifies the domain name for which the certificate is issued. Provide the previously created zone name.
4. When prompted, enter the email address for urgent renewals and security notices.
5. The Certbot plugin will automatically create a TXT record in your zone to verify the domain ownership.
6. The Certbot plugin will issue the TLS certificate for your web server. On successful issuance, you will see the following message:
Note: TLS Certificate and Key will be created in /etc/letsencrypt/live/<your-zone>/
folder. For the purpose of this tutorial we used zone demo-ionos.cloud
, therefore TLS Certificate and Key are created in /etc/letsencrypt/live/demo-ionos.cloud/
directory.
Result: The TLS certificate for your web server is issued using the IONOS Cloud Certbot Plugin.
Add TLS certificate to your web server configuration
1. Add the TLS certificate to your web server configuration by editing the Nginx configuration file:
2. At the beginning of /etc/nginx/sites-available/default
file, uncomment the following lines:
3. Add the following lines to the bottom of the server
block:
4. Your /etc/nginx/sites-available/default
file should look like this:
5. Save and exit the file.
6. Restart the Nginx service:
7. Verify the Nginx service status:
Result: The TLS certificate is added to your web server configuration.
Test your TLS certificate
1. To test your TLS certificate, open a web browser and enter the URL https://<your-zone-name>
.
Result: The TLS certificate is successfully installed, and your web server is secure.
Renew your TLS certificate
Let's Encrypt certificates are valid for 90 days.
1. To manually renew your TLS certificate using the IONOS Cloud Certbot Plugin, you can do it manually by issuing the following command:
2. To automate the renewal process, you can set up a cron job to run the renewal command automatically. For more information on how to set up automated renewals, see the Certbot documentation page.
Result: Your TLS certificate is renewed successfully.
Last updated