Getting an SSL Certificate from Let’s Encrypt

Install the certbot package.

certbot certonly --apache -m postmaster@technomancer.com --agree-tos -d hostname.technomancer.com

Make sure to add a CAA record for the domain to the relevant DNS zone:

technomancer.com.    IN    CAA    128 issue "letsencrypt.org"

CAA records tell CAs which of them are allowed to issue certs for the named domain. They won’t stop a bad actor outright, but they will stop someone from getting a legitimate CA that checks CAA records to issue certificates for my domain.
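The check a CAA-honouring CA performs before issuing, sketched in Python as an added example (not code from this post or from any CA). The zone data is constructed from the record above; the function names and `other-ca.example` are assumptions, and the logic is a simplified model of RFC 8659 with no live DNS lookups.

```python
"""Simplified model of the CAA check (RFC 8659) a CA runs before issuing."""

# Constructed zone data: owner name -> CAA RDATA in zone-file form.
# The single entry mirrors the record shown in the post.
ZONE = {"technomancer.com.": ['128 issue "letsencrypt.org"']}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # flags value 128 = "issuer critical" bit

def parse_caa(rdata):
    """Split '<flags> <tag> "<value>"' into (flags, tag, value)."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip('"')

def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; the first name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if zone.get(name):
            return name, [parse_caa(r) for r in zone[name]]
    return None, []

def may_issue(ca_domain, fqdn, zone, wildcard=False):
    """True if a CA identified by ca_domain may issue for fqdn."""
    _, rrset = relevant_rrset(fqdn, zone)
    # A critical property the CA does not understand forbids issuance.
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    wild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild overrides issue for wildcard requests and is ignored otherwise.
    applicable = wild if (wildcard and wild) else issue
    if not applicable:
        return True  # no CAA, or nothing that restricts this request
    # Drop any ";parameters"; a bare ";" leaves "" and so matches no CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in applicable}
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    host = "hostname.technomancer.com."
    print(relevant_rrset(host, ZONE)[0])              # record found at the parent
    print(may_issue("letsencrypt.org", host, ZONE))   # named CA
    print(may_issue("other-ca.example", host, ZONE))  # any other CAA-checking CA
```

Because the lookup climbs toward the root, the single record at `technomancer.com.` also covers `hostname.technomancer.com.` unless the host publishes CAA records of its own.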
