Getting an SSL Certificate from Let’s Encrypt

Install the certbot package.

certbot certonly --apache  -m --agree-tos -d

Make sure to add a CAA record for the domain to the relevant DNS zone:

IN      CAA     128     issue ""

CAA records tell CAs which of them are allowed to issue certs for the named domain.  It won’t stop a bad actor outright, but it will stop someone from using a legitimate CA that checks CAA records to get certificates issued on my behalf.
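How a CAA-checking CA evaluates a record like the one above, including the critical flag (128), sketched as an added example that is not part of the original page. The zone lines are constructed samples: example.com and other-ca.example are placeholders, and letsencrypt.org is the identifier Let's Encrypt uses in CAA records. The check covers a single RRset and leaves out the climb to parent domains.

```python
import shlex

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample RRset (not from the original page).
SAMPLE_RRSET = ['example.com. IN CAA 128 issue "letsencrypt.org"']

def parse_caa(line):
    """Parse one zone-file CAA line: <name> IN CAA <flags> <tag> "<value>"."""
    fields = shlex.split(line)
    i = fields.index("CAA")
    return int(fields[i + 1]), fields[i + 2].lower(), fields[i + 3]

def issuer_of(value):
    """Issuer domain of a property value, dropping ';'-separated parameters."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(rrset, ca_domain, wildcard=False):
    """Decide as a CAA-checking CA would (RFC 8659) for one relevant RRset."""
    records = [parse_caa(line) for line in rrset]
    # Critical bit (128) on a tag the CA does not understand: refuse to issue.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [issuer_of(v) for _, tag, v in records if tag == "issue"]
    wild = [issuer_of(v) for _, tag, v in records if tag == "issuewild"]
    # issuewild overrides issue for wildcard names and is ignored otherwise.
    relevant = wild if (wildcard and wild) else issue
    if not relevant:
        # No applicable issue/issuewild property (or no CAA at all): unrestricted.
        return True
    # An empty issuer (value ";") never matches, so it forbids all issuance.
    return ca_domain.lower() in relevant

if __name__ == "__main__":
    for ca in ("letsencrypt.org", "other-ca.example"):
        print(ca, "may issue:", may_issue(SAMPLE_RRSET, ca))
```

A domain with no CAA records at all is open to every CA, which is why the record is worth adding even when only one CA is in use.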

