Ordering a Let’s Encrypt Certificate

This article describes a feature in Public Beta.

DNSimple provides an SSL certificate interface you can use to acquire a new SSL certificate issued by Let’s Encrypt.

SSL certificates issued by Let’s Encrypt are valid for 90 days from the issue date. If you have selected auto-renewal for the certificate, we will begin attempting the renewal 30 days before the expiration date; otherwise, we will begin sending expiration notices at that point.

Before you start

To order an SSL certificate you need a DNSimple account. A subscription is necessary to keep the certificate renewed. The domain must be delegated to DNSimple’s name servers because validation uses the DNS challenge, which our implementation configures and checks automatically. It is not necessary to transfer the registration to us.

For more details about the configuration, approval and installation of the certificate, read the Getting Started with SSL Certificates article or follow the instructions on the site after you submit the SSL certificate order.

Order a Let’s Encrypt SSL certificate

Getting a new SSL certificate is a multi-step process that involves several parties: the customer (you), DNSimple, and the certificate authority (CA). Before purchasing an SSL certificate, read the Getting Started with SSL Certificates article to make sure you are familiar with the SSL certificate process.

The order is the first step in getting an SSL certificate. It creates an SSL certificate order (at no charge, in the case of Let’s Encrypt certificates) that represents a request to the CA for a certificate.

To order a certificate
  1. Log into DNSimple with your user credentials.
  2. If you have more than one account, select the relevant one.
  3. If the domain is not already in your account, follow the instructions to add a domain for domain services and add any records to it before delegating to our name servers.
  4. If the domain is already in your account, on the top-nav menu click the tab, locate the relevant domain and click on the name to access the domain page.
  5. Select the SSL Certificates tab and click to start the order.
  6. Click under the Let’s Encrypt option.
  7. Follow the instructions to order the certificate.

    1. Read this article to determine the appropriate host name of your SSL certificate.
    2. For different plans, the names available will differ. If you have the ability to select alternate names for your certificate, do so. Otherwise, continue to the next step.
    3. Select a Contact from your contact list. The contact information will be used to generate the certificate request (CSR). We will generate a private key that is used for your CSR. Make sure to read our private key policy before you order your certificate.
    4. Select whether you would like to automatically renew the certificate. If you do so, the certificate will be renewed 30 days prior to expiration as recommended by Let’s Encrypt.
    5. Submit the order.

What this looks like

As mentioned above, you will see a different form for ordering a Let’s Encrypt certificate based on the plan to which you are subscribed. If you have full access to SAN certificate configuration, this is what you’ll see:

[Image: Let's Encrypt with SAN]

Other plans provide the ability to configure only one name on your Let’s Encrypt certificate:

[Image: Let's Encrypt with single name configuration]

On some plans we do not allow the configuration of a name but instead configure the certificate to work only on the apex and www-subdomain of the zone:

[Image: Let's Encrypt with fixed names]

What’s next?

Once you order the certificate, we will configure the necessary DNS records and check that they are resolving properly before having Let’s Encrypt check the DNS challenge. Once the challenge is verified, the certificate will be issued and you can download and install the certificate on your server.

Due to the short expiration cycle of Let’s Encrypt certificates, it is recommended to automate as much of the installation process as possible. You can consult our developer documentation on SSL Certificates for more information on how to accomplish this via our API.
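
With 90-day certificates, a renewal that is issued but never installed on the server is the usual way an automated setup ends up serving an expired certificate. The following check is an added example, not DNSimple's code or API: it classifies the certificate a server presents against the 30-day renewal window and confirms that it covers the names you ordered. The function names, the sample certificate, and the example.com names are assumptions made for illustration.

```python
import socket
import ssl
import time

RENEWAL_WINDOW_DAYS = 30  # renewal begins 30 days before expiry (see above)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Return the leaf certificate a server presents, as a dict.
    Raises ssl.SSLCertVerificationError if it is expired or untrusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def name_covered(hostname, san):
    """Match one SAN dNSName; '*' covers exactly one left-most label."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == san[2:]
    return hostname == san


def check_cert(cert, expected_names, now=None):
    """Classify a getpeercert() dict as 'expired', 'renew' or 'ok', and
    list the expected names that no SAN entry covers."""
    now = time.time() if now is None else now
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    missing = [n for n in expected_names
               if not any(name_covered(n, s) for s in sans)]
    if days_left <= 0:
        status = "expired"
    elif days_left <= RENEWAL_WINDOW_DAYS:
        status = "renew"
    else:
        status = "ok"
    return status, int(days_left), missing


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
```

Run `check_cert(fetch_peer_cert(host), names)` on a schedule against each server; a `renew` status that persists after the renewal has been issued means the new certificate has not been installed there.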