Hetzner/IONOS: free SSL certificates with certbot


Introduction

I see a lot of people struggling with setting up https:// in their homelab; in some cases you can't avoid it (for example Vaultwarden). With this guide you can automatically create and renew SSL certificates for your homelab webserver with the help of Let's Encrypt and certbot.

If you want to use the “NGINX Proxy Manager” instead of the plain certbot in the terminal, read this blog post: SSL certificates with NGINX Proxy Manager (IONOS or Hetzner).

Requirements

  • a domain you own
  • an account at Hetzner or IONOS
  • terminal access to your server

DNS and API Token

Below you find the instructions for Hetzner or IONOS. Select your preferred provider.

Hetzner

This guide was updated to the new “Hetzner Console”; “Hetzner DNS” (https://dns.hetzner.com) will be discontinued by Hetzner.

  1. First of all, we start in Hetzner. Log into your account and switch to the “Console” section on the top right. It is also available at https://console.hetzner.com/projects
  2. Open your existing project or create a new one, if you don't have one yet.
  3. Switch to “DNS” under “Networking” on the right.
  4. If your domain is not yet in the Hetzner Console, set it up with “Add new zone”.
  5. Enter your DNS zone (in my example “torminal.com”) and click “continue”.
  6. You have to add the name servers from Hetzner at the hoster of your domain. Please look into guides for your specific hoster (search for something like: “{Name of hoster} add custom nameservers for domain”).
  7. After that, your new zone is available in the DNS console and Hetzner is now the main DNS manager for your domain.
  8. In the dashboard of the Console, click on “Security”.
  9. In “Security” choose “API-Tokens” and “Add API-Token” on the top right.
  10. Enter a name for your token in “Description”, choose “Read and write” permissions and click on “Create Access Token”.
  11. Save the token securely.

IONOS

  1. First of all, we start in IONOS. Log into your account.
  2. If not already done, you need to get access to the IONOS API at the IONOS API Shop.
  3. “Buy” the free API Add-On.
  4. Next go to the API key portal.
  5. Add a new key and give it a name (for example: “homelab”).
  6. Save the token securely.


Certbot: Set up SSL Certificate

Install certbot

  1. Connect to the terminal of your server (ssh).
  2. Install the snap package manager: sudo apt install snapd
  3. Install certbot with snap: sudo snap install --classic certbot
  4. Add certbot to PATH: sudo ln -s /snap/bin/certbot /usr/bin/certbot

Below you find the instructions for Hetzner or IONOS. Select your preferred provider.

Hetzner

Configure certbot for Hetzner

Source: Github - certbot-dns-hetzner-cloud

  1. Install certbot-dns-hetzner-cloud with snap: sudo snap install certbot-dns-hetzner-cloud
  2. Connect certbot-dns-hetzner-cloud and certbot:
    sudo snap set certbot trust-plugin-with-root=ok
    sudo snap connect certbot:plugin certbot-dns-hetzner-cloud
    
  3. Check that certbot-dns-hetzner-cloud is available for certbot: certbot plugins
  4. You should see * dns-hetzner-cloud in the plugin list.
  5. Now add your API token on the server. For example, use /etc/hetzner.ini:
    nano /etc/hetzner.ini
    
  6. and add your token in the following format:
    dns_hetzner_cloud_api_token = addyourtokenhere
    
  7. Change the file permissions of the key file to 600, so that no other user can read the token:
    chmod 0600 /etc/hetzner.ini
    

Request a new certificate

  1. Run the following command and enter your domain instead of <example.com>:
    sudo certbot certonly --agree-tos --authenticator dns-hetzner-cloud --dns-hetzner-cloud-credentials /etc/hetzner.ini -d <example.com>
    
  2. Enter an email (if requested) or skip.
  3. After some time you should get your certificate.
  4. You find your full chain (certificate) and key at /etc/letsencrypt/live/example.com/fullchain.pem and /etc/letsencrypt/live/example.com/privkey.pem, which you can now use!

IONOS

Configure certbot for IONOS

Source: Github - certbot-dns-ionos

  1. Install certbot-dns-ionos with snap: sudo snap install certbot-dns-ionos
  2. Connect certbot-dns-ionos and certbot:
    sudo snap set certbot trust-plugin-with-root=ok
    sudo snap connect certbot:plugin certbot-dns-ionos
    
  3. Check that certbot-dns-ionos is available for certbot: certbot plugins
  4. You should see * dns-ionos in the plugin list.
  5. Now add your API key on the server. For example, use /etc/ionos.ini:
    nano /etc/ionos.ini
    
  6. and add your key (prefix and secret) in the following format:
    dns_ionos_prefix=YOUR_PREFIX
    dns_ionos_secret=YOUR_SECRET
    dns_ionos_endpoint=https://api.hosting.ionos.com
    
  7. Change the file permissions of the key file to 600, so that no other user can read the key:
    chmod 0600 /etc/ionos.ini
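
Before running certbot, the credentials file from either provider section (/etc/hetzner.ini or /etc/ionos.ini) can be checked for the mistakes that show up most often: wrong file permissions, a missing key, or the placeholder value from the guide still in place. This is an added example, not part of the original post or of the certbot plugins; the function name check_credentials and the token values used in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight check for a certbot
# DNS-plugin credentials file such as /etc/hetzner.ini or /etc/ionos.ini.
# Verifies that the file exists, has mode 0600, contains every expected key
# with a non-empty value, and no longer carries a placeholder from the guide.
#
# Usage (the function name is an assumption of this example):
#   check_credentials /etc/hetzner.ini dns_hetzner_cloud_api_token
#   check_credentials /etc/ionos.ini dns_ionos_prefix dns_ionos_secret dns_ionos_endpoint
# Returns 0 when all checks pass, 1 otherwise, with the reason printed to stderr.

check_credentials() {
    file="$1"
    shift
    if [ ! -f "$file" ]; then
        echo "ERROR: $file does not exist" >&2
        return 1
    fi
    # The token grants read/write access to the whole DNS zone, so nobody but
    # the owner may read the file. GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%OLp' "$file")
    if [ "$mode" != "600" ]; then
        echo "ERROR: $file has mode $mode, expected 600 (run: chmod 0600 $file)" >&2
        return 1
    fi
    for key in "$@"; do
        # Accept both "key = value" and "key=value"; use the last assignment found.
        value=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" \
            | sed 's/[[:space:]]*$//' | tail -n 1)
        if [ -z "$value" ]; then
            echo "ERROR: $key is missing or empty in $file" >&2
            return 1
        fi
        case "$value" in
            addyourtokenhere|YOUR_PREFIX|YOUR_SECRET)
                echo "ERROR: $key still contains the placeholder value from the guide" >&2
                return 1 ;;
        esac
    done
    return 0
}
```

Run it as root, since the files are only readable by root after the chmod above.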
    

Request a new certificate

  1. Run the following command and enter your domain instead of <example.com>:
    sudo certbot certonly \
    --agree-tos \
    --authenticator dns-ionos \
    --dns-ionos-credentials /etc/ionos.ini \
    --dns-ionos-propagation-seconds 60 \
    --rsa-key-size 4096 \
    -d <example.com>
    
  2. Enter an email (if requested) or skip.
  3. After some time you should get your certificate.
  4. You find your full chain (certificate) and key at /etc/letsencrypt/live/example.com/fullchain.pem and /etc/letsencrypt/live/example.com/privkey.pem, which you can now use!

Automate the renewal

To automate the renewal of the certificate, just add the renewal command to the crontab of root (certbot needs root to read /etc/letsencrypt and the credentials file).

  1. Open the crontab of root: sudo crontab -e
  2. Add the renewal command at the end of the file (a user crontab has no user column, so the line is just the schedule followed by the command):
    # Certbot Lets Encrypt renewal
    0 3 * * 6  /usr/bin/certbot renew >> /var/log/certbot-renew.log 2>&1
    
  3. This will run the renewal every Saturday at 3 am, and the output gets logged in /var/log/certbot-renew.log.
  4. Hint: if you use Apache2 or NGINX for example, don't forget to restart the service after the renewal (in the crontab). I just added this some minutes after the renewal runs:
    10 3 * * 6  systemctl restart nginx
    

Nice to know

Some helpful knowledge about certbot that could help you:

  • you can enter multiple subdomains with -d in the certbot command, for example: -d <example.com> -d <sub1.example.com> -d <sub2.example.com>
  • you can also request wildcard certificates with *: -d <*.example.com>

Fix issues

If you get an error with certbot when requesting the SSL certificate, check the following:

  • Is your API token correctly entered and saved?
  • Can your server reach the API service of Hetzner / IONOS?
  • For Hetzner: did you successfully add your domain to the DNS console before and set the Hetzner nameservers at your domain hoster? You can test that by manually adding an entry in the DNS Console of Hetzner and using an online DNS lookup tool to check that the record was successfully registered.
Author: torminal (IT enthusiast)
