Skip to content

Let’s Encrypt: Manually

Watching the tech industry moving toward SSL certs that are both free and accessible ( with a little know-how ) has been a joy. Have SSH access to your server? Great, get yourself setup with Certbot and you are good to go. But, what if you need to generate a free SSL when you don’t have SSH access and you don’t want to pay $10/year for that blog that may or may not exist beyond a year? 😄

Install Certbot

Assuming you have a macOS machine or a VM getting started is pretty straightforward. Open Terminal and let’s get started.

I always update Homebrew before moving on to the install and I recommend verifying you are getting it from a legitimate source:

brew update
brew info certbot

# verify it's from

brew install certbot

Request the SSL cert

Next, let’s setup the things relevant to us.


Now just copy and paste the certbot command.


certbot certonly --manual -d *.$CERTBOT_DOMAIN -d $CERTBOT_DOMAIN --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server --email $CERTBOT_EMAIL --rsa-key-size 4096 --config-dir $CERTBOT_TMPDIR --work-dir $CERTBOT_TMPDIR --logs-dir $CERTBOT_TMPDIR --no-eff-email

Note, you could pass the --register-unsafely-without-email command but that’s strongly discouraged per documentation for a good reason.


Specifying this flag enables registering an account with no email address. This is strongly discouraged, because in the event of key loss or account compromise you will irrevocably lose access to your account. You will also be unable to receive notice about impending expiration or revocation of your certificates. Updates to the Subscriber Agreement will still affect you, and will be effective 14 days after posting an update to the web site. (default: False)

You should see the following:

Performing the following challenges:
dns-01 challenge for
dns-01 challenge for

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name with the following value:


Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Deploy the new DNS TXT entry to your site and go back to Terminal. Repeat the process twice and you should see a “Congratulations!” in Terminal.

Deploy the SSL cert

The last piece is of course to deploy the SSL cert which assumes you already know how to do so in Control Panel > Zone Editor or the like.

Note the expirations on current SSL certs is around 3 months at which point one may need to renew existing certs of generating from scratch. A topic for another day.

Leave a Reply

Your email address will not be published. Required fields are marked *