Compliant Kubernetes Service documentation has moved

Please note: You are not reading Kubernetes documentation. If you're looking for Compliant Kubernetes Service documentation, it has moved. Read more here.

Certbot Manual Certificate Creation

How To Install Certbot

This document will go over the process of manually creating a LetsEncrypt certificate with Certbot.



To get started installing Certbot on your Mac, you will first need a package manager called Homebrew.

You can install Homebrew by running the following command.

/bin/bash -c "$(curl -fsSL"

Once Homebrew is installed, run the following command to install Certbot.

brew install certbot

Once that command finishes running, the installation is complete. Move onto the next section.



If you are using Ubuntu, run the following commands to add the Certbot package repository.

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

Once you've added the repository you can run this command to install Certbot.

sudo apt-get install certbot


Generate A Certificate

To generate a certificate, run the following command.

sudo certbot certonly --manual --preferred-challenges dns

You will be asked to enter the domain name that this certificate is for. Type your domain and press Enter.

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): <Your Domain Here>
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for <Your Domain Here>

Certbot will also ask if it is ok to log your IP. Certbot will not issue a cert without this. Type "y" and press Enter.

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

You will now be asked to create a DNS TXT record. This is how Certbot verifies that you own the domain you are making a certificate for.

Please deploy a DNS TXT record under the name
_acme-challenge.test.<Your Domain Here> with the following value:


Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Below is an example of TXT Record creation within AWS Route53. If you use another provider for your DNS, simply search for "<DNS Provider> add TXT Record" with Google for instructions.


After you have create and saved this record, you can press enter for Certbot to resume.

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/<Your Domain Here>/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/<Your Domain Here>/privkey.pem
Your cert will expire on 2020-08-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:
Donating to EFF:

You should now see output similar to the snippet above. Make note of the locations the `certificate` and `chain` have been saved to.

In the example, it is the following...


/etc/letsencrypt/live/<Your Domain Here>/fullchain.pem


/etc/letsencrypt/live/<Your Domain Here>/privkey.pem

You now have a freshly generated certificate.


Deploy Your Certificate

You will be using the Datica CLI to deploy your new certificate.

If your cert was previously managed by auto renewal, you will need to remove that certificate and then create a new certificate and site before deploying. Start with Remove Auto Renewed Certificate.

If you have used this process before, you can use Deploy Certificate To Existing Site to update the certificate for your site.

The next 3 sections will go over how to use the Datica CLI to deploy your certificate to a new site and an existing site.


Remove Auto Renewed Certificate

You cannot remove a certificate that is in use by a site. You must first remove the site.

datica -E <Your ENV Name> sites rm <Site Name>
datica -E <Your ENV Name> certs rm <Cert Name>

After removing the site and certificate, move onto Deploy Certificate To New Site.


Deploy Certificate To New Site

You will need to create your certificate before creating the site. Create the site and specify that you want you use the certificate you just created. The <Cert Name> and <Site Name> should match the domain on the certificate. The example below creates a new site for the code-1 service.

datica -E <Your ENV Name> certs create <Cert Name> <directory>/fullchain.pem <directory>/privkey.pem
datica -E <Your ENV Name> sites create <Site Name> code-1 <Cert Name>

Deploy the changes by running this code to redeploy your service proxy.

datica -E <Your ENV Name> redeploy service_proxy


Deploy Certificate To Existing Site

This will only work if you have already used the manual creation process to create your certificate and site. If you have been using auto-renewal, you need to first remove the site and then the certificate. Then follow the directions for Deploy Certificate To New Site.

If you already have a site and certificate setup via the manual process, you will only need to update your current certificate. Do that by running the following commands.

datica -E <Your ENV Name> certs update <Cert Name> <directory>/fullchain.pem <directory>/privkey.pem

Once you've updated the certificate, redeploy your service proxy to make the changes.

datica -E <Your ENV Name> redeploy service_proxy