Here's an example for the fictional domain


To add this domain, we first need to have the domain resolvable through the DNS system.

For that you need to first add the domain in the /etc/bind/ configuration file and increment the serial.

To add the example domain, we add this line:

r2d2     3M IN A

And then we increment the serial from by at least one, here it's 1000000007:

@    1D IN SOA (
    1000000007    ; serial
    3H        ; refresh
    1H        ; retry
    24D        ; expiry
    3H )        ; minimum ttl

So we make it become 1000000008:

@    1D IN SOA (
    1000000008    ; serial
    3H        ; refresh
    1H        ; retry
    24D        ; expiry
    3H )        ; minimum ttl

Then we need to make bind9 take the changes into account. We can use the following command for that:

systemctl reload bind9

TLS certificates

As we need to protect people's privacy and security, we often need a TLS certificate associated with every new domains.

We first need to have a web server be able to serve files at that domain to make letsencrypt work.

To do that you can either add the new domain in /etc/apache2/sites-enabled/letsencrypt.conf, or another configuration file in the same directory.

Here's configuration directives for, you'll need to adapt it for a different domain:

<VirtualHost *:80>
    DocumentRoot        /var/www/letsencrypt/

You can paste that in any file in /etc/apache2/sites-enabled/:
  • You can add it to /etc/apache2/sites-enabled/letsencrypt.conf if you plan to keep using it after for enabling letencrypt to renew the certificates automatically. This is typically useful if you don't need a web server at that domain, which can be the case if you only intend to host a mail server there for instance.
  • You can add it in a temporary file like /etc/apache2/sites-enabled/r2d2.conf if you use another configuration for that later on.
  • Or you can add it to any existing or new file in the /etc/apache2/sites-enabled/ depending on your needs.

Then you need to make apache2 take this into account. You can do it with the following command:

root@replicantserver0:~# systemctl reload apache2

You can check if apache2 is still running fine with the following command:

root@replicantserver0:~# pidof apache2
10465 10456 10421 230

At this point it would be a good idea to verify that everything works well before proceding as there is a limited number of (failed) attempt with letencrypt. When the limit is reached you have to wait before being able to retry which can be time consuming.

To check if everything is fine, it would be a good idea to:
  • make sure that you can ping the domain
  • make sure that apache responds, a "Forbidden" web page is good enough for that

It's then a good time to finally get a certifificate. You can use the 'certbot certonly --webroot' command to do that.

Here's an example of usage for the domain:

root@replicantserver0:~# certbot certonly --webroot 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Input the webroot for (Enter 'c' to cancel): /var/www/letsencrypt/
Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2020-08-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew" 
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

Finally don't forget to change the apache configuration again if the changes you made were only meant to be temporary.

Updated by Denis 'GNUtoo' Carikli about 1 year ago · 3 revisions

Also available in: PDF HTML TXT