How to get certificate with Letsencrypt using DNS to verify domain

Sometimes ports 80 and 443 are not available.

We are going to use Letsencrypt’s certbot --manual and --preffered-challenges dns options to get certificates and activate them manually.

You’ll need a domain name (also known as host) and access to the DNS records to create a TXT record pointing to: _acme-challenge.yourNCP.yourdomain.tld with a challenge value provided by certbot when running it with the dns option.

You will also need to have opened (forwarded) a port in your router. So you may want to have your external port start and end at 2443 and your internal port to start and end at 443.

1. Install Letsencpyt’s certbot and apache module (apache module is not tested yet)

  • sudo apt install certbot python-certbot-apache

2. Add your local IP and hostname to /etc/hosts

  • sudo nano /etc/hosts

Add a line with your local IP and hostname.domain.tld


3. Generate the required information

The following command will generate all the required files and the certificate (after providing challenge value for DNS TXT record and successfully reading the DNS record)

(In the below command make sure to change yourNCP.domain.tld to your actual host name)

  • sudo certbot -d yourNCP.domain.tld --manual --preferred-challenges dns certonly

Please note that you will be asked about your IP being logged after which you will be given a string of characters that you’ll then need to add(deploy) to your DNS TXT record that you have with the host name provider

4. Adding the information to nextcloud.conf

With the following command open nextcloud.conf:

  • sudo nano /etc/apache2/sites-enabled/nextcloud.conf

Then add the following two lines (don’t forget to change yourNCP.domain.tld to your actual NCP domain name)

SSLCertificateFile /etc/letsencrypt/live/yourNCP.domain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourNCP.domain.tld/privkey.pem

5. Edit the config.php file

With the following command open the config.php file:

  • sudo nano /var/www/nextcloud/config/config.php.

Then under trusted_domains:
Replace the value of
localhost in 0 => \'localhost\' with
localhost in 0 => yourNCP.domain.tld:port

6. Restart php service

With the following command restart php:

  • sudo service php7.0-fpm restart
    Note: This may fail because your php may be a different version to 7.0. (Tab completion after php will probably complete the available version)

7. Restart apache2

With the following command restart apache2:

  • sudo service apache2 restart

You should now be able to access your NCP at


I have my test NCP running on port 2443external/443internal, so I have a NAT/port forward accordingly. You are free to access your NCP on any port, now that domain and certificate are verified and installed.


Looks gorgeous but what is this DNS TXT? I spent hours on internet to figure out and it seems everybody knows what/where this is located and I have no clue. I am using duckdns has domain host… so maybe that explains it.

Can check out About TXT records - Google Workspace Admin Help

Here is an example of what a txt record can look like:

1 Like

ok thanks.
I understand now that for Debian this is meant to be environment variable that would host the TXT value…
Does anyone know how to create that variable and store a value in it for debian/rpi4?
It’s too much of technical for my limited skills

Nothing to do with Debian or Environment variable afaik, you set and edit a TXT record in the DNS settings at your Domain provider.

1 Like

coming baxk after few weeks…
I figured out how to set TXT value with my domian name provider.

1 Like

Following these steps, I ended up successfully installing cerbot (even though there are quite a few adaption one has to do, like manually installing the current version of augeas-tools, python-augeas and certbot-apache).
BUT, unfortunately, now I cannot reach my Nextcloud server anymore - neither via the web, nor locally. It gives me an “internal server error”, which usually means something is misconfigured.

What could lead to this? Even after undoing the edit of the hosts file, the apache and the nextcloud config, it still won’t respond.
Any tips on debugging this?


Findings from my nc-error.log file (in /var/logs/apache2):

  • Unable to configure certificate localhost:443:0 for stapling
  • localhost:443:1 server certificate does NOT include an ID which matches the server name

Any idea what that means and how it could lead to the internal server error?

Nevermind, after checking everything again, it works now.
What I did was delete most of the duplicate and no longer needed entries in /var/www/nextcloud/config/config.php, which apparently had a syntax error in them (which I found out in the log above).