TLS Certificates

ACME - Certbot

Configuration via /etc/letsencrypt/cli.ini

Any global --some-option can be used in cli.ini by omitting the leading hyphens (--). To set an option for a specific certificate, set it in that certificate's renewal config file under /etc/letsencrypt/renewal/.

Useful defaults:

email =
agree-tos = true

Change key type:

key-type = ecdsa
elliptic-curve = secp384r1

Alternative chains:

preferred-chain = ISRG Root X1

Specifying ISRG Root X1 will omit the expired root certificate included by default to support ancient versions of Android. 1

See also:


The CAA DNS record type can be used to limit what CA can issue a certificate for a domain or subdomain.

Send reports about unauthorized requests to issue a certificate to a specific mail address: IN CAA 0 iodef ""

Not all CAs support this.

Allow only Let’s Encrypt to issue certificates: IN CAA 0 issue ""

Only allow a certain validation method and specific accounts 2:

; Allow letsencrypt
IN CAA 0 issue "; accounturi=; validationmethods=http-01"
IN CAA 0 issue "; accounturi=; validationmethods=http-01"

You usually want to specify both a production and a staging account URI, so that --dry-run (which uses the staging environment) keeps working.

Prohibit issuance of a certificate:

; non-wildcard IN CAA 0 issue ";"

; wildcard IN CAA 0 issuewild ";"

Override policy for a subdomain:

IN CAA 0 issue ""
IN CAA 0 issue ""

When issuing a certificate for, a CAA record is searched for at,, and, in this order. The first policy found applies. 3

See also:


CAA and CNAME records cannot coexist at a subdomain, as the CNAME delegates the CAA lookup as well.
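A small checker for the CAA policy described above (walk from the name toward the root and apply the first record set found; issuewild takes precedence for wildcard names; an empty issuer prohibits issuance; accounturi and validationmethods narrow a match), written here as an added example rather than code from the page or from any CA. The zone contents, domain names, mailbox and account URI are constructed placeholders standing in for the values the notes elide.

```python
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value) as in: 0 issue "letsencrypt.org; ..."

# Constructed sample zone (placeholders, not real data): name -> CAA record set.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org; accounturi=https://acme.example/acct/PLACEHOLDER; validationmethods=http-01"),
        (0, "issuewild", ";"),                      # no wildcard issuance by anyone
        (0, "iodef", "mailto:security@example.com"),
    ],
    "blocked.example.com": [(0, "issue", ";")],     # subdomain override: nobody may issue
}

def relevant_caa(name: str, zone: Dict[str, List[CAARecord]]) -> Tuple[Optional[str], List[CAARecord]]:
    """Search name, then each parent, stopping before the TLD; the first set found applies.
    A wildcard name is queried as-is first (normally empty) and then falls through to its parent."""
    labels = name.split(".")
    while len(labels) > 1:
        candidate = ".".join(labels)
        if zone.get(candidate):
            return candidate, zone[candidate]
        labels = labels[1:]
    return None, []

def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """'ca.example; k=v; k=v' -> ('ca.example', {k: v}); an empty CA part means 'nobody'."""
    ca, *params = [p.strip() for p in value.split(";")]
    return ca, dict(p.split("=", 1) for p in params if "=" in p)

def issuance_allowed(name: str, ca: str, account: str, method: str,
                     zone: Dict[str, List[CAARecord]] = ZONE) -> bool:
    wildcard = name.startswith("*.")
    _, rrset = relevant_caa(name, zone)
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False                                # unknown critical property: refuse
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    rules = [parse_issue_value(v) for _, t, v in rrset if t == tag]
    if not rules:
        return True                                 # no CAA at all, or nothing restricting this name type
    for rule_ca, params in rules:
        if rule_ca.lower() != ca.lower():
            continue                                # includes the empty issuer ";" (prohibit)
        if "accounturi" in params and params["accounturi"] != account:
            continue
        if "validationmethods" in params and method not in params["validationmethods"].split(","):
            continue
        return True
    return False
```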



ISRG Root X1 is an RSA certificate. Consider using ISRG Root X2 (ECDSA) in the future. See Certificates


Let’s Encrypt currently only honors accounturi and validationmethods on staging.


See Where to put the record