TLS Certificates

ACME - Certbot

Configuration via /etc/letsencrypt/cli.ini

Any global --some-option can be used in cli.ini by omitting the leading hyphens (--). To set an option for a specific certificate, set it in that certificate's renewal config file in /etc/letsencrypt/renewal/.

Useful defaults:

email =
agree-tos = true

Change key type:

key-type = ecdsa
elliptic-curve = secp384r1

Alternative chains:

preferred-chain = ISRG Root X1

Specifying ISRG Root X1 omits the expired root certificate that the default chain includes to support ancient versions of Android. [1]

The CAA DNS record type can be used to limit which CAs may issue a certificate for a domain or subdomain.

Send reports about unauthorized requests to issue a certificate to a specific mail address (placeholder address):

IN CAA 0 iodef "mailto:<address>"

Not all CAs support this.

Allow only Let's Encrypt to issue certificates:

IN CAA 0 issue "letsencrypt.org"

Only allow a certain validation method and specific accounts:

; Allow Let's Encrypt, production and staging account, HTTP-01 only (account URIs are placeholders)
IN CAA 0 issue "letsencrypt.org; accounturi=<production-account-uri>; validationmethods=http-01"
IN CAA 0 issue "letsencrypt.org; accounturi=<staging-account-uri>; validationmethods=http-01"

You usually want to list both a production and a staging account URI, so that --dry-run (which uses the staging environment) still works.

Prohibit issuance of a certificate:

; non-wildcard IN CAA 0 issue ";"

; wildcard IN CAA 0 issuewild ";"

Override the policy for a subdomain (owner names and CA identifiers are placeholders):

<domain>        IN CAA 0 issue "<ca-for-domain>"
<sub>.<domain>  IN CAA 0 issue "<ca-for-subdomain>"

When issuing a certificate for a name, a CAA record is searched for at that name first and then at each parent domain in turn, up to the top-level domain. The first CAA record set found applies. [2]
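The lookup order above, together with the accounturi/validationmethods parameters and the subdomain override, is easy to get wrong when reading a zone by hand. The following is an added example (not code from the original page or from Certbot) that models how a CA evaluates CAA policy against a constructed sample zone: it climbs from the requested name towards the TLD, takes the first CAA record set it finds, and then checks the CA identifier, account URI and validation method. The zone, the account URIs and the domains are placeholders.

```python
"""Offline model of how a CA evaluates CAA policy (RFC 8659 tree climbing).

Added example, not code from the original page or from Certbot. The zone
below is a constructed sample; account URIs and domains are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 = non-critical, 128 = issuer-critical
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # e.g. 'letsencrypt.org; validationmethods=http-01'


# Placeholder ACME account URIs (the account id part is made up).
PROD_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER-ID"
STAGING_ACCOUNT = "https://acme-staging-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER-ID"

# Constructed sample zone: owner name -> CAA RRset.
ZONE = {
    "example.com": [
        CAARecord(0, "iodef", "mailto:caa-reports@example.com"),
        # Production and staging accounts, HTTP-01 only, so --dry-run still works.
        CAARecord(0, "issue", f"letsencrypt.org; accounturi={PROD_ACCOUNT}; validationmethods=http-01"),
        CAARecord(0, "issue", f"letsencrypt.org; accounturi={STAGING_ACCOUNT}; validationmethods=http-01"),
        CAARecord(0, "issuewild", ";"),   # nobody may issue wildcard certificates
    ],
    "legacy.example.com": [
        CAARecord(0, "issue", "digicert.com"),   # subdomain override: a different CA
    ],
    "locked.example.com": [
        CAARecord(0, "issue", ";"),              # nobody may issue at all
    ],
}


def parent_chain(name):
    """'www.example.com' -> ['www.example.com', 'example.com', 'com']."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def find_caa_set(name):
    """Climb towards the TLD; the first non-empty CAA RRset found applies."""
    for candidate in parent_chain(name):
        rrset = ZONE.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def parse_value(value):
    """Split 'ca-domain; k=v; k=v' into (ca_domain, {k: v}); ';' alone gives ('', {})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params


def may_issue(name, ca_domain, account_uri=None, method=None):
    """True if ca_domain (with this account URI and validation method) may issue for name."""
    wildcard = name.startswith("*.")
    owner, rrset = find_caa_set(name[2:] if wildcard else name)
    if not rrset:
        return True                      # no CAA anywhere up the tree: unrestricted
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"                # issuewild takes precedence for wildcard names
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True                      # RRset present but silent on this tag
    for rec in relevant:
        ca, params = parse_value(rec.value)
        if ca != ca_domain.lower():
            continue                     # ';' (empty CA) never matches anyone
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        if "validationmethods" in params:
            allowed = {m.strip() for m in params["validationmethods"].split(",")}
            if method not in allowed:
                continue
        return True
    return False


def report_address(name):
    """The iodef target that would receive a report about a refused request, if any."""
    _, rrset = find_caa_set(name)
    for rec in rrset:
        if rec.tag == "iodef":
            return rec.value
    return None


if __name__ == "__main__":
    print(may_issue("www.example.com", "letsencrypt.org", PROD_ACCOUNT, "http-01"))   # True
    print(may_issue("www.example.com", "letsencrypt.org", PROD_ACCOUNT, "dns-01"))    # False
    print(may_issue("*.example.com", "letsencrypt.org", PROD_ACCOUNT, "http-01"))     # False
```

Two things the model makes visible: a request for www.legacy.example.com is judged only by the record set at legacy.example.com (the first one found), so the apex policy no longer applies there; and with only a production accounturi listed, a request from the staging account would be refused, which is exactly what breaks --dry-run.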

CAA and CNAME cannot coexist at the same subdomain name: a CNAME cannot share its owner name with any other record, and it delegates CAA lookups to the target name as well.