Let's Encrypt encourages the use of certbot to automate certificate renewal, but that tool generates a new CSR every time. That makes DANE with TLSA difficult, so this set of scripts automates the renewal of consistent CSRs with certbot so systems administrators can choose when to generate a new CSR and update their DNS records in anticipation.


Read the article about this script on the Flipping Binary website.


Modify these steps and the scripts as necessary for your distribution. The steps have been tested only on Ubuntu 16.04 servers.

  1. Change ownership and permissions of the script files:
  $ sudo chown root:root letsencrypt-*
  $ sudo chmod +x letsencrypt-*
  2. Change the settings in the letsencrypt-tlsa file, especially the EMAIL setting!
  $ sudo nano letsencrypt-tlsa
  3. Move the letsencrypt-tlsa file to /etc/default so it is accessible by the other scripts and easy to edit:
  $ sudo mv letsencrypt-tlsa /etc/default
  4. Move letsencrypt-autorun to /etc/cron.weekly:
  $ sudo mv letsencrypt-autorun /etc/cron.weekly
  5. Move the rest to /usr/local/sbin:
  $ sudo mv letsencrypt-* /usr/local/bin


  1. Generate a key pair and Certificate Signing Request (CSR). This script does not limit the number of domain names, but attempting to generate one certificate for dozens of domains at a time might fail. The first listed domain is the primary domain and must be listed first for every command in this set of tools. Using and as an example:
  $ sudo letsencrypt-generate
  2. Request a signature from Let's Encrypt. Using and as an example, both of these commands do the same thing (note that the primary domain is listed first and is the only one that matters):
  $ sudo letsencrypt-request
  $ sudo letsencrypt-request
  3. Check the hash of the signed certificate. You can list secondary domains along with the primary domain, but the hash will be the same for each. The important part is the 3 1 1 and everything after it, which together make up your TLSA record. Using and as an example:
  $ sudo letsencrypt-hash
  4. Publish the TLSA records with your DNS provider.
  5. Install the new certificates. This command creates a symlink in a consistent location (defaulting to /etc/ssl/letsencrypt/live/<domainname>) to the latest signed certificate for the primary domain. Using and as an example, both of these commands do the same thing (note that the primary domain is listed first and is the only one that matters):
  $ sudo letsencrypt-install
  $ sudo letsencrypt-install
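An added example, not one of the repository's scripts, showing what the 3 1 1 value in a TLSA record is computed from and why reusing one CSR keeps it stable: the digest is the SHA-256 of the DER-encoded SubjectPublicKeyInfo, so the private key, the CSR and every certificate signed from that CSR yield the same value until the key pair changes. The function names, the check_renewal helper and the example.com zone-file line are assumptions; only the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example: derive a DANE-EE TLSA "3 1 1" digest (SHA-256 over the
# DER SubjectPublicKeyInfo) from a private key, a CSR, or a signed
# certificate. All three agree only while the same key pair is reused,
# which is what renewing with a consistent CSR guarantees.
set -eu

# Print the lowercase SHA-256 hex digest of the DER bytes read on stdin
# (sed strips the "(stdin)= " / "SHA256(stdin)= " prefix openssl adds).
spki_sha256() {
    openssl dgst -sha256 | sed 's/^.*= *//'
}

# 3 1 1 digest of the public half of a private key file.
tlsa_311_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | spki_sha256
}

# 3 1 1 digest of the public key carried by a CSR.
tlsa_311_from_csr() {
    openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | spki_sha256
}

# 3 1 1 digest of the public key in a signed certificate; this is the
# value a renewed certificate must reproduce for the published record
# to keep validating.
tlsa_311_from_cert() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | spki_sha256
}

# Zone-file line (assumed format): tlsa_record <domain> <port> <cert.pem>
tlsa_record() {
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$1" "$(tlsa_311_from_cert "$3")"
}

# Returns non-zero when a certificate about to be installed was not
# signed for the key whose digest is already in DNS (e.g. a fresh
# certbot CSR with a new key pair), so the install step can refuse it.
check_renewal() {
    [ "$(tlsa_311_from_key "$1")" = "$(tlsa_311_from_cert "$2")" ]
}

if [ "$#" -eq 3 ]; then
    tlsa_record "$@"
fi
```

Run it as `./tlsa.sh example.com 443 /etc/ssl/letsencrypt/live/example.com/cert.pem` to print the record, or call check_renewal from a renewal hook before the symlink is switched.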