Getting certificates
Get a token that can do this
Head to the desec-zones repository and create a token whose permissions are restricted to the records certbot has to change (the `_acme-challenge` TXT records for the domains in question), not a full-access account token.
Write the token in a secure place

```shell
sudo mkdir -p /etc/letsencrypt/secrets
sudo chmod go-rwX /etc/letsencrypt/secrets
echo "dns_desec_token = $TOKEN" | sudo tee /etc/letsencrypt/secrets/desec.ini >/dev/null
sudo chmod 0600 /etc/letsencrypt/secrets/desec.ini
```
Run certbot to get a valid certificate

```shell
sudo certbot certonly \
  --no-eff-email --agree-tos \
  -m flosstools-admins+certificates@lists.flosstools.org \
  --key-type ecdsa \
  --authenticator dns-desec \
  --dns-desec-credentials /etc/letsencrypt/secrets/desec.ini \
  --dns-desec-propagation-seconds 120 \
  -d $DOMAIN -d $OTHERDOMAIN
```
Depending on your webserver, you can either use `certonly` (certbot only obtains the certificate and leaves deployment to you) or use `run --installer nginx`, which additionally rewrites the nginx configuration files for that domain to point at the new certificate.
A practical alias to set up (in `~/.bash_aliases`) is:

```shell
alias certbot_desec="sudo certbot certonly --no-eff-email --agree-tos -m flosstools-admins+certificates@lists.flosstools.org --key-type ecdsa --authenticator dns-desec --dns-desec-credentials /etc/letsencrypt/secrets/desec.ini --dns-desec-propagation-seconds 120"
```
… so that you can just:

```shell
$ certbot_desec -d $DOMAIN
```
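The steps above (write the credentials file, then call certbot with the same fixed set of options) can be wrapped in a few shell functions. The following is an added example, not part of the original page: it reads the token from stdin so it never appears in shell history or in a process listing (unlike `echo "... $TOKEN" | sudo tee`), creates the directory and file with restrictive modes from the start via `umask 077`, verifies the resulting permissions (certbot's DNS plugins warn when a credentials file is readable by other users), and builds the certbot command line from the alias for any number of `-d` domains. The functions take the target path as a parameter so the example can be exercised against a temporary directory without sudo; the real location is the page's `/etc/letsencrypt/secrets/desec.ini`.

```shell
#!/bin/sh
# Added example (not from the original page): deSEC credentials file for
# certbot's dns-desec plugin, written without exposing the token, plus a
# permission check and a command builder matching the page's certbot call.

# mode_of PATH: octal permission bits, GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# write_desec_credentials FILE
# Reads the token from stdin (e.g. piped from a password manager) and writes
# "dns_desec_token = <token>" to FILE. The parent directory is created 0700
# and the file 0600 from the outset (umask 077), so there is no window in
# which the token is world-readable. Fails on an empty token.
write_desec_credentials() {
    file=$1
    dir=$(dirname "$file")
    IFS= read -r token || return 1
    [ -n "$token" ] || { echo "write_desec_credentials: empty token" >&2; return 1; }
    (
        umask 077
        mkdir -p "$dir" && chmod 0700 "$dir" || exit 1
        printf 'dns_desec_token = %s\n' "$token" > "$file"
    ) || return 1
    chmod 0600 "$file"
}

# check_credentials_perms FILE
# Returns 0 only if FILE is mode 0600 and its directory is mode 0700.
check_credentials_perms() {
    file=$1
    [ "$(mode_of "$file")" = "600" ] || return 1
    [ "$(mode_of "$(dirname "$file")")" = "700" ] || return 1
    return 0
}

# certbot_desec_cmd CREDENTIALS_FILE DOMAIN [DOMAIN...]
# Prints the certbot invocation from the page with one "-d" per domain.
# Review the output, then run it under sudo; the token itself never
# appears here, only the path of the credentials file.
certbot_desec_cmd() {
    creds=$1; shift
    [ $# -ge 1 ] || return 1
    cmd="certbot certonly --no-eff-email --agree-tos"
    cmd="$cmd -m flosstools-admins+certificates@lists.flosstools.org"
    cmd="$cmd --key-type ecdsa --authenticator dns-desec"
    cmd="$cmd --dns-desec-credentials $creds --dns-desec-propagation-seconds 120"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

# Usage (constructed values; the token is a placeholder, not a real secret):
#   printf '%s\n' 'PLACEHOLDER_TOKEN' | sudo sh -c \
#       '. ./desec-creds.sh; write_desec_credentials /etc/letsencrypt/secrets/desec.ini'
#   certbot_desec_cmd /etc/letsencrypt/secrets/desec.ini example.org www.example.org
```

Piping the token from `pass show deSEC/certbot` (or whatever secret store is in use) into `write_desec_credentials` keeps it out of `~/.bash_history`; `check_credentials_perms` is a cheap thing to run from the same deployment script before invoking certbot, so a misconfigured umask is caught before the renewal run rather than showing up only as a warning in certbot's log.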