### Step 3: Make your DNS server allow dynamic updates
You must prove you own the domains you want a certificate for, so Let's Encrypt
requires you to host some DNS resource records.
This script generates those DNS records and writes them to your DNS server
using DNS dynamic update messages.
You therefore have to configure your DNS server to allow dynamic DNS
updates and create a TSIG key that is authorized to perform them.
The configuration of the script will need:
* the TSIG key name and value
* the algorithm used for the TSIG key (hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 or hmac-sha512; the list of algorithms depends on those known by the dnspython module)
* the DNS zone to update
* the address and the port of the DNS server
The simplest way to configure the script is to copy the `example.ini` file
from this repository and update values as needed.
**Be careful! Set read permissions correctly on the configuration file, because
it will contain the key authorized to modify your DNS configuration!**
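A pre-flight check for that warning, as an added example that is not part of acme-dns-tiny: it rejects a configuration file that is a symlink, is owned by another user, or is accessible to group/other, and it checks the TSIG algorithm name. The `TSIGKeyring` section and `Algorithm` option names are assumptions; match them to your copy of `example.ini`.

```python
import configparser
import os
import stat

# TSIG algorithm names from the list in Step 3
# (dnspython spells the last one hmac-sha512).
TSIG_ALGORITHMS = {"hmac-md5", "hmac-sha1", "hmac-sha224",
                   "hmac-sha256", "hmac-sha384", "hmac-sha512"}


def check_config(path, section="TSIGKeyring", option="Algorithm"):
    """Return a list of problems; an empty list means the file passed.

    `section` and `option` are assumed names: adjust them to the keys
    used in your copy of example.ini.
    """
    st = os.lstat(path)  # lstat: do not follow a symlink placed at `path`
    if not stat.S_ISREG(st.st_mode):
        return ["%s is not a regular file" % path]
    problems = []
    if st.st_uid != os.geteuid():
        problems.append("owned by uid %d, not by the user running the script"
                        % st.st_uid)
    # Any group/other bit lets another local account read or replace the key.
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access; use chmod 600" % mode)
    parser = configparser.ConfigParser()
    parser.read(path)
    algorithm = parser.get(section, option, fallback="").strip().lower()
    if algorithm not in TSIG_ALGORITHMS:
        problems.append("unknown TSIG algorithm %r" % algorithm)
    return problems


if __name__ == "__main__":
    import sys
    found = check_config(sys.argv[1])
    for problem in found:
        print("WARNING:", problem)
    sys.exit(1 if found else 0)
```

Run it against the configuration file before the ACME script, for example at the top of the renewal job, and stop the job on a non-zero exit code.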
### Step 4: Get a signed certificate!
Now that you have set up your server and generated all the needed files, run this
script on a computer containing your private account key, the CSR and the configuration.
```
python acme_dns_tiny.py example.ini > ./chain.pem
```
If everything went well, `chain.pem` contains your signed certificate followed by the
CA's certificate which signed yours.
### Step 5: Install the certificate
The certificate chain that is output by this script can be used along
with your private key to run any service on your server which needs TLS encryption.
You need to include both in the TLS settings of your services.
### Step 6: Set up an auto-renew cronjob
Congrats! Your server is now using TLS! Unfortunately, Let's Encrypt
certificates only last for 90 days, so you need to renew them often. No worries!
It's automated! Just make a bash script and add it to your crontab (see below
for an example script).
Example skeleton for a `renew_cert.sh` script:
```sh
#!/bin/bash
# Configuration
# You should use another directory as /tmp could be destroyed regularly
WORKINGDIR="/tmp/acme-dns-tiny"
# Pre-run script: configure a secure workspace using POSIX ACLs