Generating web SSL certificates

Domain Validated

Fully automated process solely based on DNS / infrastructure challenges.

Organization Validated

Checking organization in question.

Extended Validation

Additional checks, e.g. telephone-based verification.

provider "acme" {
  server_url = ""   # ACME directory URL; use the staging endpoint while testing
}

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

resource "acme_registration" "reg" {
  account_key_pem = tls_private_key.private_key.private_key_pem
  email_address   = ""
}

resource "acme_certificate" "certificate" {
  dns_challenge { ... }
}

# Example: the dns_challenge block selecting route53 as DNS provider
resource "acme_certificate" "certificate" {
  dns_challenge {
    provider = "route53"
  }
}

acme DNS provider list:

  • acme-dns

  • alidns

  • ...

  • rfc2136

  • ...

  • zonomi

dns_challenge {
  provider = "rfc2136"

  config = {
    RFC2136_NAMESERVER     = ""
    RFC2136_TSIG_ALGORITHM = "hmac-sha512"
    RFC2136_TSIG_KEY       = "goik.key."
    RFC2136_TSIG_SECRET    = file("../dnsupdatetoken.key")
  }
}

... updating zone '': 
  deleting rrset at '' TXT
... updating zone '': 
    adding an RR at '' TXT 
... deleting rrset at ... TXT
... adding an RR ... TXT "eJckWl2F43nsf27bzVOjcrTGp_VFeCj2qTVM5Uodg-4"
... deleting an RR at TXT
... updating zone ... deleting an RR ... TXT

exercise No. 13

Creating a web certificate



During configuration always use the staging URL rather than the production one for generating certificates. There are rate limits!

As an example we assume your group has write privileges to a zone. Follow the acme_certificate documentation, using Figure 1032, “rfc2136 provider configuration”, as your DNS provider configuration, to create a wildcard certificate for:

  • The zone apex



The subject_alternative_names attribute is your friend. The later web server certificate installation requires two files:

  • Private key file, e.g. private.pem.

  • Certificate file, e.g. certificate.pem.

Use resource "local_file" ... to generate this key pair in a sub folder gen of your current project.


Due to a DNS provider related issue you must use at least acme provider version v2.23.2. You are best off not specifying any version at all, thereby receiving the latest release automatically:

terraform {
  required_providers {
    hcloud = {
      source = "hetznercloud/hcloud"
    }
    acme = {
      source = "vancluever/acme"
    }
  }
  required_version = ">= 0.13"
}

exercise No. 14

Testing your web certificate


Create a host along with three corresponding DNS entries:




Your Terraform setup shall contain the following, allowing for an arbitrary number of DNS names:

dnsZone       = ""
serverNames   = ["www", "cloud"]

Install the Nginx web server. Modify the Nginx configuration to accept HTTPS requests using the certificate generated in Creating a web certificate.


The Nginx default configuration already contains a self-signed certificate, referred to by /etc/nginx/snippets/snakeoil.conf. In /etc/nginx/sites-available/default all SSL related statements are still commented out:

# SSL configuration
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
# include snippets/snakeoil.conf;

After modifying the above configuration check for correctness:

root@www:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Correct any misconfiguration issues before restarting Nginx:

systemctl restart nginx

Your current staging certificate will cause warnings. Point your browser to the three URLs anyway and overrule the certificate warnings to actually see the three pages. Inspect the certificate: you should find both the zone apex and the wildcard entry.

If your certificate is basically alright, re-generate it, this time using the production setting in Creating a web certificate. Don't forget to revert back to staging after completion. You may regret it otherwise!

Copy the generated certificate to your server again. This time your browser should present a flawless view with respect to the underlying certificate for all three URLs.

exercise No. 15

Combining certificate generation and server creation


Combine Creating a web certificate and Testing your web certificate into one Terraform configuration.