lets encrypt logo

This post describes how to download Let’s Encrypt SSL files onto your local machine using the certbot command line tool.

It assumes you have Docker installed. If you don’t, you can install certbot directly and adapt the instructions in this post accordingly.


  • Access to DNS settings for a domain <my-domain>, e.g. example.com
  • Local installation of Docker


Step 1

Set the directory that certbot will output the SSL files to inside the Docker container

export CERTBOT_DIR=/opt/certbot/my-output

and the directory where you would like the files to go on your local machine

export LOCAL_CERTBOT_DIR=/path/to/local/folder

Step 2

Run the certbot command via Docker to download the SSL files (including the certificate)

docker run --interactive --tty --volume $LOCAL_CERTBOT_DIR:$CERTBOT_DIR  \
certbot/certbot \
    -d <my-domain> \
    --manual \
    --agree-tos \
    --manual-public-ip-logging-ok \
    --email <my-email> \
    --logs-dir $CERTBOT_DIR \
    --config-dir $CERTBOT_DIR \
    --work-dir $CERTBOT_DIR \
    --preferred-challenges dns \

Step 3

After following the prompts, you will be instructed to deploy a DNS text record

Please deploy a DNS TXT record under the name _acme-challenge.<my-domain> with the following value:


Before continuing, verify the record is deployed. ------------------------------------------------------------------------------- Press Enter to Continue

Go into the DNS configuration of your domain registrar and create a new record

  • Type: TXT
  • Name: _acme-challenge
  • Value: <value>

Depending on your DNS provider, the name might be _acme-challenge or _acme-challenge.<my-domain> for Apex domains. If <my-domain> is a subdomain, e.g. www.example.com, the name could be _acme-challenge.www or _acme-challenge.www.example.com

Step 4

Verify the record has been added

dig -t txt _acme-challenge.<my-domain>

For example, dig -t txt _acme-challenge.www.example.com

(in the answer section, look for something like below)


_acme-challenge.<my-domain>. 300 IN TXT <value>

This can sometimes take a while, but once it’s done, press Enter

If successful, you will see something like

Congratulations! Your certificate and chain have been saved at:


Your key file has been saved at:


where fullchain.pem is the SSL certificate file and privkey.pem the SSL private key file.

Step 5

Check the SSL files are available locally

ls $LOCAL_CERTBOT_DIR/live/<my-domain>

(you might have to change to superuser first sudo su)