Introduction
When deploying SafeLine WAF in production, enabling HTTPS is essential to protect your applications and user data.
Let’s Encrypt provides free, automated SSL/TLS certificates, and SafeLine supports integration via the ACME protocol.
If your domain is managed by Microsoft DNS (commonly on Windows Server), you can still issue and renew Let’s Encrypt certificates. This guide explains how to configure it step by step.
Prerequisites
Before starting, make sure you have:
- A working SafeLine WAF instance
- Administrative access to your Windows Server running Microsoft DNS
- A domain name already pointing to your SafeLine server
- Internet connectivity from your SafeLine host
Step 1: Understand the Challenge Type
Let’s Encrypt validates your domain using either:
- HTTP-01 challenge (default, requires port 80/443 access)
- DNS-01 challenge (requires creating TXT records in your DNS zone)
When using Microsoft DNS, the DNS-01 challenge is recommended, because it works reliably even if HTTP traffic is filtered by SafeLine. But SafeLine currently doesn't support DNS-01 challenge yet.
Step 2: Locate the SafeLine Certificate Settings
On your SafeLine server:
- Go to the Admin Console (https://<your-safeline-domain>:9443/).
- Navigate to Settings → SSL Cert → Add Cert.
- Choose Get free cert.
SafeLine will provide you with the exact ACME challenge values that need to be placed in your DNS records.
Step 3: Create a DNS TXT Record in Microsoft DNS
On your Windows Server running DNS Manager:
- Open DNS Manager (dnsmgmt.msc).
- Select your domain zone (e.g., example.com).
- Create a new TXT record.
- Enter the record name and value shown in SafeLine, for example:
  Record Name: _acme-challenge.example.com
  Record Type: TXT
  Value: "random-token-provided-by-safeline"
- Save the record.
💡 Tip: Use nslookup -type=TXT _acme-challenge.example.com to verify that the record has propagated correctly.
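The same Step 3 procedure can be done from an elevated PowerShell session on the DNS server instead of clicking through DNS Manager. The script below is an added example, not part of the original article or of SafeLine's own tooling; it uses the DnsServer module cmdlets to replace any stale _acme-challenge record with the token SafeLine displayed, then checks the record both from the server itself and from a public resolver, which is the view Let's Encrypt will have. The zone name, token and resolver address are placeholders to replace with your own values.

```powershell
# Added example (not from the original article): publish the ACME TXT record on a
# Windows DNS server and confirm it is visible publicly before continuing in SafeLine.
# Assumptions: $ZoneName, $Token and $Resolver are placeholders; the token is the
# value shown in SafeLine's "Get free cert" dialog. Requires the DnsServer module
# (RSAT DNS tools) and an elevated session on the DNS server.

$ZoneName   = "example.com"                        # your DNS zone
$RecordName = "_acme-challenge"                    # relative name inside the zone
$Token      = "random-token-provided-by-safeline"  # value shown by SafeLine
$Resolver   = "1.1.1.1"                            # public resolver used to check propagation

# Remove any stale _acme-challenge TXT record so an old token does not sit beside the new one.
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -RRType Txt -ErrorAction SilentlyContinue
if ($existing) {
    $existing | Remove-DnsServerResourceRecord -ZoneName $ZoneName -Force
}

# Create the TXT record. A short TTL keeps the validation window and later token changes fast.
Add-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -Txt `
    -DescriptiveText $Token -TimeToLive (New-TimeSpan -Minutes 5)

# Check the record from the server's own view, then from a public resolver (what Let's Encrypt sees).
$fqdn   = "$RecordName.$ZoneName"
$local  = (Resolve-DnsName -Name $fqdn -Type TXT -ErrorAction SilentlyContinue).Strings
$public = (Resolve-DnsName -Name $fqdn -Type TXT -Server $Resolver -ErrorAction SilentlyContinue).Strings

if ($public -contains $Token) {
    Write-Host "OK: $fqdn publishes the expected token; continue the SafeLine setup."
} elseif ($local -contains $Token) {
    Write-Warning "Record exists locally but is not yet visible from $Resolver; wait for propagation and retry."
} else {
    Write-Error "TXT record not found. Check the zone name, the record name, and that this zone is the one served to the Internet."
}
```

Note that the public check only passes if the Microsoft DNS server you edited is authoritative for the zone on the Internet; if it only serves an internal copy of the zone, the record must be created on the public-facing DNS instead, which is the usual cause of the "Validation fails" case in Troubleshooting.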
Step 4: Validate and Issue the Certificate
Go back to the SafeLine Admin Console and continue the Let’s Encrypt setup.
SafeLine will query Let’s Encrypt to validate your domain via the DNS TXT record you created.
If the validation is successful, the certificate will be issued and automatically applied to your SafeLine instance.
Step 5: Automate Renewal
Let’s Encrypt certificates are only valid for 90 days. SafeLine automatically handles renewals as long as:
- The DNS TXT record remains valid.
- The SafeLine server can reach Let’s Encrypt services.
You do not need to repeat the manual setup unless your domain or DNS provider changes.
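Because renewal in Step 5 is meant to happen without intervention, a renewal that quietly fails is only noticed when clients start seeing certificate errors. The script below is an added example, not part of the original article or of SafeLine; it connects to the domain SafeLine protects, reads the certificate actually being served, and warns when fewer than a configurable number of days remain on the 90-day lifetime or when the issuer is not Let's Encrypt. Hostname, port and threshold are placeholders; run it from any machine that can reach the WAF, for instance as a scheduled task.

```powershell
# Added example (not from the original article): report the certificate SafeLine serves
# for a domain and warn when the 90-day Let's Encrypt certificate is close to expiry,
# so a silent renewal failure is caught early.
# Assumptions: $HostName, $Port and $WarnDays are placeholders; the WAF is reachable on that port.

param(
    [string]$HostName = "example.com",
    [int]$Port = 443,
    [int]$WarnDays = 14
)

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    # The validation callback returns $true so that even a mis-issued or self-signed
    # certificate can be inspected; the checks below are what we care about.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName, so the right cert is returned
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

[pscustomobject]@{
    Host     = $HostName
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer
    NotAfter = $cert.NotAfter
    DaysLeft = $daysLeft
}

if ($daysLeft -le $WarnDays) {
    Write-Warning "Certificate for $HostName expires in $daysLeft days; SafeLine renewal may be failing. Check the _acme-challenge TXT record and outbound reachability to Let's Encrypt."
}
if ($cert.Issuer -notmatch "Let's Encrypt") {
    Write-Warning "Certificate for $HostName was not issued by Let's Encrypt; SafeLine may be serving a different (possibly self-signed) certificate."
}
```

Let's Encrypt renews well before the 90-day mark, so a certificate that drops under two weeks of validity is a reliable sign that renewal has stopped working and the two conditions listed in Step 5 should be checked.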
Troubleshooting
- Validation fails: Check that the TXT record is correct and publicly resolvable. Use:
nslookup -type=TXT _acme-challenge.example.com
- Propagation delay: Some DNS changes take time to update globally. Wait a few minutes and retry.
- Conflicts with other services: Ensure your domain resolves to your SafeLine server correctly.
Conclusion
By following these steps, you can successfully configure a Let’s Encrypt certificate with Microsoft DNS in SafeLine WAF.
This ensures encrypted communication for your applications, with automated renewals and minimal maintenance.