A how to setup to swap to wildcard on Centos7

This is a How to setup and swap to a wildcard cert on centos 7 with BIND and rfc2136 authenticator plugin

Start by reading the doc page at Welcome to certbot-dns-rfc2136’s documentation! — certbot-dns-rfc2136 0 documentation

This setup assumes that you are running your own master nameserver using at least BIND 9.11 or above. A bug was fixed in that version forward which would cause dynamic updates to behave erratically or not complete or clean up without restarting BIND.

This is for CENTOS 7, RHEL 7 or FEDORA with BIND setup as /var/named using an Apache setup as /etc/httpd. These versions have a dynamic nameserver configured out of the box when you put the zone and key files in the /var/named/dynamic directory. It also assumes that you are running "views" - external and internal

The cPanel version of Centos 7 is really its own distribution and this does NOT cover cPanel because it has proprietary scripts which keep it running and interfere, the webserver is different and only cPanel personnel can support cPanel.

I would recommend a stripped VPS with Centos 7 and Webmin for a front-end or manual work in the file system with WINSCP, Putty and EditPadLite to edit files where Webmin tries also to do things you do not want or can't do with it.

This setup. uses a CNAME setup for an "_acme_challenge_yourdomain. tld. db" SOA (Start Of Authority) zone file that MUST be placed in the /var/named/dynamic directory. Obviously "yourdomain.tld" is the name of the domain you are configuring

Using the doc page above open a terminal window as root and change to the /var/named/dynamic directory and run the command to generate the key. I use Win SCP with Putty incorporated and EditPadLite, but you can use any method that you are comfortable with to then make named the owner and group and change the permissions to RW-R--R-- If you don't dynamic updates will fail.

Next you a create the credentials.ini file in the same directory or you can put it off in a hidden secrets directory similar to like the doc shows. The new doc page calls it the rfc2136.ini I used the private key. If you are hosting multiple domains you will need a separate credentials file for each one like credentials.ini and credentials2.ini et cetera with a new key for each. I use like an underscore and three letters in place of a number so I can tell which domain name is the one it belongs to. You can call the file rfc2136.ini or credentials.ini but be consistent. Running the keygen will change your "keyname." to Kkeyname." The period is critical - and keep it short under 8 characters.

Next edit the /etc/named.conf as the doc file shows and this sample example shows below. Use the same key

view "internal" {

zone "yourdomain.tld" {
type master;
file "/var/named/yourdomain.tld.db";
allow-transfer { your other nameserver ip; };

key "Kkeyname." {
algorithm hmac-sha512;
secret "31ZkmWg9jclR9kpxZziimTXhNhFLNpLH906jG4dEkxxxYbNl5LpPzzP0vDV0kzt0SabllEQg7pqCe8fcQu1t1Q==";

zone "_acme-challenge.yourdomain.tld" IN {
type master;
file "/var/named/dynamic/_acme-challenge.yourdomain.tld.db";
allow-transfer { your other nameserver ip; };
check-names ignore;
update-policy {
grant Kkeyname. name _acme-challenge.yourdomain.tld. txt;


view "external" {

zone "yourdomain.tld" {
type master;
file "/var/named/yourdomain.tld.db";
allow-transfer { your other nameserver ip; };

zone "_acme-challenge.yourdomain.tld" IN {
in-view "internal";


In the main zone file usually in the /var/named directory add this to the zone file as the last "IN" statement.

_acme-challenge.yourdomain.tld. 14400 IN CNAME yourdomain.tld.

This is what the SOA zone file looks like in the /var/named /dynamic directory. Name it

$TTL 86400 ; 1 day
_acme-challenge.yourdomain.tld IN SOA ns1.yourdomain.tld. no-reply.main.yourdomain.tld. (
2016122416 ; serial
3600 ; refresh (1 hour)
1800 ; retry (30 minutes)
2419200 ; expire (4 weeks)
86400 ; minimum (1 day)
NS ns1.yourdomain.tld.
NS ns2.yourdomain.tld.
$TTL 14400 ; 4 hours
A your nameserver ip 1
A your nameserver ip 2
$ORIGIN _acme-challenge.yourdomain.tld.
localhost A

Restart named - assuming you did not miss any periods or syntax, it should restart

Now assuming you have setup your credentials file, and your system has the latest cerbot installed run the command below (assuming you put the credentials file in the directory /var/nameddynamic/.secrets )

certbot certonly --dry-run --cert-name yourdomain.tld --dns-rfc2136 --dns-rfc2136-credentials /var/nameddynamic/.secrets/credentials.ini -d "*.yourdomain.tld" -d yourdomain.tld --server https://acme-v02.api.letsencrypt.org/directory

You should get a response like this

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org

You are updating certificate yourdomain.tld to include new domain(s):

  • *.yourdomain.tld

You are also removing previously included domain(s):

Did you intend to make this change?

(U)pdate certificate/(C)ancel: U
Simulating renewal of an existing certificate for *.yourdomain.tld and yourdomain.tld
Performing the following challenges:
dns-01 challenge for yourdomain.tld
dns-01 challenge for yourdomain.tld
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges


  • The dry run was successful.

Using the --cert-name option is the only way to remove multiple server alias certs and upgrade to a wildcard cert instead without creating a new "-0001" directory and leaving the cert to expire where the bot will send expiry notices
If you trust the apache installer, and you are sure you have no existing SSL setup use the "-i apache" switch behind the --dry-run command See --cert-name vs --expand

once good to go change the "--dry-run" to "--force-renewal" to replace the existing cert with a wildcard cert and run it again and this time it will confirm the account and return:


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your certificate will expire on xxx-xx-xx. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again. To non-interactively renew all of your
    certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

If you already have the cert setup in a SSL.conf in apache - you only need to open the httpd.conf and ssl.conf and add a "ServerAlias *.yourdomain.tld" and restart httpd. It is saved to the existing cert directory and the path pointer to it knows no different except now it is a wildcard cert

If you have a cron job set to run "certbot renew" at least monthly it will keep your cert up to date

HOWEVER Centos 7 is still leaving the cleanup jnl file and sometimes the TXT entry - so you may need to run "rndc sync -clean" or build a shell script with certbot renew to run as the cron job to run it after updates

While the procedure is similar among all Linux type distros some do not have dynamic nameservers setup so it is a whole other animal to get those and the permissions working so the DNS-01 challenge can work, also other plug-ins are set up differently if you are using a commercial DNS service. Thus this is only for the narrow setup mentioned above to work exactly