Automatic renewal, DNS API access


#1

Today I used a script (dl.eff.org/certbot-auto) to install a wildcard certificate on my Raspberry Pi and that went without problems.

Unfortunately, from what I’ve read I have to manually recreate the TXT record for verification with every renewal, something I would like to be done automatically with a script.

Since I have API access, I wrote a PHP script that uses CMD_API_DNS_CONTROL to add a TXT DNS record using values entered in the URL to the PHP-script.
Unfortunately I have yet to figure out how to delete old TXT records that way. Apparently adding a TXT-record with the same name doesn’t overwrite the old one and the delete-examples I found were written for other types of records, I can’t get those to work…

Plus, how can I get the certbot-auto script to call the PHP-script? --help doesn’t show the options --manual-auth-hook and --manual-cleanup-hook, if those can’t be used, then what?


#2

Hi,

You should use manual-auth hook to run the script… (The script runs when need to validate / set records )

The manual clean up hook usually used when you need to remove the values from txt records…

Those hooks can be used, but only in manual mode… Hense it might not be listed.

Thank you


#3

It’s listed if you type ./certbot-auto --help manual


#4

Ah, I see them, thanks :slight_smile:

Now to figure out how to edit/delete/overwrite an existing TXT-record, adding one was easy, getting rid of it, not so much.

https://www.directadmin.com/features.php?id=504 and http://forum.directadmin.com/showthread.php?t=43100&p=218735#post218735 haven’t been of help, keep getting syntax related errors. Unfortunately sources for things like this are very hard to find.


#5

Since the dry run of certbot-auto ends successfully, it looks like that I’ve got 1 PHP and 2 Bash scripts working perfectly to do an automatic renewal :slight_smile:

There’s one thing I’m wondering about though. Is the name of the TXT-record always _acme-challenge.mydomainname.com, it’s just the value that’s different? Couldn’t find a variable with the TXT-records name in it, just the value, so I hardcoded the name.


#6

Yep, _acme-challenge is hard-coded in the ACME draft.

The only variation is that if you requested a certificate for www.example.org, then the validation record would be for _acme-challenge.www.example.org rather than just _acme-challenge.example.org.

https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks demonstrates how you can construct the DNS label you need to update:

CREATE_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"

#7

Okay :slight_smile:

I’m only interested in *.mydomainname.com, for www.mydomainname.com I currently don’t have to do anything because there’s already a Let’s Encrypt certificate on the webserver at the hoster. The wildcard-certificate is only being used within my network.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.