Automatic renewal hooks for Freemyip.com

I want to be able to renew my certificate for the domain and the level under it (wildcard) for the service Freemyip.com.

There are two problems I face that I don't know how to tackle.

  1. Let's Encrypt sends the challenges for all the subject names, and Certbot demands that the TXT records be in place for all requested domains before validating them.

  2. Freemyip only allows a single TXT record for each domain at a time. Hence Certbot/Let's Encrypt fails to complete the challenges.

So if I want automatic renewal for *.domain.freemyip.com and domain.freemyip.com, the challenges fail because my authenticator hook updates the TXT record a second time before Certbot/Let's Encrypt can confirm it. For both domains, Let's Encrypt asks for a TXT record at _acme-challenge.domain.freemyip.com.

I've already confirmed that it works if I only request the renewal for one domain. It would be nice to skip having to do this manually every third month. Any ideas as to how I can achieve that?

I have already tried the HTTP challenge, and I guess it makes sense, but then Let's Encrypt says it won't accept that. And I've tried turning off --preferred-challenges, but it seems to really like using mainly the TXT confirmation method.

Welcome to the community @MiyasakiYoshi

A DNS Challenge is required for a wildcard cert. One option is that if you don't absolutely need a wildcard you could use the HTTP Challenge. A cert can have up to 100 domain names in it.

As for your one-TXT-record-at-a-time problem, two options come to mind:
One, use a different DNS provider that supports what you want to do.

Two, run Certbot twice. The first time, just request one name. When successful, Let's Encrypt caches the successful result for that domain and your account. Then, on the second run, do both domain names. But make sure your authenticator hook only does the one TXT record for the second name. The cached result and the TXT record should allow a cert with both domains. I'm pretty sure this would work.


Two more options:

  1. Pick an ACME client which submits challenges one-by-one. lego is one that does this and supports freemyip.com.
  2. You can actually mix challenge types in Certbot's manual authenticator. If your webserver is accessible from the internet, you can get Certbot to use the HTTP challenge for the base domain and the DNS API for the wildcard. I had a go at writing such a hook below; it seems to work fine and should work for automatic renewal as well.

You can call it with:

```bash
certbot certonly --preferred-challenges http,dns --manual \
--manual-auth-hook "/path/to/freemyip.sh auth" \
--manual-cleanup-hook "/path/to/freemyip.sh cleanup" \
-d certbot-test.freemyip.com -d "*.certbot-test.freemyip.com"
```

Make sure to chmod +x the script. The contents are below; you'll need to modify the token and the webroot of your domain:

```bash
#!/usr/bin/env bash
# Certbot manual hook for freemyip.com that handles both challenge types.
# Certbot sets CERTBOT_TOKEN only for the HTTP-01 challenge, so its presence
# selects the webroot branch; otherwise the DNS-01 TXT record is published
# through the freemyip.com update API.
set -euo pipefail

FREEMYIP_TOKEN="your-freemyip-token"
WEBROOT_DIRECTORY="/path/where/your/website/files/are"

auth() {
    shift  # drop the "auth" argument passed through by the dispatcher
    if [[ -v CERTBOT_TOKEN ]]; then
        # HTTP-01: serve the key authorization at the well-known path.
        mkdir -p "$WEBROOT_DIRECTORY/.well-known/acme-challenge/"
        echo "$CERTBOT_VALIDATION" > "$WEBROOT_DIRECTORY/.well-known/acme-challenge/$CERTBOT_TOKEN"
    else
        # DNS-01: freemyip.com keeps a single TXT record per name, so this
        # overwrites whatever was there. --fail makes an API error abort the
        # hook so Certbot reports it instead of validating a record that was
        # never set.
        curl -fsS "https://freemyip.com/update?token=$FREEMYIP_TOKEN&domain=_acme-challenge.$CERTBOT_DOMAIN&txt=$CERTBOT_VALIDATION"
        # Give the record time to become visible before Certbot asks the CA
        # to validate it.
        sleep 60
    fi
}

cleanup() {
    shift  # drop the "cleanup" argument passed through by the dispatcher
    if [[ -v CERTBOT_TOKEN ]]; then
        rm -f "$WEBROOT_DIRECTORY/.well-known/acme-challenge/$CERTBOT_TOKEN"
    else
        # Clear the TXT record so the next run does not start from a stale value.
        curl -fsS "https://freemyip.com/update?token=$FREEMYIP_TOKEN&domain=_acme-challenge.$CERTBOT_DOMAIN&txt="
    fi
}

# Dispatch on the first argument ("auth" or "cleanup"), defaulting to auth.
declare -A COMMANDS=(
    [auth]=auth
    [cleanup]=cleanup
)

"${COMMANDS[${1:-auth}]:-${COMMANDS[auth]}}" "$@"
```
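An added example, written here and not part of the thread's hook, for the weakest spot in the DNS branch: the fixed sleep 60. Because freemyip.com keeps a single TXT record per name, a lookup that merely finds a record proves nothing; the value left over from the previous run looks exactly like success. The function below polls a resolver until the record carries the value Certbot passed in, and fails the hook on timeout so Certbot aborts instead of sending the CA to validate a record that has not appeared. The RESOLVER default, the TXT_LOOKUP override used for offline testing, and the constructed answers in the test are my assumptions, not anything freemyip.com or Certbot prescribe.

```bash
#!/usr/bin/env bash
# Added example, not part of the thread's hook: replace the fixed `sleep 60`
# in the DNS branch with a poll that returns only once the public TXT record
# carries the value Certbot handed us. freemyip.com keeps one TXT record per
# name, so a record merely existing proves nothing; it may be last run's value.
# Assumptions: `dig` is installed; RESOLVER and TXT_LOOKUP are knobs I added.
set -u

# Resolver to ask. Pointing this at the zone's authoritative server (see
# `dig NS freemyip.com`) sidesteps recursive-resolver caches; 1.1.1.1 is an
# assumed default, not something freemyip.com or Certbot prescribe.
RESOLVER="${RESOLVER:-1.1.1.1}"

# Print the TXT records for a name, one per line, as `dig +short` does.
# TXT_LOOKUP names a replacement function so the wait logic can be tested
# offline with constructed answers.
lookup_txt() {
    local name="$1"
    if [ -n "${TXT_LOOKUP:-}" ]; then
        "$TXT_LOOKUP" "$name"
    else
        dig +short TXT "$name" "@$RESOLVER"
    fi
}

# wait_for_txt NAME EXPECTED [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 as soon as some TXT record for NAME equals EXPECTED, 1 on timeout.
# A lookup error counts as "not there yet" rather than as failure.
wait_for_txt() {
    local name="$1" expected="$2"
    local timeout="${3:-120}" interval="${4:-5}"
    local deadline records rec
    deadline=$(( $(date +%s) + timeout ))
    while :; do
        records=$(lookup_txt "$name") || records=""
        # dig prints TXT data in double quotes; strip them before comparing.
        while IFS= read -r rec; do
            rec="${rec#\"}"; rec="${rec%\"}"
            if [ "$rec" = "$expected" ]; then
                return 0
            fi
        done <<EOF
$records
EOF
        if [ "$(date +%s)" -ge "$deadline" ]; then
            return 1
        fi
        sleep "$interval"
    done
}

# Drop-in for the `else` branch of auth(): publish, then block until visible.
# A non-zero exit makes Certbot abort with the hook's output instead of
# sending the CA to validate a record that has not appeared.
dns_auth() {
    local name="_acme-challenge.$CERTBOT_DOMAIN"
    curl -fsS "https://freemyip.com/update?token=$FREEMYIP_TOKEN&domain=$name&txt=$CERTBOT_VALIDATION" >/dev/null
    wait_for_txt "$name" "$CERTBOT_VALIDATION" 180 10
}
```

To use it, paste the functions into the hook script and call dns_auth in place of the curl/sleep pair. Comparing the record's content rather than its presence is what matters with a one-record provider: the cleanup hook normally blanks the value, but if a previous run died before cleanup, the old validation string is still published, and a presence check would return early and let the challenge fail.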

Amazing help. Way better than my script. I was thinking of exactly such a solution, but gave up the idea thinking certbot wouldn't allow automatic renewal with both http and dns. Genius.

Thank you so much! The dry run was successful!

