You write:
[quote="_az, post:8, topic:128606"]
webroot and nginx cannot be used for wildcard certificates. You must use the DNS Made Easy plugin, or otherwise --manual with an authentication hook/script (automatic renewal), or without (no automatic renewal).
[/quote]
I issued a wildcard with the manual and nginx plugins (certbot run -a manual -d *.angelluc.be -d angelluc.be -i nginx), for which I had to create a DNS TXT entry and a file in the webroot. Can I, and if yes, how can I update that to automatic renewal with an authentication hook/script? What does such a script look like?
I have moved your post to a new thread, as it is a separate issue.
In order to automatically renew your wildcard certificate, the authentication hook would need to deploy the TXT record to your nameservers (rzone.de ones) at every renewal somehow.
I am not familiar with your DNS host, so I don’t know whether it’s possible. Often DNS hosts provide some kind of HTTP API or ability to use nsupdate to do so.
If you could instead create a non-wildcard certificate (like angelluc.be+www.angelluc.be+whatever.angelluc.be), that would be easier to automatically renew. However, if you really do need a wildcard, then your authentication hook would need some way to integrate with your rzone.de DNS hosting.
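As an added illustration of the authentication hook described above (this script is not from the thread or from certbot itself), here is a DNS-01 hook for a DNS host that accepts RFC 2136 dynamic updates via nsupdate with a TSIG key. It relies only on the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables certbot sets for --manual-auth-hook and --manual-cleanup-hook; DNS_SERVER, TSIG_KEY_FILE and PROPAGATION_WAIT are placeholders you must adapt to your own host, and a host without nsupdate support would need its HTTP API in place of the nsupdate call.

```shell
#!/bin/sh
# certbot DNS-01 hook (added example; assumes the zone's primary nameserver
# accepts nsupdate with a TSIG key). Invoke as:
#   --manual-auth-hook "/path/hook.sh auth" --manual-cleanup-hook "/path/hook.sh cleanup"
set -eu

DNS_SERVER="${DNS_SERVER:-ns.example.invalid}"               # placeholder
TSIG_KEY_FILE="${TSIG_KEY_FILE:-/etc/letsencrypt/tsig.key}"  # placeholder
TTL=60
PROPAGATION_WAIT="${PROPAGATION_WAIT:-30}"                   # seconds; tune for your host

# challenge_name DOMAIN -> fully qualified "_acme-challenge.<base domain>."
# A wildcard "*.example.com" is validated at the base name, so strip a leading "*.".
challenge_name() {
  domain="${1#\*.}"
  printf '_acme-challenge.%s.\n' "$domain"
}

# build_update ACTION DOMAIN TOKEN -> nsupdate command text on stdout.
# ACTION is "add" or "delete". The add path never deletes first: a wildcard
# and its apex on one certificate produce two TXT records under the same
# name, and both must exist when Let's Encrypt queries.
build_update() {
  action="$1"
  name=$(challenge_name "$2")
  token="$3"
  printf 'server %s\n' "$DNS_SERVER"
  printf 'update %s %s %s IN TXT "%s"\n' "$action" "$name" "$TTL" "$token"
  printf 'send\n'
}

# Only run the update when invoked by certbot (CERTBOT_DOMAIN is then set).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  case "${1:-auth}" in
    auth)
      build_update add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY_FILE"
      sleep "$PROPAGATION_WAIT"   # give secondaries time before validation
      ;;
    cleanup)
      build_update delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY_FILE"
      ;;
  esac
fi
```

The cleanup hook removes only the exact TXT value it added, so the other record for the paired wildcard/apex challenge survives until its own cleanup runs.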
Thank you for your quick response. Is it easier to, as you said, issue a non-wildcard certificate, and if I create a subdomain, issue a certificate for that subdomain separately?
No, not if you use the http-01 challenge (which is used by the --nginx option). The renewal option will issue a new certificate for you with the exact same list of hostnames (which is called a "renewal"), put it in the same directory as the old one in /archive/ and will update the symbolic links in /live/ to link to the newly issued certificate. Nothing is deleted, only added and updated.
If you want to add more hostnames to the certificate, you can use the --expand option: use the same command you've used to issue your previous certificate, but now add --expand and the new hostname with an extra -d option.
Thank you Osiris.
Still not clear, because the original certificate was issued with the manual plugin (certbot run -a manual -d *.angelluc.be -d angelluc.be -i nginx), which makes auto-renewal difficult, so I only want to use nginx this time. When I use renewal, does it override it from manual to only nginx?
@Angelluc I’m not entirely sure if you can just run certbot renew --nginx, for example. If you want to change from --manual to --nginx, I would advise following these steps, just to be sure:
run certbot certificates and notice the certificate name and hostnames included in the certificate
run certbot again for those hostnames, but to make sure certbot doesn’t generate a new certificate alongside the already existing one, use --cert-name thecertnameyoufoundearlier and --nginx. For example, if your cert was called example.com and the hostnames included were foo.example.com and bar.example.com, you would run: certbot --nginx --cert-name example.com -d foo.example.com -d bar.example.com
Now you should be able to run certbot renew in the future!