Automatic renewal of --manual wildcard certificate

Hello @_az

You write:
[quote="_az, post:8, topic:128606"]
webroot and nginx cannot be used for wildcard certificates. You must use the DNS Made Easy plugin, or otherwise --manual with an authentication hook/script (automatic renewal), or without (no automatic renewal).
[/quote]

I issued a wildcard with the manual and nginx plugin (certbot run -a manual -d * -d -i nginx), for which I had to issue a DNS TXT entry and a file in the webroot. Can I update that to automatic renewal with an authentication hook/script, and if yes, how? What does such a script look like?

I have moved your post to a new thread, as it is a separate issue.

In order to automatically renew your wildcard certificate, the authentication hook would need to deploy the TXT record to your nameservers ( ones) at every renewal somehow.

I am not familiar with your DNS host, so I don’t know whether it’s possible. Often DNS hosts provide some kind of HTTP API or ability to use nsupdate to do so.

If you could instead create a non-wildcard certificate (like, that would be easier to automatically renew. However, if you really do need a wildcard, then your authentication hook would need some way to integrate with your DNS hosting.
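To make the "authentication hook" concrete, here is an added example (not code from the thread or from certbot itself) of a --manual-auth-hook that publishes the DNS-01 TXT record with nsupdate, which is one of the two mechanisms mentioned above. It assumes your nameserver accepts TSIG-signed RFC 2136 dynamic updates; NSUPDATE_SERVER and NSUPDATE_KEYFILE are placeholders for your own zone.

```shell
#!/bin/sh
# Added example (not from the thread): certbot --manual-auth-hook that
# publishes the DNS-01 TXT record with nsupdate (RFC 2136). Placeholders:
# NSUPDATE_SERVER and NSUPDATE_KEYFILE (a TSIG key) must match your zone.
set -eu

NSUPDATE_SERVER="${NSUPDATE_SERVER:-ns1.example.invalid}"      # placeholder
NSUPDATE_KEYFILE="${NSUPDATE_KEYFILE:-/etc/certbot/tsig.key}"  # placeholder
TXT_TTL=60

# Build the nsupdate batch for one validation. Certbot exports
# CERTBOT_DOMAIN (the name being validated; for *.example.com this is
# example.com) and CERTBOT_VALIDATION (the token to publish).
build_update() {
    domain="$1"; token="$2"; action="$3"     # action: add | delete
    name="_acme-challenge.${domain}."
    printf 'server %s\n' "$NSUPDATE_SERVER"
    if [ "$action" = "add" ]; then
        # "add" rather than "delete + add": the wildcard and the apex are
        # validated under the same _acme-challenge name in one run, so
        # both TXT values must coexist until cleanup.
        printf 'update add %s %s TXT "%s"\n' "$name" "$TXT_TTL" "$token"
    else
        printf 'update delete %s TXT "%s"\n' "$name" "$token"
    fi
    printf 'send\n'
}

# Let's Encrypt queries from outside, so wait until a public resolver
# sees the record before handing control back to certbot.
wait_for_record() {
    name="_acme-challenge.$1"; token="$2"; tries=0
    while [ "$tries" -lt 30 ]; do
        dig +short TXT "$name" @1.1.1.1 | grep -Fq "\"$token\"" && return 0
        tries=$((tries + 1)); sleep 5
    done
    echo "$name not visible after 150s" >&2
    return 1
}

# Invoked by certbot; first argument selects add (auth) or delete (cleanup).
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    action="${1:-add}"
    build_update "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$action" \
        | nsupdate -k "$NSUPDATE_KEYFILE"
    if [ "$action" = "add" ]; then
        wait_for_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    fi
fi
```

The same file serves both hooks: `--manual-auth-hook "/path/hook.sh add" --manual-cleanup-hook "/path/hook.sh delete"`, after which `certbot renew` can run unattended.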

Thank you for your quick response. Is it easier to, as you said issue a non-wildcard certificate, and if I create a subdomain issue a certificate for that subdomain separately?

You can issue one certificate with up to 99 subdomains, if you want.

certbot --nginx -d -d \
-d -d

Or separate certificates, if that fits you better.

certbot --nginx -d
certbot --nginx -d


Or can I just add the subdomain to the certificate the moment I have created it?

Haha same time, thx great!

Oh and can I just renew the certificate by using the “renew” flag or do I need to delete the old one and then create the new one?

No, not if you use the http-01 challenge (which is used by the --nginx option). The renewal option will issue a new certificate for you with the exact same list of hostnames (which is called a “renewal”), put it in the same directory as the old one in /archive/ and will update the symbolic links in /live/ to link to the newly issued certificate. Nothing is deleted, only added and updated.

If you want to add more hostnames to the certificate, you can use the --expand option: use the same command you’ve used to issue your previous certificate, but now add --expand and the new hostname with an extra -d option.

Thank you Osiris.
Still not clear, because the original certificate was issued with the manual plugin (certbot run -a manual -d * -d -i nginx), which makes auto renewal difficult. So I only want to use nginx this time: when I use renewal, does it override it from manual to only nginx?

@Angelluc I’m not entirely sure if you can just run certbot renew --nginx for example. If you want to change from --manual to --nginx, I would advise following the next steps, just to be sure:

  • run certbot certificates and notice the certificate name and hostnames included in the certificate
  • run certbot again for those hostnames, but to make sure certbot doesn’t generate a new certificate alongside the already existing one, use --cert-name thecertnameyoufoundearlier and --nginx. For example, if your cert was called and the hostnames included were and, you would run: certbot --nginx --cert-name -d -d

Now you should be able to run certbot renew in the future!


Goodday @Osiris,

I performed what you suggested and indeed in this way the certificate could be updated easily.
Thank you!
