Automatic renewal of --manual wildcard certificate

Hello @_az

You write:
quote="_az, post:8, topic:128606"]
webroot and nginx cannot be used for wildcard certificates. You must use the DNS Made Easy plugin, or otherwise --manual with an authentication hook/script (automatic renewal), or without (no automatic renewal).
[/quote]

I issued a wildcard with the manual and nginx plugin ( certbot run -a manual -d *.angelluc.be -d angelluc.be -i nginx) for which I had to issue a DNS TXT entry and a file in the webroot, can I and if yes how can I update that to automatic renewal with an authentication hook/script (automatic renewal)? How does such a script look like?

I have moved your post to a new thread, as it is a separate issue.

In order to automatically renew your wildcard certificate, the authentication hook would need to deploy the TXT record to your nameservers (rzone.de ones) at every renewal somehow.

I am not familiar with your DNS host, so I don’t know whether it’s possible. Often DNS hosts provide some kind of HTTP API or ability to use nsupdate to do so.

If you could instead create a non-wildcard certificate (like angelluc.be+www.angelluc.be+whatever.angelluc.be), that would be easier to automatically renew. However, if you really do need a wildcard, then your authentication hook would need some way to integrate with your rzone.de DNS hosting.

Thank you for your quick response. Is it easier to, as you said issue a non-wildcard certificate, and if I create a subdomain issue a certificate for that subdomain separately?

You can issue one certificate with upto 99 subdomains, if you want.

certbot --nginx -d angelluc.be -d www.angelluc.be \
-d third.angelluc.be -d fourth.angelluc.be

Or separate certificates, if that fits you better.

certbot --nginx -d angelluc.be
certbot --nginx -d second.angelluc.be

etc

Or can I just add the subdomain to the certificate the moment I have created it?

Haha same time, thx great!

Oh and can I just renew the certificate by using the “renew” flag or do I need to delete the old one and then create the new one?

No, not if you use the http-01 challenge (which is used by the --nginx option). The renewal option will issue a new certificate for you with the exact same list of hostnames (which is called a “renewal”), put it in the same directory as the old one in /archive/ and will update the symbolic links in /live/ to link to the newly issued certificate. Nothing is deleted, only added and updated.

If you want to add more hostnames to the certificate, you can use the --expand option: use the same command you’ve used to issue your previous certificate, but now add --expand and the new hostname with an extra -d option.

Thank you Osiris.
Still not clear because the original issued certificate was with the plugin manual (certbot run -a manual -d *.angelluc.be -d angelluc.be -i nginx) which makes auto renewal difficult so I only want to use nginx this time so when I use renewal does it override it from manual to only nginx?

@Angelluc I’m not entirely sure if you can just run certbot renew --nginx for example. If you want to change from --manual to --nginx, I would advice to follow the next steps, just to be sure:

  • run certbot certificates and notice the certificate name and hostnames included in the certificate
  • run certbot again for those hostnames, but to make sure certbot doesn’t generate a new certificate along side the already existing one, use --cert-name thecertnameyoufoundearlier and --nginx. For example, if your cert was called example.com and the hostnames included were foo.example.com and bar.example.com, you would run: certbot --nginx --cert-name example.com -d foo.example.com -d bar.example.com

Now you should be able to run certbot renew in the future!

1 Like

Goodday @Osiris,

I performed what you suggested and indeed in this way the certificate could be updated easily.
Thank you!

Luc

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.