Automatically renew the certificate without control on domain DNS?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

I usually follow the step from the third to renew the certificate every 3 months

https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress

It produced this output:

The renewal is usually successful, I need some help to make it automatic also because I have a complicated situation.

My web server is (include version):

It's an AWS Lightsail instance with bitnami WP image.

The operating system my web server runs on is (include version):

Is it relevant?

My hosting provider, if applicable, is:

Self-hosted in AWS Lightsail instance with bitnami WP image.

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Until now I have been renewing the certificate every 3 months completing the DNS challenge. The problem is that we don't self-manage the DNS of the domain and I have to send the records to the IT support company and they will insert them. This process is a little bit long and annoying and I have to stay with the console hanging until they insert the first record so I can get the second for the challenge.

Is there a way to make it a little bit more automatic? At least on our side, for example a script that runs an email challenge so the IT support company receives the email with the link and the only thing they have to do is click it.

Thank you

1 Like

Hi @y_chen, and welcome to the LE community forum :slight_smile:

I don't think there is a simple way to automate this DNS request.
But, I do think there is a way to automate it nonetheless.
The obstacles are:

  • bitnami
  • WP [WordPress?]
  • DNS-01 authentication
  • AWS Lightsail

Start with these steps:

  • install an ACME client locally [like: certbot]
  • install the Route53 DNS plugin:
    [pip install certbot-dns-route53]
  • ensure plugin can be used by certbot:
    certbot certonly --dns-route53 -d example.com
1 Like

What about using the bncert tool in bitnami for automating your cert?

You don't use a wildcard cert so it should support that. Oops, turns out they were using a wildcard. If they don't need a wildcard this method could work.

This link looks like yours but is different. It also appears inside the page you linked to.

https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-enabling-https-on-wordpress

5 Likes

Silly me, I presumed "DNS challenge" meant a wildcard cert was required.

2 Likes

Well, I missed one wildcard in the history (this one)

And, that domain (puck.io) uses this Let's Encrypt cert. So, bncert won't work if the wildcard is actually needed.

They also have this same wildcard cert issued by Amazon. So, maybe from using Cloudfront or ELB somewhere? (link here). Too bad they can't just use this.

2 Likes

Hi rg305, hi MikeMcQ,

thank you for your welcome. :slight_smile:

I will try to tackle all the points you brought up until now:

  • WP: Yes, the website is made using WordPress, we don't manage it directly, just provide the hosting.
  • bitnami: we had to migrate the hosting from another company and since AWS was offering this type of solution, it was the quickest solution since nobody in the team had experience in web hosting or WP
  • DNS-01: I don't know what it means :smiley:
  • Lightsail should not be a big problem, in the end it just gives us a VM to host the website
  • Route53: the thing is that we don't directly manage the puck.io domain. The IT support does and not in our AWS account
  • Wildcard: I am generating the certificate with wildcard but not really using it, at least in that hosted website

I thought that the easiest solution would be to use an email challenge instead of DNS, so the IT support receives it and can click the link to confirm. Alternatively, ask them to let me access the portal where I can directly insert DNS records.

1 Like

Let's Encrypt doesn't offer this type of authentication.
See: Challenge Types - Let's Encrypt (letsencrypt.org)
The easiest would be HTTP-01 authentication.

A less risky/complicated option for them is to delegate that single DNS entry to a name you control [using CNAME].

2 Likes

A less risky/complicated option for them is to delegate that single DNS entry to a name you control [using CNAME].

Hi @rg305 , what do you mean by that? Can I resolve the DNS challenges without having access to the root domain DNS?

I am renewing the certificate right now, so I run sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly, I asked the IT support to add a TXT record with name _acme-challenge.puck.io and I have to wait for them.

Is there a way I can configure our Route53 to solve the challenges in an independent way?

Thank you.

Yes; It requires having a CNAME request entered [once] into the zone you want to get a cert for.
The challenge requests would go to their DNS and they would CNAME them to a DNS under your control.
From there you can integrate a Route53 plugin to validate their requests [from your DNS zone].

As explained, that is much less risky/complicated than giving you access to their DNS zone OR having to process the requests manually.

1 Like

Yes; It requires having a CNAME request entered [once] into the zone you want to get a cert for.
The challenge requests would go to their DNS and they would CNAME them to a DNS under your control.
From there you can integrate a Route53 plugin to validate their requests [from your DNS zone].

I am not really into DNS management, I thought something like this was possible only for subdomains. What should I tell the IT support company to configure this delegate? I usually give the name, value, type and TTL of the record.

So something like

Name Value Type TTL
delegate.puck.io _acme-challenge.puck.io CNAME 172000

And then how should I configure our Route53?

The names are the other way around. Instead of your IT adding a TXT record for the name _acme-challenge.puck.io they create a CNAME for that name. And, the CNAME value is the new DNS name that you can update. It can be anything; it does not have to be a subdomain of puck.io. This "points" the original _acme-challenge name to the new name (or sometimes called delegating).

Example
_acme-challenge.puck.io 172000 CNAME challenge.ychen.io

Then, you run your Certbot --manual like before. But, you add the needed TXT records to challenge.ychen.io.

Certbot requests a cert for your original names. But, the Let's Encrypt Server will follow the CNAME to challenge.ychen.io and find the TXT records you put there.

2 Likes

Ah okay, maybe I understood how it works. So I tell the IT support to add

_acme-challenge.puck.io challenge.puck-service.com CNAME 172000

puck-service.com is another domain we have and we directly host the root zone in Route53.

So when I have to renew the certificate I run the same command as usual and add the TXT record

challenge.puck-service.com abc123 TXT 600

So Let's Encrypt will query puck.io DNS for _acme-challenge.puck.io, it will be "redirected" to challenge.puck-service.com and find the TXT record for the validation.

Yes, it's something that we can do.

2 Likes

So I asked IT support to insert _acme-challenge.puck.io acme-challenge.puck-service.com CNAME 172000 and inserted the TXT record for the validation in puck-service.com DNS but I still can't renew the certificate:

My TXT records should be correct:

I noticed that when I query for acme-challenge.puck.io the CNAME is correctly resolved:

Does it mean IT support created a record for acme-challenge.puck.io instead of _acme-challenge.puck.io?

YES. To work as the DNS challenge, that name still must reflect what the Let's Encrypt server will look at first.

2 Likes
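An added example (not code from the thread, Certbot, Bitnami or AWS) of how the delegated setup worked out above could be scripted as a certbot `--manual-auth-hook`, with a preflight check that catches the `acme-challenge` vs `_acme-challenge` CNAME mistake from the last reply. The Route53 hosted zone id, the token file path and the `acme-challenge.puck-service.com` target name are assumptions.

```shell
#!/bin/sh
# Hypothetical certbot --manual-auth-hook for the CNAME-delegated DNS-01 setup.
# Assumes: puck-service.com is hosted in Route53, the AWS CLI is configured, and
# certbot exports CERTBOT_DOMAIN / CERTBOT_VALIDATION when it calls this script.
# Usage: certbot certonly --manual --preferred-challenges dns \
#          --manual-auth-hook /path/to/this.sh -d puck.io -d '*.puck.io'
DELEGATED_NAME="acme-challenge.puck-service.com"                 # target of IT support's CNAME
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-HOSTED_ZONE_ID_PLACEHOLDER}"   # Route53 zone id (placeholder)
TOKENS_FILE="${TMPDIR:-/tmp}/acme-delegation-tokens"             # hook runs once per requested name

# The name Let's Encrypt queries first: the leading underscore is mandatory.
challenge_name() { printf '_acme-challenge.%s' "$1"; }

# dig prints FQDNs with a trailing dot; strip it so the comparison is exact.
normalize() { printf '%s' "$1" | sed 's/\.$//'; }

# Pure check: is the CNAME target the delegated name we control?
# An empty or wrong target (e.g. the record was created without the underscore) fails.
delegation_ok() { [ "$(normalize "$1")" = "$DELEGATED_NAME" ]; }

# Live check (needs network): returns non-zero if the CNAME is wrong or missing.
verify_delegation() { delegation_ok "$(dig +short CNAME "$(challenge_name "$1")")"; }

# puck.io and *.puck.io share one TXT name, so an UPSERT must carry every token
# collected so far; otherwise the second hook run would overwrite the first value.
txt_values() {
  sep=""
  for tok in "$@"; do printf '%s{"Value":"\\"%s\\""}' "$sep" "$tok"; sep=","; done
}

# $1 = record name in our zone, remaining args = validation tokens.
change_batch() {
  name="$1"; shift
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"TXT","TTL":60,"ResourceRecords":[%s]}}]}' \
    "$name" "$(txt_values "$@")"
}

# Hook body: only runs when certbot invoked us (CERTBOT_VALIDATION is set).
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
  verify_delegation "$CERTBOT_DOMAIN" || {
    echo "CNAME for $(challenge_name "$CERTBOT_DOMAIN") is wrong or missing; ask IT to fix it first" >&2
    exit 1
  }
  echo "$CERTBOT_VALIDATION" >> "$TOKENS_FILE"
  # shellcheck disable=SC2046  # tokens are base64url, so word splitting is safe here
  aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
    --change-batch "$(change_batch "$DELEGATED_NAME" $(cat "$TOKENS_FILE"))"
  sleep 30   # let Route53 propagate before certbot asks Let's Encrypt to validate
fi
```

Pair it with a `--manual-cleanup-hook` that deletes the TXT record and `$TOKENS_FILE` after validation, so stale tokens are not carried into the next renewal.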

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.