Automating SSL renewal using certbot-auto


Hi All,

I’ve recently renewed a wildcard SSL for my domain via the certbot-auto utility due to issues with the certbot package on my System. You can find the command that I ran & it’s output

sudo /path-to-/certbot-auto certonly --manual -d -d “*” --agree-tos --preferred-challenges dns-01 --server

Now I’m looking to automate its renewal every 90 days via a script that I’ll use via a crontab on my server to run at periodic intervals and I’ve a few questions regarding the same:

  1. Since I had to pass two flags in the domains on generation because a wildcard SSL doesn’t cover the root domain, I had to create two TXT records for LetsEncrypt validation. Is this necessary every time?

  2. Also, my DNS is managed via Cloudflare and after searching around, I found this post that has an embedded link to a blog post on how to proceed via API calls to most DNS providers create those TXT records & delete them as well. Is this the way to go when we renew the SSL via the above command in the certbot-auto utility or are there any other alternatives (read: easier)?

  3. The script in point 2 has two arguments that can be passed create OR delete but it seems as if only the former is explicitly defined. What actually happens when we issue the delete argument?

@_az @bmw @Osiris @schoen, I’d greatly appreciate if you guys could please take a moment to weigh in with your recommendations here.

Do let me know if I can provide any more information.

Thanks & cheers,


A.1: yes, at every renewal

A.2: you should follow that guide. Your own command at the top of this thread uses the manual plugin without renewal scripts. Without the renewal scripts, certbot will refuse to renew through cron when using the manual plugin, b/c cron can’t ask for manual input.

A.3 It is used in the --manual-cleanup-hook parameter.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.