I run the following command for a Let's Encrypt certificate: sudo certbot -d sub-domain.com --manual --preferred-challenges dns certonly
The dns-challenge is essential in order to receive the certificate. After setting up everything (TXT record, etc.), it seems to work but I get this message:
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
I googled around but couldn't find an answer on how to solve this. How can I achieve autorenewal for this certificate? I mean sure, I can use --manual-auth-hook, but what parameter/script should I enter afterwards?
The difficulty with --manual and manually editing DNS records, is that Certbot needs to be able to perform that same task automatically.
You need an authentication script which will automatically do the equivalent steps of logging into your DNS provider and adding the required TXT records, at every renewal.
Do you really need to use DNS validation? Sometimes, the answer is yes. But it's worth thinking about whether there's a simpler way to get a Let's Encrypt certificate.
If you are using DNS validation because you want a wildcard certificate, reconsider whether a non-wildcard certificate with multiple names on it would also work. They are much simpler to obtain.
Can you move to a DNS host for which an integration already exists in an ACME client, like Certbot or acme.sh or lego or something else?
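As an added illustration of the kind of authentication script the reply above calls for (this is not code from the thread or from Certbot), one script that serves as both --manual-auth-hook and --manual-cleanup-hook for Route 53. It assumes the aws CLI is installed with credentials for the user running Certbot, uses the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables Certbot exports to hooks, and expects you to set ROUTE53_ZONE_ID (the hosted zone of domain.com) yourself.

```shell
#!/bin/sh
# Added example: one script usable as --manual-auth-hook and --manual-cleanup-hook.
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; the hosted
# zone id (ROUTE53_ZONE_ID) and the aws CLI are assumptions, not Certbot features.
# Usage:
#   certbot certonly --manual --preferred-challenges dns -d sub.domain.com \
#     --manual-auth-hook    "/usr/local/bin/r53-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/bin/r53-hook.sh cleanup"
set -eu

# Build the Route 53 change batch JSON for the _acme-challenge TXT record.
# $1 = UPSERT or DELETE, $2 = domain, $3 = validation token from Certbot
acme_change_batch() {
  printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"_acme-challenge.%s.","Type":"TXT","TTL":60,"ResourceRecords":[{"Value":"\\"%s\\""}]}}]}' \
    "$1" "$2" "$3"
}

# Submit a change batch and block until Route 53 reports it as INSYNC, so the
# CA does not query the authoritative servers before the record is live.
apply_change() {
  : "${ROUTE53_ZONE_ID:?set to the hosted zone id of the parent domain}"
  change_id=$(aws route53 change-resource-record-sets \
    --hosted-zone-id "$ROUTE53_ZONE_ID" \
    --change-batch "$(acme_change_batch "$1" "$2" "$3")" \
    --query 'ChangeInfo.Id' --output text)
  aws route53 wait resource-record-sets-changed --id "$change_id"
}

case "${1:-}" in
  auth)    apply_change UPSERT "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
  cleanup) apply_change DELETE "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
esac
```

Because `certbot renew` runs from a cron job or systemd timer with a minimal environment, hardcode ROUTE53_ZONE_ID in the script rather than relying on your shell's exports; the dns-route53 plugin suggested later in the thread removes the need for a hook entirely.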
The webserver is hosted behind a firewall and is only reachable from a specific IP address. So I guess I need the DNS challenge. What do you think?
I don't want or need a wildcard certificate. The certificate is for sub.domain.com and not *.domain.com or similar. My DNS provider is AWS (Route 53).
It's weird, I remember doing the same for another service on my side. Again, the DNS host was Route 53 and the webserver was behind a VPN. I did the same steps with the dns-challenge and I didn't get this autorenewal warning message.
I added this warning message to Certbot relatively recently (1.16, June 2020), because users keep stumbling upon this --manual autorenewal confusion, but only when their certificate was expired. It's possible you were using an older version of Certbot before.
So, this is convenient. You can use certbot-dns-route53 and everything will be automated.
If you installed Certbot using snap or pip, it will be simple to install the plugin. Not sure what distro you are using.
Did you install Certbot using apt, pip, or snap? How you should install the plugin will vary based on that.
You will first need to give your server either an IAM Role, or set up credentials, to give Certbot access to the Route53 APIs required. See the documentation.
I installed certbot like this: sudo apt install -y python-certbot-apache.
But before I set up the credentials/API stuff in Route 53, another question: Is it possible to change the renewal time from 3 months to 12 months somehow with the command I used to create the certificate?
* Using the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables.
* Using a credentials configuration file at the default location, `~/.aws/config` .
* Using a credentials configuration file at a path supplied using the `AWS_CONFIG_FILE` environment variable.
Example credentials config file:
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
I installed it with sudo apt install python3-certbot-dns-route53 and created my API keys in Route 53. But what next? There is no ~/.aws/config, do I have to create this myself with the given content and after that run
That's one of the three options. You can choose either one of the three options provided in the documentation.
Using a configuration file is probably the easiest way with regard to cronjobs or systemd timers. Note that it should be in the home directory of the user running Certbot, i.e., root (usually).
user@webserver:/var/www/webserver$ sudo certbot certonly --dns-route53 -d sub.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-route53, Installer None
Attempting to parse the version 1.26.0 renewal configuration file found at /etc/letsencrypt/renewal/sub.domain.com.conf with version 0.40.0 of Certbot. This might not work.
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/sub.domain.com.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/sub.domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/sub.domain.com/privkey.pem
Your cert will expire on 2022-07-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
So I guess that's it? Any chance to verify the autorenewal?
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-route53, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for sub.domain.com
Cleaning up challenges
Attempting to renew cert (sub.domain.com) from /etc/letsencrypt/renewal/sub.domain.com.conf produced an unexpected error: Unable to locate credentials
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/sub.doamin.com/fullchain.pem (failure)
What I did so far:
1. created API key / secret key in Route 53
2. mkdir ~/.aws
3. created file in ~/.aws called config with this content:
[default]
aws_access_key_id=my_key
aws_secret_access_key=my_secret_key
4. certbot certonly --dns-route53 -d sub.domain.com
In Route 53 I see "last used: N/A" for this API key. The API key is activated.
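The "Unable to locate credentials" error in the dry run above is the symptom the earlier reply warned about: the config file must live in the home directory of the user Certbot runs as (root under sudo), or be pointed to with AWS_CONFIG_FILE. As an added check (not code from the thread or from Certbot), this script reports which file boto3 will read and whether it is complete and protected; run it the same way Certbot is run, e.g. sudo sh aws-creds-check.sh check.

```shell
#!/bin/sh
# Added example: verify the AWS credentials file that boto3 (and so
# certbot-dns-route53) will actually read. The file name, the [default]
# section and the two keys are the ones from the certbot-dns-route53 docs
# quoted earlier in the thread; everything else here is our own assumption.
set -eu

# Where boto3 looks: AWS_CONFIG_FILE if set, otherwise ~/.aws/config of the
# user the process runs as. Under sudo that is normally root's home, which is
# why a file created in the invoking user's ~/.aws is never found.
expected_config_path() {
  if [ -n "${AWS_CONFIG_FILE:-}" ]; then
    echo "$AWS_CONFIG_FILE"
  else
    echo "$HOME/.aws/config"
  fi
}

# $1 = path to check. Returns 0 when the file has a [default] section with
# both keys and is readable by its owner only; otherwise prints why and returns 1.
check_aws_config() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  grep -q '^\[default\]' "$f" || { echo "no [default] section in $f"; return 1; }
  grep -q '^aws_access_key_id *= *[^ ]' "$f" || { echo "aws_access_key_id not set in $f"; return 1; }
  grep -q '^aws_secret_access_key *= *[^ ]' "$f" || { echo "aws_secret_access_key not set in $f"; return 1; }
  # The secret key is a long-lived credential: allow owner-only access (chmod 600).
  case "$(ls -ld "$f" | cut -c1-10)" in
    -rw-------|-r--------) ;;
    *) echo "permissions on $f are too open, chmod 600 it"; return 1 ;;
  esac
  echo "ok: $f"
}

if [ "${1:-}" = check ]; then
  check_aws_config "$(expected_config_path)"
fi
```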