Certbot - DNS Challenge Guide

shaneoh · May 2, 2017, 10:40am

I have a few websites which are not publicly available and are used for internal company business only. We have recently started to move everything over to Let’s Encrypt.

I’m struggling to find a definitive answer to this question online: is it possible to automatically renew certs which do not have public http/https? I have seen reference to using the DNS-01 method, but from what I can tell this is not supported by the official cerbot client.

All I want to do is renew certs without having to change my firewall settings each time I do it (as this means it needs to be done manually). Can anyone recommend the best way to do this (and ideally some kind of tutorial?).

ahaw021 · May 2, 2017, 12:58pm

@shaneoh

I have seen reference to using the DNS-01 method, but from what I can tell this is not supported by the official cerbot client.

Hmmmmmmm

https://certbot.eff.org/docs/using.html

There are several references to how to use DNS challenge

Andrei

jmorahan · May 2, 2017, 2:27pm

It’s supported, but not very comprehensively. You would likely have to write your own scripts to interact with your DNS provider’s API.

You might find it easier to use acme.sh or one of the other bash clients, which come with built-in support for several popular DNS providers.

shaneoh · May 11, 2017, 7:18am

Thanks - using acme.sh works, but it’s far from ideal. The reason is we like to run everything like this through Jenkins so we have visibility over everything rather than having server side processes which we don’t necessarily see if they fail. In this case, if the cert isn’t due for renewal then the job is marked as unstable because the renewal command fails. That means to keep it clean I need to use the --force flag on the renewal, which means it renews every time the job runs (currently fortnightly). That’s fine for now but isn’t scalable because of the cert per domain limits from Lets Encrypt.

With the certbot we could run the job weekly and if the cert wasn’t due, the job is still stable.

jmorahan · May 11, 2017, 8:28am

Hmm, I don’t think that should happen. What actual command are you running via Jenkins? AFAIK it marks the build as unstable if it gets a nonzero error code, and acme.sh’s default cron command returns zero for me.

shaneoh · May 11, 2017, 8:56am

The code I am running is:

/home/jenkins/.acme.sh/acme.sh --renew -d mydomain.com --force

I found the full path was needed and it had to be in the home directory for the jenkins user, or the job would fail because it didn't recognise the acme.sh command - although when running it manually on the box it was recognised which I couldn't understand.

jmorahan · May 11, 2017, 2:39pm

I'm using --cron rather than --renew and it works as expected; --renew seems to work differently, in that it returns 0 for successful renewal, 1 for error or 2 if no renewal was needed. I guess you could catch that case with something like this:

/home/jenkins/.acme.sh/acme.sh --renew -d mydomain.com || [[ "$?" -eq 2 ]]

or just use --cron if that suits your needs.

The acme.sh installer adds an include to your .bashrc which sets up an alias; I guess this is not used by Jenkins. If you used the installer, note that it also sets up its own cron job which you may want to remove if you're using Jenkins instead.

shaneoh · May 11, 2017, 2:48pm

OK, great - thanks for both pieces of advice. I’ll give this a go when I get a bit more time.

system · June 10, 2017, 2:53pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Automate renew using certbot with dns-01 for firewalled host Help	6	2715	November 12, 2017
Certbot manual with certonly Help	6	3126	October 5, 2022
Already have a cert for our domain name but need one for an internal server Help	2	1017	August 4, 2017
Using Certbot and DNS01 Help	3	1943	March 17, 2019
DNS Challenge - multiple servers/auto renew Help	2	223	July 20, 2024

Certbot - DNS Challenge Guide

Related topics