Changing renewal process

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

douganconsulting.com

I ran this command:

certbot-auto certonly --manual --preferred-challenges dns-01 -d *.douganconsulting.com

It produced this output:

It worked as expected.

My web server is (include version):

Apache 2.4.37

The operating system my web server runs on is (include version):

CentOS 8

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1.10.1


As noted above, I have been using the --manual option on this server (acting as a proxy, as I have several Web sites and subdomains hosted on my office LAN). While this works, it is not something I can automate. I've read the various postings and articles I can find but I'm not getting what I am looking for - which is a way to renew the certs automatically via a cron job. Can anyone point me to a way to amend what I have in place? I think, from what I understand from this site, that using the wildcard is not a good idea in terms of automation. Am I reading that correctly?

Thanks,

Des

2 Likes

Hello Des 🙂

While dns-01 challenges (which are required for wildcard domain names) can be automated, making that happen can be far more complex than by simply using http-01 challenges.

Since you appear to be using a reverse proxy (with everything behind the reverse proxy being local), I recommend terminating SSL/TLS and serving all of the certificates via SNI at the reverse proxy. By the way, certbot-auto is deprecated and may cause you headaches going forward.

certbot-auto run -a apache -d "douganconsulting.com,www.douganconsulting.com" -i apache --keep

2 Likes

Hello @ddougan,

I'm leaving right now so my response will be short.

Seems you are using zoneedit as your dns provider and I'm afraid zoneedit doesn't provide an API to create/modify/etc. the DNS records, so it seems you can't automate it, at least not in an easy way.

Also, as zoneedit doesn't provide an api, there aren't certbot plugins to automate the DNS validation, not even in the acme.sh client, and it has tons of dns plugins.

You could move your dns to cloudflare, for example; it is free and certbot provides a plugin to automate it.

There are other options like using dns alias mode, so if you can't or simply don't want to change your dns provider we could use those other options.

I'm sorry but family is waiting for me 😉

Happy New Year!

Cheers,
sahsanu

3 Likes

Thanks, Griffin. I had no clue that certbot-auto had been deprecated - I'll look at snap now that I know about it. I'll also look at SNI on my Apache configuration - many thanks for your assistance.

Des

3 Likes

Hi Sahsanu,

Thanks for the ideas. I've been happy with ZoneEdit for a long time, but it may be time for a new provider based on the lack of API.

Happy New Year!

Regards,

Des

3 Likes

You can also delegate the ACME DNS challenge to another domain through CNAME records or even to a whole different DNS server with NS records. It might be possible to keep your main DNS stuff @ ZoneEdit and only put the ACME bit at, for example, CloudFlare or another API-providing DNS service. You might also look at acme-dns, which is built for exactly this purpose (mainly for security reasons).

1 Like
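To make the CNAME delegation described in the last reply concrete, here is an added example (not code from any poster or from certbot) that models what the CA's validator checks for a dns-01 challenge: the `_acme-challenge` label stays at the main provider as a CNAME, the TXT record lives in a delegated zone, and the TXT value is base64url(SHA-256(token.thumbprint)) per RFC 8555. The zone data, the token, the account-key thumbprint and the delegated zone name `acme.example.net` are all constructed for illustration.

```python
import base64
import hashlib

# Constructed sample values (not a real token or account key).
TOKEN = "constructed-token-evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "constructed-account-key-thumbprint"

def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 8.4: base64url(SHA-256(token '.' thumbprint)), no '=' padding."""
    key_auth = f"{token}.{thumbprint}".encode()
    digest = hashlib.sha256(key_auth).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

# Constructed zone data (not live DNS): owner name -> {rrtype: [rdata, ...]}.
# The challenge label at the main provider is only a CNAME into a hypothetical
# API-driven zone (acme.example.net); the TXT record is published there.
ZONE = {
    "_acme-challenge.douganconsulting.com.": {
        "CNAME": ["douganconsulting.com.acme.example.net."]},
    "douganconsulting.com.acme.example.net.": {
        "TXT": [dns01_txt_value(TOKEN, THUMBPRINT)]},
}

def resolve_txt(zone: dict, name: str, max_hops: int = 8):
    """Follow the CNAME chain the way a validating resolver does.
    Returns (final_owner_name, list_of_txt_values); refuses loops."""
    seen = set()
    while True:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"][0]
            continue
        return name, rrset.get("TXT", [])

def challenge_name(identifier: str) -> str:
    """Wildcards are validated at the base name: the leading '*.' is dropped."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}."

def validate_dns01(zone: dict, identifier: str, token: str, thumbprint: str) -> bool:
    """True if the TXT RRset reached via the delegation holds the expected value."""
    _owner, txts = resolve_txt(zone, challenge_name(identifier))
    return dns01_txt_value(token, thumbprint) in txts
```

Because the validator only cares about the final TXT RRset, the record at ZoneEdit never has to change after the one-time CNAME is added; only the delegated zone needs API access at renewal time.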