Command for wildcard renewal with ZeroSSL client

wildcard certificate obtained fine with ZeroSSL Win32 client.

What is the command for renewal?
Do I still need to --handle-as dns or it will just use existing certificate with --crt ?

Would that work?

–key keys/account.key --email "" --crt c:\LetsEncrypt\domain_com.crt --domains “*” --generate-missing --api 2 --live --cert-path domain_com --renew 0



For the renewal with ZeroSSL you can always use the same command as for the initial issuance, with just one additional parameter --renew X (where X is the amount of days left before certificate expiration, when a renewal attempt should be made).

Since wildcards require DNS verification, neither --path nor --unlink parameters should be there, but --handle-as dns should.

But I would prefer if the renewal did NOT require any more --handle-as dns as that makes it impossible to run as scheduled task.
If it could use --crt instead it would be much more logical and easier

–crt points to already once created (and dns validated) wildcard certificate, there should be no need validate it again (as we doing it still withing that certificate validity period)

As to other switches, thanks, good to know


I’m not sure I understood what you were saying correctly, but renewal of a wildcard certificate always requires a new DNS validation, including posting new TXT records in the DNS zone. This is a requirement from the certificate authority side.

Pity, as that makes the process impossible being automated. Oh well, will have to live with it

Also --renew X makes no sense, as no certificate is actually checked, or am I wrong?

Some clients and some DNS providers support an API to perform DNS updates in order to do unattended renewals this way. For example and Certbot now support a number of these APIs. I'm not sure if any Windows-specific client yet does.

I do not think do support any API even if client did support it…

Do they let you create CNAME records? You can CNAME _acme-challenge to a resource on another nameserver that does have an API, and the CA validator will follow the CNAME when checking the challenge.

I do it for personal use, can live with doing it manually, thanks
I could always move domain hosting to somebody better…

Perl version of the client (which also works fine under Windows) can be extended rather easily to support some custom actions required for verification. That requires some programming knowledge though, but you can also resort to just executing an external command (as also referenced in the integration guide).

If your current DNS provider does not offer any API, you could in theory still set up some sort of automation (using some sort of headless browser or even the macro recorder to replay repetitive tasks), but of course just moving to another (more flexible) DNS hosting would be a better solution indeed.

1 Like

Actually the certificate is checked. The client is intended to be set up in a way that it can run daily but only attempt to renew when it is X (or fewer) days left until the expiration of the certificate. The certificate expiration is checked in two ways - either by looking at the local certificate file (if it is present) or by connecting (via HTTPS) to a domain the certificate is issued for and checking for the expiration that way.

1 Like

But not for wildcard certificate (as stated above -
a wildcard certificate always requires a new DNS validation, including posting new TXT records in the DNS zone )

In which case no certificate is checked, as there is no domain specified to connect to, unless --crt is specified on command line?


Not checked by the CA, checked by the client to determine if it’s expiring in the next 30 (by default) days and needs to be renewed, or not.

1 Like

Checked by client due to --crt switch?
Because surely not online, as there is nothing in command line to point it to any domain that would have this certificate

Yes. That’s just telling the client which certificate it’s renewing, so it knows what to replace and check for expiration on.

Thanks, that makes sense

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.