Convert manual to Webroot renewal

Hi @danb35, yes, I wanted to use acme.sh, but when I saw that they need the account API Key for the DNS it just seemed impossible, since my boss told me that he will not be giving me this credential and I had to find ways to auto-renew the site without the Account API_KEY.

That leads me to think that WEBROOT will solve everything. But sadly, as @sahsanu has mentioned, I can't auto-renew it with a wildcard.

I really don't know now what step I should take to fix this kind of issue, since the account API_KEY is crossed out from the choices.

@stevenzhu yes, we are using GoDaddy, but I think it needs the account API_KEY to access it, right?

Then you could try to use the CNAME method to only CNAME _acme-challenge to another verification domain?

Try this https://github.com/joohoi/acme-dns/blob/master/README.md

Thank you

  • Stop using a wildcard certificate
  • Run your own acme-dns instance
  • Tell your boss to stop being an idiot, and give you the tools you need to do your job. OK, you might want to rephrase that a bit...

Edit: OK, the last deserves a little bit of explanation. Automatic renewal of a wildcard cert requires that certbot (or whatever other client) be able to automatically update your DNS records. In order to do that, it must have the API_KEY. It is not possible to perform this task, using GoDaddy for your DNS hosting, without the API_KEY.


@danb35 I figured that would be the case, and I already told him that having no API_Key will make the renewal impossible, since "I THINK" it needs some way to have authorization to verify the DNS ownership.

For the wildcard certificate: the site requires a wildcard domain to cater to other users, just like a SaaS. I haven't tried this acme-dns but will give this a try...

Really appreciate your quick reply on this. Been busting my head trying to fix auto-renewal with a wildcard. Good thing I found this forum; it's really a big help to clarify all the questions in my head.

@stevenzhu will check acme-dns; hopefully this will solve the issue with auto-renewal using wildcards.

It was a little tough to wrap my head around, so I started a thread for my questions--here it is in case it helps you:


Ok, I browsed some of the comments and I think it needs to have access to the DNS server, right? Like setting up the CNAME and all that?

:disappointed_relieved: seems this will also not work, since I don't have access to the DNS server panel in GoDaddy (my boss is the only one who has access to this). And it seems impossible to ask him to do these steps, since he says "IT'S MY JOB TO FIX THIS".

Sorry for venting my frustration here. I just don't know how to work properly with the limited resources and access I have.

Yes, you need access to the DNS server to create a CNAME for _acme-challenge.yourdomain.tld, but you just need to create it once.

Your boss is responsible for providing the right tools and access for you to be able to do your job. If there is no way to modify the DNS for the domain, how did you create the right _acme-challenge TXT records to validate it and get your wildcard certificate? If it was your boss who edited the DNS records, then you should tell your boss that he/she will have to do it every 60-90 days, or he/she should pay for a wildcard cert, whatever he/she prefers.

Good luck,
sahsanu

Yes, he created it; I asked him to create it for me when I first set up the certificate. I already informed him that the TXT value and renewal need to be done every 90 days. But he was asking me to look for other ways to fix it without HIM doing the TXT value change every 90 days.

Well, anyway, I guess I just have to let him know about this in a nicer way for him to accept that there is no other way to auto-renew a certificate with wildcards.

Thanks all for the great support.

Note that the CNAME record would only need to be created once. It would point somewhere else and the different TXT records would be created there. Therefore, your boss wouldn’t have to do ongoing work to create the CNAME record if you find a plan that uses this method.

@schoen that seems to be OK, I guess... Would need to understand first how to implement this. If it's just a one-time setup, then it's feasible that he can do it.

try our DNS alias mode :slight_smile:


@Neilpang I guess this can also be a solution, but I need to ask first if we have a spare server that we can use as a dummy.

@sahsanu @danb35 do I need to install acme-dns on my server, as mentioned on their GitHub? Or can I not install it? The server disk is only 300 MB and it can't take another installation like Go.

If you don't want to use a DNS provider that offers you an API that you have credentials for, then you need to install acme-dns on a server that you control, since it's an alternative to using a DNS provider's API.

If you want to use a DNS provider that offers you an API that you have credentials for, then you don’t need to install acme-dns. This does not necessarily need to be your existing DNS provider, if you can create the CNAME record that I referred to before.

I see. Guess it makes sense... Will need to figure out how to make it work, probably by increasing storage space.

Does acme-dns really require Go to run? I saw from the link https://github.com/joohoi/acme-dns that it needs Go installed to download the file from https://github.com/joohoi/acme-dns. Can I just do a git clone or something for this file?

Hi @ramzdam,

The acme-dns developer (@joohoi) has a hosted acme-dns instance, https://auth.acme-dns.io, that you could use instead of installing your own self-hosted instance, BUT keep in mind that:

1.- That instance could be down at any time; the developer has no plans to take it down, but it could happen.

2.- That instance could be unavailable because of maintenance or whatever.

3.- The DB used could be nuked at any time because a new version is in place or because of...

4.- The hosted acme-dns provided by @joohoi is intended to be used for testing purposes, not for production.

That said, the acme.sh client has a plugin for acme-dns that uses https://auth.acme-dns.io by default, but the recommended way is to install your own instance of acme-dns.

This is what the developer says about his hosted acme-dns instance:

It doesn't need Go to run, but it needs it to compile acme-dns, so yes, you should install Go, compile acme-dns, and once it is compiled and installed you could remove Go if you don't need it.

Edit: As @danb35 commented in the post below (thanks), @joohoi provides compiled binaries for Linux (32 and 64 bits), so you won't need to install Go nor compile acme-dns yourself if you don't want to do so. Link to the acme-dns release page.

If using the acme-dns hosted instance is not an option and you can't install your own acme-dns instance, there are other alternatives, like using Cloudflare because of their API to modify records, plus acme.sh with its dns-alias mode (as mentioned by @Neilpang a few posts ago) and the dns_cf plugin.

The process would be similar to the one with acme-dns:

1.- Get a new domain; you could even get a free one from https://www.freenom.com

2.- Create a free account on Cloudflare and add this new domain so the DNS will be managed by them.

3.- Get your API credentials from Cloudflare.

4.- Create a CNAME record for your domain pointing to the new domain.
Example: _acme-challenge.yourdomain.tld CNAME _acme-challenge.newdomain.tld

5.- Use the acme.sh client to get a certificate for your domain using dns-alias mode and the dns_cf plugin (with the API credentials you got from Cloudflare). Info and examples here: DNS alias mode · acmesh-official/acme.sh Wiki · GitHub

Note: Using Cloudflare is just an example; you could use any other DNS provider supported by the acme.sh DNS plugins.

Good luck,
sahsanu
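To make the CNAME delegation in the steps above (and @schoen's earlier point that the CNAME only has to be created once) concrete, here is an added Python sketch that is not part of this thread, of acme-dns or of acme.sh: it computes the DNS-01 TXT value per RFC 8555 and models how the CA follows the CNAME from _acme-challenge.yourdomain.tld into the delegated zone where the client writes the TXT record. The zone data, token and key thumbprint are constructed values.

```python
import base64
import hashlib

# Constructed zone data (assumption): yourdomain.tld is hosted at a provider
# you cannot edit, so it only carries the one-time CNAME; newdomain.tld is at
# a provider whose API the ACME client controls and holds the changing TXT.
ZONES = {
    "_acme-challenge.yourdomain.tld.": [("CNAME", "_acme-challenge.newdomain.tld.")],
    "_acme-challenge.newdomain.tld.": [],  # filled in at each renewal
}

def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """TXT value the CA expects: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def resolve_txt(zones, name, max_hops=8):
    """Follow CNAMEs the way a validating resolver does, then return TXT values."""
    for _ in range(max_hops):
        records = zones.get(name, [])
        cnames = [target for rtype, target in records if rtype == "CNAME"]
        if cnames:
            name = cnames[0]  # hop to the delegated name
            continue
        return [value for rtype, value in records if rtype == "TXT"]
    raise RuntimeError("CNAME chain too long")

def publish_challenge(zones, alias_name, token, thumbprint):
    """What dns alias mode does: the client writes the TXT at the alias name,
    never at the real _acme-challenge name, so the CNAME is set up only once."""
    zones[alias_name] = [("TXT", dns01_txt_value(token, thumbprint))]

def ca_validates(zones, identifier, token, thumbprint):
    """Simulated CA check. For a wildcard like *.yourdomain.tld RFC 8555 strips
    the '*.' prefix, so the same _acme-challenge name is queried."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    expected = dns01_txt_value(token, thumbprint)
    return expected in resolve_txt(zones, f"_acme-challenge.{base}.")
```

Swapping the CNAME target for an acme-dns subdomain (e.g. one under auth.acme-dns.io or your own instance) changes nothing in the flow: the CA still lands on the TXT record wherever the chain ends.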

No, just to compile. There are compiled binaries available to download as well.


I don't think you can manage DNS for the free domains anywhere other than at Freenom; at least, that's what I remember from when I had a domain there.