DNS Challenge - multiple servers/auto renew

I am running a number of Linux servers; on my test box I have run:

sudo certbot certonly --manual --preferred-challenges=dns --email me@example.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.example.com

This gave me my _acme-challenge key, which I have updated my DNS with, and I have done the necessary to import the cert into the application I am using (Unifi).

My question is, if I want to add the cert to another server, what command would I need to run?

Secondly, is there a way to auto-renew using the DNS challenge with a cronjob, or do I need to use another utility? I am struggling to confirm what is needed.

At the minute I have 80 and 443 open, but I want to close them, and going forward, as we migrate our network, that will not be an option, so the DNS challenge is what I am going to need.

With 80 and 443 open there is currently a cronjob running which auto-renews; is there a way to switch that to using the DNS challenge, or do I start from scratch on that one?

Sorry for all the questions, but I am struggling to find a clear answer to the questions asked.

Welcome @MattL

Run the same command as before with the other domain name. You can include more than one name in a cert by repeating the -d clause or use a comma-delimited list.

As an aside, example.com is preferred to domain.com, as the latter is a valid domain whereas example.com is reserved for such a purpose.

Yes, but it requires your DNS provider to offer an API to update the TXT record. Certbot has support for various DNS providers (see its docs). Or, use a --pre-hook and --post-hook to code one yourself. Other ACME clients have support for more DNS providers (like lego or acme.sh).

If you have an API, you create the cert as you show and then schedule sudo certbot renew as a cronjob or systemd timer to run (usually) twice a day. Such a renew may have already been set up during the install of Certbot. Again, see the Certbot docs, the section on automating renewals.

If you have port 80 and/or 443 open you can use an HTTP (80) or TLS-ALPN (443) challenge. Those must have a service that replies to the inbound request. A DNS challenge works only through the public DNS. An HTTP challenge is the easiest to automate, and TLS-ALPN requires support by your ACME client (Certbot does not support it).

Some people use the --pre-hook and --post-hook to open/close port 80. Or, always leave port 80 open and use the --standalone option in Certbot. That uses the HTTP challenge to get a cert and only listens on port 80 for the few seconds of getting one. The rest of the time nothing would reply on port 80.

The DNS Challenge is required if you need a wildcard cert.

There are lots of options.

3 Likes
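Added example, not code from the original post or from the Certbot project: a hook script that automates the DNS-01 TXT record for certbot's --manual mode. Certbot's mechanism for this is --manual-auth-hook and --manual-cleanup-hook (the --pre-hook/--post-hook run around the whole renewal and are not handed the challenge token); it exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the auth hook before asking the CA to validate, and runs the cleanup hook afterwards. The provider API (dns_api_set_txt and dns_api_delete_txt posting to a hypothetical $DNS_API_URL with a $DNS_API_TOKEN bearer token) is an assumption and must be replaced with your provider's call, or with one of the certbot-dns-* plugins if one exists for it. The script also waits until the record is visible in public DNS before returning, so the CA's lookup does not race the provider's propagation.

```shell
#!/bin/sh
# Added example (not code from the original post or from Certbot itself):
# a DNS-01 hook for certbot's --manual mode. Certbot runs the auth hook with
# CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment before asking the
# CA to validate, and the cleanup hook afterwards.
#
# ASSUMPTION: the DNS provider exposes a REST API reachable at $DNS_API_URL
# with a bearer token in $DNS_API_TOKEN. dns_api_set_txt/dns_api_delete_txt
# are placeholders for that hypothetical API; replace them with your provider's call.
set -eu

# TXT record name the CA will query for a domain. A leading "*." is
# stripped, since a wildcard is validated at the base name.
acme_txt_name() {
  domain=${1#\*.}
  printf '_acme-challenge.%s\n' "$domain"
}

# Succeeds if raw `dig +short TXT` output contains the expected token.
# dig prints each TXT string double-quoted, so match the quoted form to
# avoid accepting a record whose value merely starts with the token.
txt_contains() {
  printf '%s\n' "$1" | grep -qF "\"$2\""
}

# Poll a public resolver until the record is visible, so the CA's own
# lookup does not race the provider's propagation. Gives up after $3 tries.
wait_for_txt() {
  name=$1; value=$2; tries=${3:-30}; i=1
  while [ "$i" -le "$tries" ]; do
    out=$(dig +short TXT "$name" @1.1.1.1 2>/dev/null || true)
    if txt_contains "$out" "$value"; then
      return 0
    fi
    i=$((i + 1))
    sleep 10
  done
  echo "TXT record $name did not become visible" >&2
  return 1
}

# Placeholder provider calls (hypothetical API shape, see ASSUMPTION above).
dns_api_set_txt() {
  curl -fsS -X POST "$DNS_API_URL/records" \
    -H "Authorization: Bearer $DNS_API_TOKEN" \
    -H 'Content-Type: application/json' \
    -d "{\"type\":\"TXT\",\"name\":\"$1\",\"content\":\"$2\",\"ttl\":60}"
}
dns_api_delete_txt() {
  curl -fsS -X DELETE "$DNS_API_URL/records/$1" \
    -H "Authorization: Bearer $DNS_API_TOKEN"
}

# Entry point: "auth" publishes the token and waits for it; "cleanup" removes it.
# Only runs when Certbot is actually calling us (CERTBOT_DOMAIN is set).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  name=$(acme_txt_name "$CERTBOT_DOMAIN")
  case ${1:-auth} in
    auth)
      dns_api_set_txt "$name" "$CERTBOT_VALIDATION"
      wait_for_txt "$name" "$CERTBOT_VALIDATION"
      ;;
    cleanup)
      dns_api_delete_txt "$name"
      ;;
  esac
fi
```

Install it as, say, /usr/local/bin/dns-hook.sh and issue the cert with `sudo certbot certonly --manual --preferred-challenges=dns --manual-auth-hook "/usr/local/bin/dns-hook.sh auth" --manual-cleanup-hook "/usr/local/bin/dns-hook.sh cleanup" -d '*.example.com' -d example.com`. Certbot records both hooks in /etc/letsencrypt/renewal/<name>.conf, so the same `certbot renew` cronjob or systemd timer that exists today renews this cert too, with nothing listening on 80 or 443; a --manual cert issued without hooks is skipped by `certbot renew`. Keep the TXT TTL short, and for a stricter propagation check query the zone's authoritative nameservers (`dig +short NS example.com`) instead of 1.1.1.1, which may cache a stale answer.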
