Followed the info but got an error

I have to write a script, that will mess with my DNS zone every 90 days, and there are not even official good practice howtos to do it on the simplest setup possible - a local named server, API keys seem to be only available for big hosting providers. I thought you do this nonsense just once.

I think I will just buy a wildcard cert, then I have to deal with this every 2 years, not every 90 days, and I don't have to have a bunch of superuser-run software or scripts.

This is quite disappointing experience.


I know it's not ideal. The short certificate lifetime makes manual action tedious. I'll try to tag in someone who has creative ways of working with organizations and entities with specific requirements. I'm not sure if he's around right now, but hopefully he'll see this soon.


Any thoughts here?


Thanks, because we would like to keep our systems as simple as possible, and renewing 300 user subdomains separately is not an option to us. Not to mention that it is quite a requirement for us to keep all the scripts and daemons in check as we have local users on our systems.


I think the colleague I tagged is exactly the right person to help with this. Since most of us are volunteers here, I don't know if/when he'll be around. He contributes here quite frequently though, so I have good hope. Someone else might come around in the meantime though. I'm not the best expert yet in these scenarios. :pensive:


It is okay, thank you.


How did this work on the previous issuance/renewal?


I did manually, including editing my zone file.


Then you should be able to redo those steps now and get your site secure now.
Once that is fixed, then you will have 90 days to figure out how to automate this.
It is not rocket science - millions of people have done it; and we are here to help you with that.

But I would deal with the real problem first.


@platyna You can also use the certbot-dns-rfc2136 plugin which is just like the nsupdate command.

I also run my own BIND and have used the certbot-dns-rfc2136 plugin without any trouble.

That being said, I do want to add a little bit about your behaviour in this thread. My fellow volunteers are trying to help you in their spare time and reacting with comments like "I don't care if it is interactive or not, I just want it to renew and it doesn't work." aren't helpful. It also seems to indicate a certain lack of knowledge about how Let's Encrypt actually works and how certbot actually works.

And your remark "but giving me link to the list of command line options for certbot (which is not even a version I am using) is not really helpful" suggests you require a spoon-fed solution. However, I'd like to remind you again that, like almost everyone on this Community, @griffin and @rg305 (and me for that matter) are unpaid volunteers just trying to help. So if someone suggests to read command line options (with already having suggested the required two command line options earlier!) I think it would be fit to reply with that in mind. The proper reply would be something like "Thanks, I'll take a look into that!". Now, it feels very, very ungrateful.


Thank you for your suggestion about the plugin.

Please do not post off-topic ad personam trips, I do not appreciate them and I don't want to read them, especially in technical issue threads. Thank you.

It's not intended as an ad hominem, just saying you can catch more flies with honey than with vinegar. For example, your statement just now makes me ignore this thread from now on, even if you might have questions or troubles about the aforementioned plugin. That's all on you :slight_smile: I'm not a help desk employee required to help you, it's my personal choice to help you or not. And I choose not to from now on. Best of luck to you.


I feel so included in that [snippet of a] sentence.
It truly says it all about this entire topic conversation.
And with that, I also say "Good Day to You".


I do not force anyone to reply to my technical issues. Please stop this, this is very uncomfortable for me, I prefer to speak about technical issues, not feelings or personal issues.

If I am not welcome I may leave. I just need an instruction on how to delete my account, because I do not see an option in my profile to do so.

You have it all backwards.
We are the ones not feeling welcomed and we are leaving this topic.
There may be others that will come around to help you - don't give up so quickly.


You can participate or not, no need to inform me about it, and I still have no idea how that banana picture is related to wildcard certificate renewal.

It's not; that's just a "paid political advertisement" - LOL



I have no idea how it is going to be helpful in this case...

Hi Everyone,

This topic is getting a little bit away from the original request. Please remember to follow our Community Guidelines while interacting with each other on the forum.

Specifically keep in mind:

Our Standards

Examples of behavior that contributes to a positive environment for our community include:

  • Demonstrating empathy and kindness toward other people
  • Being respectful of differing opinions, viewpoints, and experiences
  • Giving and gracefully accepting constructive feedback
  • Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
  • Focusing on what is best not just for us as individuals, but for the overall community

A post was split to a new topic: Instructions for renewing ACME wildcard certificates

@platyna, the big challenges for this situation are:

(1) By its policy, the Let's Encrypt CA requires you to use (only) the DNS challenge method for wildcard certificates.

(2) By industry policy, the specific token that you have to post for the DNS challenge will have to be different every time.

That means that you need some way to post new token values in DNS automatically, if you want to use Let's Encrypt and get automated renewals of wildcard certificates. You could also give up on any one of these three things (don't use wildcard certificates, don't use automated renewals, or don't use Let's Encrypt).

I think the rfc2136 method that @Osiris mentioned before is the closest "intended" or "official" way to do automated wildcard certificate renewals with Certbot when you run your own BIND.

If you don't want to make changes to your DNS zones at all, there is one other option: since the challenge validation follows CNAME records, you could also make your _acme-challenge record a CNAME pointing to _acme-challenge in some other domain (it doesn't have to be a subdomain of your domain, and doesn't have to be hosted on the nameserver). In that case, you can update the DNS records elsewhere, on some other DNS server, over that other server's API, and that will be considered valid proof of control for your wildcard renewal. This still requires some configuration work because you still have to configure the Certbot plugin (and find a way to get a DNS zone hosted somewhere else with an API for zone updates), but in that case it wouldn't have to be updates to your own servers, services, or zone files that get made as part of the validation process.
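To make both routes concrete (the certbot-dns-rfc2136 plugin against a local BIND that @Osiris mentioned earlier, and the CNAME delegation described just above), here is an added example script; it is not code from this thread, from Certbot or from BIND. It generates the plugin's credentials file, a named.conf fragment whose update-policy lets the TSIG key add and delete only the TXT record at _acme-challenge.<zone> (rather than allow-update, which would let the key rewrite the whole zone), the CNAME line for the delegation variant, and the certbot invocation. Everything in it is an assumption chosen for illustration: the zone example.org, the key name certbot-acme, BIND on 127.0.0.1:53, the credentials path, the delegate zone acme-delegate.example.net, and the base64 secret, which is a constructed placeholder standing in for the output of tsig-keygen.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the configuration pieces for
# automated wildcard renewal with certbot-dns-rfc2136 against a local BIND,
# scoped so the TSIG key can only touch the ACME challenge TXT record.
# Assumed/hypothetical values: zone example.org, key name certbot-acme,
# BIND on 127.0.0.1:53, delegate zone acme-delegate.example.net.

ZONE="example.org"
KEY_NAME="certbot-acme"
SERVER="127.0.0.1"
CREDS="/etc/letsencrypt/rfc2136.ini"   # any path root-run certbot can read

# Generate a real secret with: tsig-keygen -a hmac-sha256 "$KEY_NAME"
# This constructed value is only a placeholder so the script runs without BIND.
PLACEHOLDER_SECRET="cGxhY2Vob2xkZXItbm90LWEtcmVhbC1rZXk="

# Credentials file read by certbot's dns-rfc2136 plugin.
# $1 = output path, $2 = base64 TSIG secret
make_credentials() {
  cat > "$1" <<EOF
dns_rfc2136_server = ${SERVER}
dns_rfc2136_port = 53
dns_rfc2136_name = ${KEY_NAME}
dns_rfc2136_secret = $2
dns_rfc2136_algorithm = HMAC-SHA256
EOF
  # The secret is a zone-write credential: owner-only permissions.
  chmod 600 "$1"
}

# named.conf fragment: the key plus an update-policy granting it add/delete
# of TXT at _acme-challenge.<zone> and nothing else. Using
# allow-update { key ...; } instead would let the key rewrite the whole zone.
# $1 = base64 TSIG secret (must match the credentials file)
named_conf_snippet() {
  cat <<EOF
key "${KEY_NAME}" {
    algorithm hmac-sha256;
    secret "$1";
};

zone "${ZONE}" {
    type master;
    file "/etc/bind/db.${ZONE}";
    update-policy {
        grant ${KEY_NAME} name _acme-challenge.${ZONE}. TXT;
    };
};
EOF
}

# Alternative from the thread: keep the local zone static and delegate the
# challenge name by CNAME to a zone that has an update API.
# $1 = your zone, $2 = delegate zone
cname_delegation() {
  printf '_acme-challenge.%s. IN CNAME _acme-challenge.%s.\n' "$1" "$2"
}

# The certbot invocation. One wildcard certificate covers every user
# subdomain, so only the single TXT record at _acme-challenge.<zone> is
# ever written during validation.
certbot_command() {
  printf 'certbot certonly --dns-rfc2136 --dns-rfc2136-credentials %s -d %s -d "*.%s"\n' \
    "$CREDS" "$ZONE" "$ZONE"
}

# Usage: sh acme-rfc2136.sh show
case "${1:-}" in
  show)
    named_conf_snippet "$PLACEHOLDER_SECRET"
    cname_delegation "$ZONE" "acme-delegate.example.net"
    certbot_command
    ;;
esac
```

Pick one route, not both: with the rfc2136 key in place the CNAME line is unnecessary, and with the CNAME in place the local update-policy is unnecessary because certbot then writes the TXT record in the delegate zone through that zone's own plugin. After the first successful issuance, certbot's timer handles the 90-day renewals without any manual zone edits.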