Fully automating certbot

Certbot version: certbot 0.27.0

Hi, I would like to automate certificate renewal completely. The DNS challenge needs to be sent to Gandi.net, and the other challenge needs to be put into a text file with a certain path.

Is that possible with certbot?

This is the command I currently use:

certbot certonly --manual --manual-public-ip-logging-ok -d *.botcompany.de,botcompany.de

It’s almost automated, but I still have to do the DNS entry and the text file modification myself. I want the machine to do that for me.

Hope I made the question clear…

Thanks

Hi @stefan-reich

if I know it correct, Certbot doesn't support such a mixed validation. So if you want to create a wildcard with the main domain, you have to use only dns validation.

May be acme.sh is a better solution.

They support the DNS API of gandi.net.

Hi Jürgen, thanks, I’ll look into it!

It does. You can do DNS for wildcard and HTTP for straight domain. At least in my acme implementation it's possible. Cannot speak to certbot. Can't imagine why it would be precluded.

edit: I didn't see your whole post. You would definitely know better than I about certbot's restrictions. I concur that acme.sh can though.

Letsencrypt supports that. My own client uses that with the wildcard of server-daten.de - *.server-daten.de via DNS, the server-daten.de via http. So I know it is possible because I use it.

But the client must support that. My last information - Certbot doesn't.

You are mixing the client with the server.

PS:

https://certbot.eff.org/docs/using.html

has no option to declare different challenge types per domain name in one command.

Makes sense about certbot. That's the big limitation I find with automated, terminal clients. You either have to specify everything up front or put them in "manual" mode and make decisions from the terminal as you go. I personally much prefer a simple web page form for presenting information and making configuration choices.

Ah. So that is your domain. I ran your check on my cloakanddagger.com domain earlier today. That's thorough! Definitely shows GoDaddy's ugliness.

Not sure what you mean here.

I have successfully used GitHub - obynio/certbot-plugin-gandi: Certbot plugin for authentication using Gandi LiveDNS in the past.

I found something very curious in another thread I've been working on. It is a debug output of certbot performing both a DNS and HTTP challenge successfully.

I think if you indicate --preferred-challenges http,dns then you might get that result when requesting a mixed wildcard and non-wildcard certificate.

Makes sense. @JuergenAuer and I were just having a discussion about this here the other day and I happened to wander into a perfect case. Something seems kinda fishy on that thread about what the OP was doing though. He wrote that he was using the following command yet his first output clearly shows the staging environment. His first command indicates a preference for DNS and yet fails, apparently because of not having a DNS challenge available. Perhaps his actual commands are vastly different than what he stated?

certbot certonly --preferred-challenges=dns-01 --manual --manual-auth-hook myauthenticate.sh --manual-cleanup-hook mycleanup.sh -d ‘*.mydomain.com,mydomain.com’ --manual-public-ip-logging-ok

Yes, it looks that way to me.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.