How can I automate this man?

Hello. I have this man: https://github.com/gitpel/letsencrypt-routeros

After this command:

source /opt/letsencrypt-routeros/letsencrypt-routeros.settings certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok

./opt/letsencrypt-routeros/letsencrypt-routeros.sh

I got new certificate in my router.

I added this to the scheduler:

0 6 30 * * /opt/letsencrypt-routeros/letsencrypt-routeros.sh

But this command adds the old expired certificate

After this command:

certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok

Letsecrypt want new DNS TXT record. Ok, I added it, got a new certificate and it appeared in the router, but I don't want to add a new entry DNS TXT record every 3 months. I want to do it once and forget about it

Can you help me understand the scripts of this system to suggest what I should add to the scheduler to automatically reissue and import the certificate into the router?

1 Like

Well, automation is the way Let's Encrypt is designed to be used, so you're definitely asking the right questions.

In order to automate the certificate, you need to automate one of the ways that Let's Encrypt validates that you own the domain name:

For using a DNS challenge like you're using now (which is especially handy for things not publicly accessible or if you're running it on a different server than the one the certificate is being installed on), you need to automate updating the DNS TXT record. Certbot has several plugins available for many popular DNS providers:

If it's not something that there's a plugin for already, but you're handy with shell scripting and can write your own automation of it, you can add scripts for the "manual" mode to run your own scripts. But that's getting ahead of ourselves, and probably not what you need to do. If you say what DNS provider you're using, someone here may be able to give you more specific guidance.

The other option, if the system has port 80 accessible to the Internet and can run certbot itself, is using a HTTP challenge. I'm not personally familiar with Mikrotik/RouterOS, but if there's already a web server you can probably use one of Certbot's plugins for that server or the webroot plugin. If not, you may be able to use the standalone setup where certbot spins up its own mini web server just for answering the authentication challenge.

(The other other option, if port 80 isn't accessible to the outside world but port 443 is, would be to use the TLS-ALPN-01 challenge. This isn't supported by certbot last I checked, though, so you'd need to switch to a different client if you wanted to go that route.)

Is that the kind of information you were looking for?

4 Likes