How do I grant certbot privileges to make DNS changes to all of my sites on my server? I'm trying to automate renewals.
My domain is: thekidslepthere.com
My web server is (include version):
nginx
The operating system my web server runs on is (include version):
ubuntu 20.04
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
If you do really require the dns-01 challenge and your DNS provider is not listed in both the lists above, can you perhaps find your DNS provider in the list of DNS plugins provided by the ACME client called acme.sh? See: acme.sh/dnsapi at master · acmesh-official/acme.sh · GitHub
I think I do need the dns-01 challenge because some of the sites on my server have subdomains, so I've been using wildcard characters in my certificate requests: -d *.thekidslepthere.com -d thekidslepthere.com is how I've been doing it manually.
If those conditions don't apply to you, you can't use the API, unless you mail NameCheap support and request it yourself and hope they grant you access.
An alternative is to use acme-dns, which would only need a CNAME in your NameCheap DNS zone (one time thing) to a host running acme-dns. And there is a script available for Certbot integration. See:
You actually need to create a new SECOND account, and ask Namecheap to grant that account API access for you. Use the first (registrant) account to delegate the second (api-only) account permission to modify the DNS records on select domains. Never use your actual Namecheap account for the DNS-01 Challenge.
Like many other providers, Namecheap's API is not dedicated to merely DNS concerns – it gives users full control of the entire account, including the ability to transfer domains. Because the API credentials must be stored on the server for renewal, a compromise of the server will give hackers full control of your Namecheap account. By using a second account, you mitigate most risk by limiting the scope of the hackers' potential harm to only your DNS records.
The acme-dns solution mitigates that risk even further, because it delegates DNS authorization to another domain that only exists for solving DNS-01 challenges.
A bit of a hassle, but they are one of the few cloud providers that offers this sort of granularity in control.
I don't know if this is still the case, but several years ago they also appeared to implement a 5 minute read-through cache on their DNS servers, without having write-through functionality from their control-panel/api. A shorter TTL did nothing, because it was an application cache independent of DNS. That required a time.sleep(301) timeout between updating a record and completing a challenge, as old records would become wedged and cause a failure. I figured that out while rewriting the namecheap support in dns-lexicon, finished that work, then migrated to acme-dns.
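To make the acme-dns option discussed above concrete, here is an added example (not part of the thread, and not the Certbot integration script it mentions) of a Certbot --manual-auth-hook that publishes the challenge through acme-dns's /update API. The registration values and the auth.example.org host are constructed placeholders, and the function names are hypothetical. The only secret kept on the web server is a key that can set one TXT record.

```python
import json
import os
import urllib.request

# Constructed placeholder registration; a real one is returned by POST /register
# on your acme-dns server. Keyed by the base domain of the certificate.
ACCOUNTS = {
    "example.com": {
        "server": "https://auth.example.org",
        "username": "00000000-0000-0000-0000-000000000000",
        "password": "placeholder-api-key",
        "subdomain": "11111111-1111-1111-1111-111111111111",
        "fulldomain": "11111111-1111-1111-1111-111111111111.auth.example.org",
    }
}


def challenge_name(domain):
    """_acme-challenge name for a certificate name; '*.x' and 'x' share one."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".").lower()


def lookup(domain, accounts):
    """Find the acme-dns registration for a name, failing closed if absent."""
    base = challenge_name(domain)[len("_acme-challenge."):]
    if base not in accounts:
        raise KeyError(f"no acme-dns registration for {base}")
    return accounts[base]


def required_cname(domain, accounts=ACCOUNTS):
    """The one-time CNAME to create at the DNS provider: (name, target)."""
    return challenge_name(domain), lookup(domain, accounts)["fulldomain"]


def build_update(domain, validation, accounts=ACCOUNTS):
    """Build the /update request; this key can change only this one TXT record."""
    if len(validation) != 43:  # base64url of a SHA-256 digest, unpadded
        raise ValueError("dns-01 validation value must be 43 characters")
    acct = lookup(domain, accounts)
    body = json.dumps({"subdomain": acct["subdomain"], "txt": validation}).encode()
    headers = {"X-Api-User": acct["username"], "X-Api-Key": acct["password"],
               "Content-Type": "application/json"}
    return urllib.request.Request(acct["server"] + "/update", data=body,
                                  headers=headers, method="POST")


if __name__ == "__main__":
    # Certbot exports these two variables to a --manual-auth-hook script.
    req = build_update(os.environ["CERTBOT_DOMAIN"], os.environ["CERTBOT_VALIDATION"])
    urllib.request.urlopen(req, timeout=30).close()
```

required_cname() gives the single record that has to be created by hand in the provider's DNS zone; after that, renewals never touch the registrar account.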
At the conclusion of the paragraph on using acme namecheap api it says "Now you can issue certificate" and shows you the syntax. How/where are renewals gonna be automated so I don't have to keep issuing the same command?
After issuing the certificate it'll always update itself automatically? I thought there was such a thing as certbot auto but it may not work with wildcard characters?
I'm not familiar with acme.sh to know that. Please check its documentation and/or check for a cronjob or systemd timer manually.
Note that acme.sh uses ZeroSSL by default.
There once existed a wrapper script called certbot-auto, but that was just a script to install Certbot and thus had the same functionality as "regular" Certbot.
If you're not familiar with it then I guess you wouldn't be able to tell me why bother with it instead of continuing to use certbot certonly --manual ...
If you installed acme.sh following its instructions, it does indeed set up a daily cron job to renew your certificate. If you gave it the correct --install-cert flags (specifically, commands to restart any relevant services after a new cert is issued), it should handle it automatically for you from here on out.