How do I grant certbot privileges to make DNS changes to all of my sites on my server? I'm trying to automate renewals.
My domain is: thekidslepthere.com
My web server is (include version):
The operating system my web server runs on is (include version):
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
I think I do need dns-01 challenge because some of the sites on my server have subdomains, so I've been using wildcard characters in my certificate requests. -d *.thekidslepthere.com -d thekidslepthere.com is how I've been doing it manually.
You actually need to create a new SECOND account, and ask Namecheap to grant that account API access for you. Use the first (registrant) account to delegate the second (api-only) account permission to modify the DNS records on select domains. Never use your actual Namecheap account for the DNS-01 Challenge.
Like many other providers, Namecheap's API is not dedicated to merely DNS concerns – it gives users full control of the entire account, including the ability to transfer domains. Because the API credentials must be stored on the server for renewal, a compromise of the server will give hackers full control of your Namecheap account. By using a second account, you mitigate most risk by limiting the scope of the hackers' potential harm to only your DNS records.
The acme-dns solution mitigates that risk even further, because it delegates DNS authorization to another domain that only exists for solving DNS-01 challenges.
A bit of a hassle, but they are one of the few cloud providers that offers this sort of granularity in control.
I don't know if this is still the case, but several years ago they also appeared to implement a 5-minute read-through cache on their DNS servers, without having write-through functionality from their control-panel/api. A shorter TTL did nothing, because it was an application cache independent of DNS. That required a time.sleep(301) timeout between updating a record and completing a challenge, as old records would become wedged and cause a failure. I figured that out while rewriting the namecheap support in dns-lexicon, finished that work, then migrated to acme-dns.
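An added example, not code from this thread, dns-lexicon or any ACME client: it goes beyond the fixed sleep described above by polling until every authoritative nameserver serves the challenge values, and it shows that a wildcard and its base name (as in the -d pair in the question) need two TXT values at the same record name at once. The `lookup` hook, the nameserver labels and the sample key authorizations are assumptions made for illustration.

```python
import base64
import hashlib
import time
from collections import defaultdict


def challenge_record(domain):
    """DNS-01 record name; a wildcard shares the name of its base domain."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base


def txt_value(key_authorization):
    """RFC 8555 DNS-01 value: unpadded base64url of SHA-256(key authorization)."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def required_records(key_authorizations):
    """Map record name -> set of TXT values that must all be present together."""
    needed = defaultdict(set)
    for domain, key_auth in key_authorizations.items():
        needed[challenge_record(domain)].add(txt_value(key_auth))
    return dict(needed)


def wait_until_served(lookup, nameservers, needed, timeout=600, interval=30,
                      clock=time.monotonic, sleep=time.sleep):
    """Poll until every nameserver returns every needed value, or time out.

    lookup(nameserver, name) -> iterable of TXT strings is a hypothetical hook
    supplied by the caller; back it with whatever resolver library is in use.
    The default timeout is longer than the 301-second wait quoted in the thread.
    """
    deadline = clock() + timeout
    while True:
        stale = [(ns, name)
                 for ns in nameservers
                 for name, values in needed.items()
                 if not values <= set(lookup(ns, name))]
        if not stale:
            return True   # safe to tell the CA to validate
        if clock() >= deadline:
            return False  # stop here rather than submit a failing challenge
        sleep(interval)
```

Only ask the CA to validate after `wait_until_served` returns True; on False, abort and retry later instead of submitting.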
At the conclusion of the paragraph on using acme namecheap api it says "Now you can issue certificate" and shows you the syntax. How/where are renewals gonna be automated so I don't have to keep issuing the same command?
If you installed acme.sh following its instructions, it does indeed set up a daily cron job to renew your certificate. If you gave it the correct --install-cert flags (specifically, commands to restart any relevant services after a new cert is issued), it should handle it automatically for you from here on out.