How do I grant certbot privileges to make dns changes to all of my sites on my server

fugee · June 3, 2022, 1:51pm

How do I grant certbot privileges to make dns changes to all of my sites on my server I'm trying to automate renewals

My domain is:
thekidslepthere.com
My web server is (include version):
nginx
The operating system my web server runs on is (include version):
ubuntu 20.04
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Osiris · June 3, 2022, 2:08pm

A few things are important I think:

Do you really require the dns-01 challenge? Why wouldn't the http-01 be enough?
If you really do require the dns-01 challenge, is your DNS provider listed in the list of available Certbot DNS plugins? See: User Guide — Certbot 1.27.0 documentation: DNS Plugins
If you do really require the dns-01 challenge and your DNS provider is not listed in the DNS plugin list above, is it maybe listed in the third-party plugin list? See: User Guide — Certbot 1.27.0 documentation: Third-party plugins
If you do really require the dns-01 challenge and your DNS provider is not listed in both the lists above, can you perhaps find your DNS provider in the list of DNS plugins provided by the ACME client called acme.sh? See: acme.sh/dnsapi at master · acmesh-official/acme.sh · GitHub

fugee · June 3, 2022, 2:31pm

I think I do need dns-01 challenge because some of the sites on my server have subdomains so I've been using wildcard characters in my certificate requests -d *.thekidslepthere.com -d thekidslepthere.com is how I've been doing it manually

Osiris · June 3, 2022, 2:46pm

For a wildcard certificate you indeed require the dns-01 challenge.

By the way, is your DNS provider NameCheap by any chance? From the authorative DNS servers for your domain and some Google-ing it does suggests so.

Because the NameCheap API is only available for customers with certain conditions (see https://www.namecheap.com/support/knowledgebase/article.aspx/9739/63/api-faq/):

have at least 20 domains under your account;
have at least $50 on your account balance;
have at least $50 spent within the last 2 years.

If those conditions don't apply to you, you can't use the API, unless you mail NameCheap support and request it yourself and hope they grant you access.

An alternative is to use acme-dns, which would only need a CNAME in your NameCheap DNS zone (one time thing) to a host running acme-dns. And there is a script available for Certbot integration. See:

GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely. and GitHub - acme-dns/acme-dns-client: A client software for https://github.com/joohoi/acme-dns

rg305 · June 3, 2022, 3:17pm

thekidslepthere.com     nameserver = dns1.registrar-servers.com
thekidslepthere.com     nameserver = dns2.registrar-servers.com

I always thought that was like a white-label service from GoDaddy.

Osiris · June 3, 2022, 3:58pm

Those nameservers are listed here: https://www.namecheap.com/support/knowledgebase/article.aspx/767/10/how-to-change-dns-for-a-domain/

jvanasco · June 3, 2022, 4:25pm

I HIGHLY recommend using acme-dns (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.) to handle the DNS-01 challenge to avoid many security issues. If you must use Namecheap for this...

You actually need to create a new SECOND account, and ask Namecheap to grant that account API access for you. Use the first (registrant) account to delegate the second (api-only) account permission to modify the DNS records on select domains. Never use your actual Namecheap account for the DNS-01 Challenge

Like many other providers, Namecheap's API is not dedicated to merely DNS concerns – it gives users full control of the entire account, including the ability to transfer domains. Because the API credentials must be stored on the server for renewal, a comprise of the server will give hackers full control of your Namecheap account. By using a second account, you mitigate most risk by limiting the scope of the hackers potential harm to only your DNS records.

The acme-dns solution mitigates that risk even further, because it delegates DNS authorization to another domain that only exists for solving DNS-01 challenges.

Osiris · June 3, 2022, 4:50pm

Sounds like a hassle. Probably not a good idea to use the NameCheap API and just go for acme-dns.

jvanasco · June 3, 2022, 5:07pm

A bit of a hassle, but they are one of the few cloud providers that offers this sort of granularity in control.

I don't know if this is still the case, but several years ago they also appeared to implement a 5 minute read-through cache on their DNS servers, without having write-through functionality from their control-panel/api. A shorter TTL did nothing, because it was an application cache independent of DNS. That required a time.sleep(301) timeout between updating a record and completing a challenge, as old records would become wedged and cause a failure. I figured that out while rewriting the namecheap support in dns-lexicon, finished that work, then migrated to acme-dns.

fugee · June 3, 2022, 5:16pm

At the conclusion of the paragraph on using acme namecheap api it says "Now you can issue certificate" and shows you the syntax How/where are renewals gonna be automated so I don't have to keep issuing the same command

Osiris · June 3, 2022, 5:34pm

Which document are talking of exactly?

fugee · June 3, 2022, 5:36pm

Osiris · June 3, 2022, 5:41pm

Ah, well, if acme.sh works for you with the NameCheap API: good for you

fugee · June 3, 2022, 5:42pm

After issuing the certificate it'll always update itself automatically? I thought there was such a thing as certbot auto but it may not work with wildcard characters?

Osiris · June 3, 2022, 6:48pm

I'm not familiar with acme.sh to know that. Please check its documentation and/or check for a cronjob or systemd timer manually.

Note that acme.sh uses ZeroSSL by default.

There once existed a wrapper script called certbot-auto, but that was just a script to install Certbot and thus had the same functionality as "regular" Certbot.

fugee · June 3, 2022, 6:51pm

If you're not familiar with it then I guess you wouldn't be able to tell me why bother with it instead of continuing to use certbot certonly --manual ...

Osiris · June 3, 2022, 6:58pm

Because automation is always better than doing stuff manual.

Also, others here on the Community might know.

danb35 · June 3, 2022, 10:15pm

If you installed acme.sh following its instructions, it does indeed set up a daily cron job to renew your certificate. If you gave it the correct --install-cert flags (specifically, commands to restart any relevant services after a new cert is issued), it should handle it automatically for you from here on out.

fugee · June 4, 2022, 9:27am

All my domains use dynamic dns Does acme-dns offer dynamic dns?

9peppe · June 4, 2022, 9:35am

You do realize you can ask for a certificate including individual subdomains, if you don't need all of them, do you?

certbot [your options] -d example.com -d blog.example.com -d wiki.example.com -d somethingelse.example.com [...]

up to 100 names per certificate.