How to renew wildcard certificate?

Help
1

Hi,
I have got my wildcard certificate following this link how-to-issue-acmev2-wildcard-with-certbot, then I tried to test the renew before I write commands into crontab,
certbot-auto renew --dry-run
It shows error “An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively”, following the link, I think I should do something like this: certbot certonly --manual -d ‘relationmonitor.dk,*.relationmonitor.dk’. But the output is saying “Cert not yet due for renewal” then ask if you want to keep the current one or renew/replace it.

So, if I put this command into crontab, it looks like this command will be pending there for ever without interaction. I wonder if this is correct way to renew wildcard certificate?

Thanks

2

Manually issued certificates can't renew automatically.

If you recall to how you issued that certificate, you would have created some TXT records and placed them in your DNS.

This procedure has to be repeated every time your certificate needs to be renewed. Certbot cannot do this without input from you, which is why a cronjob won't work.

At the end of the day, if you want automatically renewing wildcard certificates, you're going to need to pick a DNS hosting and ACME client combination that supports this workflow.

Certbot doesn't support "Unoeuro" (your DNS host), but acme.sh is an alternative that does. Please read here: dnsapi · acmesh-official/acme.sh Wiki · GitHub

3

Hi @ajee

your configuration looks inconsistent.

You have two different certificates - one wildcard and one certificate with three domain names ( https://check-your-website.server-daten.de/?q=relationmonitor.dk#ct-logs ):

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-05-28 2019-08-26 relationmonitor.com, relationmonitor.dk, www.relationmonitor.com - 3 entries
Let's Encrypt Authority X3 2019-05-26 2019-08-24 *.relationmonitor.dk, relationmonitor.dk - 2 entries
Let's Encrypt Authority X3 2019-05-26 2019-08-24 *.relationmonitor.dk, relationmonitor.dk - 2 entries

And your non-www uses the newest certificate (57 days valid).

But your www-version uses the wrong certificate:

CN=*.unoeuro.com, OU=PositiveSSL Wildcard, 
OU=Domain Control Validated
	06.02.2019
	06.02.2021
expires in 587 days	
*.unoeuro.com, unoeuro.com - 2 entries

so it's not secure.

So you don't use the wildcard certificate.

Fix your www version, then you can delete the wildcard certificate (you don't need it), then you don't have a problem renewing your wildcard.

What says

apachectl -T
4

Hi,

I am sorry that I just cite the commands from reference page, so relationmonitor.dk is not my domain. My domain is cloudgav.com.

My understanding so far:

For wildcard certificates, we could do that ONLY by "certbot -manual -server ..." with DNS TXT record set by hand, but according to _az said, with "manual" the certificates could not be renewed automatically. So we should rely on external tools like dnsapi · acmesh-official/acme.sh Wiki · GitHub (but this is more like re-issue than renew).

Am I correct? I wonder why we could not make wildcard more intelligently, is there any technique difficulty or certificate requirement? How could I do this more seamlessly?

Thanks

5

That's

wrong. There are a lot of dns providers with an API. Certbot and other clients has API support.

[Edit] So it's possible to create wildcard certificates with full automation.

And checking your domain

you have created 4 wildcard certificates today ( https://check-your-website.server-daten.de/?q=cloudgav.com#ct-logs ):

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-06-30 2019-09-28 *.cloudgav.com, cloudgav.com - 2 entries duplicate nr. 1
Let's Encrypt Authority X3 2019-06-30 2019-09-28 *.cloudgav.com - 1 entries duplicate nr. 3
Let's Encrypt Authority X3 2019-06-30 2019-09-28 *.cloudgav.com - 1 entries duplicate nr. 2
Let's Encrypt Authority X3 2019-06-30 2019-09-28 *.cloudgav.com - 1 entries duplicate nr. 1

All manual?

The newest certificate is correct, it has the main domain and the wildcard version.

6

Yes, all the certs got are issued with “-manual” because I just tried how to renew.

Then, I would try to survey how to combine DNS provider API (@_az has given the link, thanks) and certbot to have my goal done.

Just curious, I want to know this:
It seems non-wildcard like www.cloudgav.com could be issued/renewed easily without my touching with DNS record. Is there any technique difficulty or certificate requirement for wildcard to go in this way?
[edit] At least make the renewal more easily for wildcard since we have proven the ownership for this domain.

Thanks

7

Your nameserver is ns23.domaincontrol.com, looks like GoDaddy.

There

https://certbot.eff.org/docs/using.html

I don't see a Certbot support.

But acme.sh supports that.

Use GoDaddy.com domain API to automatically issue cert

8

Nope, Let's Encrypt policy doesn't permit an easier wildcard issuance based on control of the base domain.

9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.