How to use manual auth hook script for Autorenewal

Hello
Where to find a sample or documentation about hook script (--manual-auth-hook)?

My question is about wildcard domains renewal with authentication.
Certbot describes ...use hook script (--manual-auth-hook) as
"...
NEXT STEPS:

  • This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date."

Thanks for the awesome work!

Best Regards

1 Like

Welcome to the Let's Encrypt Community.

Using a DNS provider with an existing plugin for your ACME client may be even easier than writing your own auth-hook.

It's also possible to use a CNAME to point to another zone if you don't want to move all of your DNS.

4 Likes

For DNS servers that do not support any automation, the configuration looks like this:

renew_before_expiry = 15 days
version = 2.7.4
archive_dir = /etc/letsencrypt/archive/thisdomain.com
cert = /etc/letsencrypt/live/thisdomain.com/cert.pem
privkey = /etc/letsencrypt/live/thisdomain.com/privkey.pem
chain = /etc/letsencrypt/live/thisdomain.com/chain.pem
fullchain = /etc/letsencrypt/live/thisdomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 03<snip>30
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
key_type = rsa

The renewal workflow is like this:
Run the cert renew command:

# certbot certonly --cert-name thisdomain.com --server https://acme-v02.api.letsencrypt.org/directory --manual \
  --preferred-challenges dns -d 'thisdomain.com' -d '*.thisdomain.com'

It will tell you to create a TXT record having a long identifier string:

Please deploy a DNS TXT record under the name: 

_acme-challenge.thisdomain.com. 

with the following value: 

IqgzXGiLCDa2s6PeRIMISrVzFNpY49SP08g 

Before continuing, verify the TXT record has been deployed. Depending on the DNS 
provider, this may take some time, from a few seconds to multiple minutes. You can 
check if it has finished deploying with aid of online tools, such as the Google 
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.thisdomain.com. 
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the 
value(s) you've just added.

This session will wait patiently (up to 6 hours, I think) while you create the TXT record.
Now log into your DNS provider.
Select the desired domain
Create a new record:
Type=TXT  name=_acme-challenge  value=IqgzXGiLCDa2s6PeRIMISrVzFNpY49SP08g
Now start checking to see if the TXT record has “propagated”:
https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.thisdomain.com
check back every 5 minutes or so. When you see your TXT record in the googleapps window, go back to the session where you ran the certbot command and press enter.
Done.

1 Like

@m2017atTR Have you seen this section of the Certbot docs? Has examples for using that hook

https://eff-certbot.readthedocs.io/en/latest/using.html#pre-and-post-validation-hooks

But, if at all possible use one of the available plugins as @linkp noted if available for your DNS provider.

There are other ACME clients that support even more DNS APIs. Something like acme.sh or lego supports a large variety, and both are listed on GitHub: ACME Client Implementations - Let's Encrypt

4 Likes
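For anyone who still wants to see what such a hook looks like, here is an added example of a --manual-auth-hook for the dns-01 flow Rudy walked through above. It is not code from this thread or from Certbot's documentation. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the real environment variables Certbot exports to the hook; the DNS server name, the TSIG key path, the TTL and the choice of nsupdate (RFC 2136 dynamic update) as the transport are assumptions to replace for your own zone. The script automates the two things the manual walkthrough does by hand: publishing the TXT record, and waiting until it is actually visible before letting Certbot tell the CA to check.

```shell
#!/bin/sh
# Example --manual-auth-hook for certbot's dns-01 challenge (added example, not
# from the thread or from Certbot). Certbot runs the hook once per name being
# validated with CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment; the
# hook must publish _acme-challenge.<domain> TXT <validation> and return only
# once the record is visible, because certbot asks the CA to check right after.
#
# The record is pushed with nsupdate (RFC 2136 dynamic update) signed with a
# TSIG key. Server, key file and TTL below are assumptions; replace them.
set -eu

DNS_SERVER="${DNS_SERVER:-ns1.thisdomain.com}"              # assumption
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/letsencrypt/tsig.key}"  # assumption
RECORD_TTL="${RECORD_TTL:-60}"
MAX_WAIT_SECONDS="${MAX_WAIT_SECONDS:-600}"

# Name of the challenge record. Certbot passes the bare domain for wildcard
# names, but a leading "*." is stripped defensively so "*.thisdomain.com" and
# "thisdomain.com" both map to _acme-challenge.thisdomain.com.
challenge_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Build the nsupdate batch. "update add" appends rather than replaces, which
# matters here: a certificate for thisdomain.com and *.thisdomain.com validates
# both names at the same TXT name, and the second value must not overwrite
# the first (certbot calls this hook twice, back to back).
build_nsupdate_batch() {
    printf 'server %s\nupdate add %s. %s IN TXT "%s"\nsend\n' \
        "$DNS_SERVER" "$(challenge_record_name "$1")" "$RECORD_TTL" "$2"
}

# True when a dig +short answer (one quoted string per line) contains the value.
txt_answer_contains() {
    printf '%s\n' "$1" | grep -Fqx "\"$2\""
}

# Poll the authoritative server until the value is visible or time runs out.
# This replaces the "check back every 5 minutes in the dig toolbox" step.
wait_for_txt() {
    name="$(challenge_record_name "$1")"
    waited=0
    while [ "$waited" -lt "$MAX_WAIT_SECONDS" ]; do
        answer="$(dig +short TXT "$name" "@$DNS_SERVER" 2>/dev/null || true)"
        if txt_answer_contains "$answer" "$2"; then
            return 0
        fi
        sleep 5
        waited=$((waited + 5))
    done
    echo "timed out waiting for $name to carry the validation value" >&2
    return 1
}

main() {
    build_nsupdate_batch "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
        | nsupdate -k "$TSIG_KEYFILE"
    wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
}

# Only act when certbot is calling; sourcing the file for testing leaves main alone.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    main
fi
```

Certbot runs the hook as whatever user runs certbot (usually root), so the TSIG key file should be readable by root only, and the key should be scoped in the zone's update policy to the `_acme-challenge` name rather than the whole zone. A matching `--manual-cleanup-hook` should remove the record afterwards with `update delete` on the same name, and a returning non-zero status from the hook makes certbot abort the renewal instead of asking the CA to check a record that is not there yet.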

Not done at all I'm afraid. OP asked for AUTOrenewal, which is NOT possible with the completely manual steps you're currently advising (and which OP probably already knows how to do).

1 Like

You are correct. "Auto" and "Manual" do not go together.

but... My auto is manual.
[my car has a stick shift transmission]

LOL

2 Likes

Hi thank you

At this point, the code in the first part is the configuration of what, and where to find it?
(Please see me as a dummy; it's 20+ years since the last time I worked on Linux servers and SDNS etc.)

TL;DR:
I could get certificates for 10+ wildcard SSL domains one by one, and it succeeded with the DNS-01 challenge.

The problem is about renewal; in the first step I did not bother because I have a 3-month time period to take care of it. Then I became aware of the last notice about the hook script.

I checked the Certbot Pre and Post Validation Hooks documentation, but it assumes I am experienced/knowledgeable about all and everything.

1 Like

Then "write my own manual auth hook" shouldn't be something you're even considering. As both Link and Mike have recommended, use one of the existing plugins, whichever matches your DNS provider. If there isn't a plugin that matches your DNS provider, and you actually need wildcard certs, give serious thought to switching DNS providers to one that does have a plugin--Cloudflare is pretty popular.

5 Likes
