I ran certbot-auto with a DNS challenge and it claimed to produce my keys. However, I only found one .pem file. Can someone kindly direct me to where the keys are kept on a Raspberry Pi running Buster?
Also, can I automate the renewal of a DNS challenge? Thank you for any/all attention.
-Steve-
Yes, depending on who your DNS host is. They need to provide a programmatic interface to deploy TXT records. Certbot has some built-in providers, other ACME clients like acme.sh support dozens.
/etc/letsencrypt/live/example.com/privkey.pem is your certificate private key/etc/letsencrypt/live/example.com/fullchain.pem is your certificate (chain)Thank you. My provider is NoIP. I’ll have to find out.
I talked to NoIP and they do not support any automation for the dns challenge. Again, thank you for your help.
There is a popular workaround in this case. Someone should write a guide for this but perhaps we’ve been reluctant to do it in order to avoid seeming to recommend an individual DNS provider!
You can create a CNAME record for _acme-challenge in your DNS zone (which is a static record that doesn’t require any automation support) pointing to _acme-challenge in a different DNS zone hosted by a different provider. This could even be a subdomain of your regular domain.
Cloudflare is the most popular for this because of their free DNS hosting and API, but I assume that there are other options. You can see a number of other discussions of this at
https://community.letsencrypt.org/search?q=cloudflare%20api%20cname
Thank you. I will look at Cloudflare.
You may also want to use acme.sh for its DNS alias mode.
If I used manual in creating the cert am I condemned to use it again and again to renew? I just looked at acme.sh and possibly that could help. I guess I could let this cert expire and create a new one. BTW - my exact command was - certbot -d domainname —manual —preferred-challenges dns certonly. What should I have used to leave the automation option open?
Yes, but if you run it again with an automation option (an authentication hook script) or run again with a DNS authenticator plugin instead of --manual, it will change the renewal configuration. You have to use --manual again and again to renew unless you actively change it to a different method.
Thank you sir. I will try to get it to work as you have instructed.
I took a close look at acme.sh … it appears I can simply have one domain dedicated to validation and add a CNAME record to all other domains pointing to the alias.
So, no API is needed from the provider or special intervention from me - outside of a cron job to renew using acme. Not sure of how the mechanics of this work to actually change the TXT record - or is that not done since it’s an alias? Anyway, could you verify that what I understand is correct?
I believe that’s correct, but the domain dedicated to validation does need to be hosted on a provider with an API, and acme.sh does need to know your credentials for that API. That is then where the TXT records actually get changed. Let’s Encrypt is willing to follow the CNAME, which is effectively delegating the power to get certificates for one domain to the DNS zone of another domain.
The domain dedicated to validation can be a subdomain of one of your existing domains, or it can be a completely separate, unrelated domain.
Then I am stuck with no good workaround. I went to Cloudflare but it seems they want my existing Domains with NoIP. I very much appreciate your patience. I’ll give Cloudflare a go one more time to see if I can get around them wanting my Domains.
Do you have your own domain name, or are you using one of the domains provided by no-ip.com like ddns.net?
In the latter case, I don’t think it’s possible to CNAME the _acme-challenge subdomain at all. I just tried it, and it complained both about it being too long, and an underscore causing it to be invalid.
If it’s your own domain, I was going to suggest you setup the CNAME to the acme-dns service.
e.g. Register an acme-dns account:
$ curl -X POST https://auth.acme-dns.io/register
{"username":"ab775181-4191-485b-9419-5e998979633d","password":"kGvC8JQrsIRHKDxZBYsMdsb1bRpRlJIH6TR1xeaN","fulldomain":"c8161d12-93e6-4f50-8231-03739a05f5b3.auth.acme-dns.io","subdomain":"c8161d12-93e6-4f50-8231-03739a05f5b3","allowfrom":[]}
Then setup _acme-challenge.example.com as a CNAME of fulldomain from the above (in my case, c8161d12-93e6-4f50-8231-03739a05f5b3.auth.acme-dns.io).
Then follow along with https://github.com/Neilpang/acme.sh/wiki/dnsapi#45-use-acme-dns-api for autorenewing certificates.
It avoids having to acquire a second domain to put on e.g. Cloudflare. (But has the downside of trusting the operator of acme-dns.io).
I have my own domain name and a couple of free ones from NoIP. What you stated about them is true on both counts. I will look into your suggestion and call it a day. I learned quite a bit, going through this endeavor, from you. You are very generous with your time.
_az –
Did I do this correctly for acme.sh?
I put a dns name on cloudflare of markresidence.com The cname record of markresidence.com has a name of lucra-llc.com and content of markresidence.com. What I hope I did was make markresidence.com the validation domain for lucra-llc.com
and all it’s subdomains. Thank you for your help.
To do this, you would need to do create a CNAME like this:
_acme-challenge.lucra-llc.com. 360 IN CNAME _acme-challenge.markresidence.com.
and then issue a certificate via Cloudflare using alias mode:
acme.sh --issue -d "lucra-llc.com" -d "*.lucra-llc.com" \
--challenge-alias markresidence.com --dns dns_cf
But I'm not sure whether no-ip will let you create that first CNAME.
You might be better off just moving all of your domain DNS hosting to Cloudflare, it is less complicated.
AZ …
Can you look at this with me using Team Viewer? If not I feel I need to abandon this because I’m clearly not understanding it well.
So for the CNAME record of markresidence.com the NAME field would be
` _filled in with acme-challenge.lucra-llc.com and the CONTENT field of the CNAME record would be filled in with _acme-challenge.markresidence.com? I could pull lucra-llc.com over to Cloudflare.
I would just need to change the name servers on NoIP only. Then will it work inclusive of the subdomains of lucra-lcc.com?```
``
``
``
I can't TeamViewer with you, sorry.
The CNAME Name would be _acme-challenge and the CNAME Content would be _acme-challenge.markresidence.com.
Regarding subdomains, it depends.
Generally you need to add one such CNAME for every subdomain.
But if all of your subdomains are on the first level (e.g. a.lucra-llc.com, b.lucra-llc.com, but not c.d.lucra-llc.com), you can just use a single CNAME to produce a wildcard certificate, as with the example I posted earlier.