Hello list,
Just a question about two shell scripts I made using Debian Trixie certbot 4.0.0. The renewal works with --dry-run AFAICS but to avoid bad surprises when running it by cron, I'd like to ask you to have a glance at it as I'm rather new to this matter:
Just the certbot part of a script to create a new domain. The script /etc/letsencrypt/scripts/manual-auth-hook.sh takes care of the DNS entries.
certbot \
certonly \
--manual \
--preferred-challenges dns \
--manual-auth-hook /etc/letsencrypt/scripts/manual-auth-hook.sh \
-v \
-d example.com -d '*.example.com'
So far no problem, this works. But I'm not quite sure about the automagic renewal invoked by the cron daemon (just the certbot part):
certbot \
renew \
--manual \
--preferred-challenges dns \
--non-interactive \
--keep-until-expiring \
--manual-auth-hook /etc/letsencrypt/scripts/manual-auth-hook.sh \
-v
I want to run it twice a day and I can add some random sleep as suggested in the docs. Is this the way to go or am I still missing something crucial somewhere?
Richard.
1 Like
Welcome @rlucassen
The options you used when you originally got the cert are retained by Certbot in a renewal config file. They are saved per-cert in /etc/letsencrypt/renewal/
For renew, you just do certbot renew (usually as root)
And, for testing just: certbot renew --dry-run
The renew command reads all the renewal config files serially and renews certs as needed. For that it uses the same options used when getting the original.
You do not want to use options on the renew command generally. These options override the ones in the renewal config file. If you have multiple certs that is almost always a problem. Mind you, there are certain cases where that may be helpful but those are rare.
You mentioned looking at the docs but just in case you didn't see this section it helps with the cronjob syntax: User Guide — Certbot 5.5.0.dev0 documentation. I don't recall offhand whether Debian apt sets up any cron or systemd timer but you should check for one that already exists.
3 Likes
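The point about stored options can be checked directly before dropping the flags from the cron job. The script below is an added example, written for this thread and not certbot's own tooling nor any poster's script: it reads the [renewalparams] section of every file under /etc/letsencrypt/renewal and lists the authenticator, preferred challenges and auth hook per cert, so a cert that was set up differently from the rest stands out. The key names authenticator, pref_challs and manual_auth_hook are the ones certbot writes into those files; the RENEWAL_DIR override and the sample configs used to exercise it are constructed.

```shell
#!/bin/bash
# Added example, not certbot's own tooling: list the per-cert options stored in
# certbot's renewal config files so that certs set up differently stand out.
set -euo pipefail

# Default location certbot uses; overridable for testing (constructed knob).
RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# Print the value of one key from the [renewalparams] section of a renewal conf
# (certbot writes "key = value"); prints nothing if the key is absent.
renewal_param() {
    local file="$1" key="$2"
    awk -v key="$key" '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params && $1 == key && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }
    ' "$file"
}

# One line per cert: lineage name, authenticator, preferred challenges, auth hook.
audit_renewal_dir() {
    local dir="$1" f
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        printf '%s authenticator=%s pref_challs=%s hook=%s\n' "$(basename "$f" .conf)" \
            "$(renewal_param "$f" authenticator)" \
            "$(renewal_param "$f" pref_challs)" \
            "$(renewal_param "$f" manual_auth_hook)"
    done
}

# Number of distinct authenticators in use. More than one means a blanket
# "certbot renew --manual ..." would override the stored settings of some certs.
distinct_authenticators() {
    audit_renewal_dir "$1" | sed 's/.*authenticator=\([^ ]*\).*/\1/' | sort -u | wc -l | tr -d ' '
}

# Stand-alone use: report on the live renewal directory if it exists.
if [ -d "$RENEWAL_DIR" ]; then
    audit_renewal_dir "$RENEWAL_DIR"
    echo "distinct authenticators: $(distinct_authenticators "$RENEWAL_DIR")"
fi
```

Run it as root (the renewal files are root-readable) before switching the cron job to a bare certbot renew; if every line shows the same authenticator and hook, the stored config already carries everything the old command line did.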
[quote="MikeMcQ, post:2, topic:246387"]
For renew, you just do certbot renew (usually as root)
[/quote]
Ok, that is clear. I changed the script. Indeed all options are present in the renewal directory. I think I will run the first renewal manually to see if everything is ok.
BTW: I have quite a lot of domains and they're not all on the same DNS. What I did is the following: I created a subdomain "letsencrypt.example.com" and I run that subdomain on a simple separate authoritative DNS on the host (ip 1.2.3.4) where the certbot scripts run. In the master example.com zone file you put the following line to delegate the subdomain to the 1.2.3.4 nameserver:
letsencrypt 3600 IN NS ns1.example.com.   ; an NS record must name a host, not an IP address (ns1 is an assumed name)
ns1         3600 IN A  1.2.3.4            ; ns1.example.com must resolve to the host running certbot
Now, for each domain you want to create certificates for, add a CNAME that points to the 1.2.3.4 nameserver that is authoritative for the letsencrypt.example.com. E.g. you want to create a cert for host.domain.tld: in the zone file of domain.tld you put:
_acme-challenge.host 3600 IN CNAME host.domain.tld.letsencrypt.example.com.
That way you have only one zone file on one nameserver for all your domains and you don't need to access all these different nameservers anymore as the CNAMEs do not change anymore:
host.domain.tld 3600 IN TXT "puttheletsencryptkeyhere"
You can test it:
$ host -t txt _acme-challenge.host.domain.tld
_acme-challenge.host.domain.tld is an alias for host.domain.tld.letsencrypt.example.com.
host.domain.tld.letsencrypt.example.com descriptive text "puttheletsencryptkeyhere"
In the manual-auth-hook script the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables can be used to automagically add lines to the zone file.
Just my 2 cts
Richard
1 Like
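As an added example (not Richard's actual manual-auth-hook.sh and not part of the original post), here is one way such a hook can write the TXT record into the delegated zone using those two variables. It assumes the delegated zone letsencrypt.example.com is served by BIND from the zone file named in ZONE_FILE (an assumed path), that the server is reloaded with rndc, and that the SOA serial sits on its own line tagged with a "; serial" comment; the sample zone used to exercise it is constructed.

```shell
#!/bin/bash
# Added example (not the poster's script) of a certbot --manual-auth-hook for
# the CNAME-delegation setup described above. Assumed: the delegated zone is
# letsencrypt.example.com, served by BIND from ZONE_FILE and reloaded with rndc;
# the SOA serial sits on its own line tagged with a "; serial" comment.
set -euo pipefail

DELEGATED_ZONE="letsencrypt.example.com"
ZONE_FILE="${ZONE_FILE:-/var/lib/bind/db.letsencrypt.example.com}"   # assumed path

# _acme-challenge.<domain> is a CNAME to <domain>.letsencrypt.example.com,
# so the TXT record is created on that name, with the validation token quoted.
# A short TTL keeps a stale token from lingering in resolver caches.
acme_txt_record() {
    local domain="$1" validation="$2"
    printf '%s.%s. 60 IN TXT "%s"\n' "$domain" "$DELEGATED_ZONE" "$validation"
}

# Increment the SOA serial so secondaries (and caches) notice the change.
bump_serial() {
    local file="$1"
    awk '/; serial$/ { sub(/[0-9]+/, sprintf("%d", $1 + 1)) } { print }' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Append the challenge record and bump the serial. Records are only appended:
# a base name and its wildcard both validate via _acme-challenge.<base>, so two
# TXT records on the same name must coexist; removal belongs in the
# --manual-cleanup-hook.
add_challenge() {
    local file="$1" domain="$2" validation="$3"
    acme_txt_record "$domain" "$validation" >> "$file"
    bump_serial "$file"
}

# Entry point when certbot invokes the hook: it exports CERTBOT_DOMAIN and
# CERTBOT_VALIDATION (the ACME authorization for *.example.com carries the
# identifier example.com, so CERTBOT_DOMAIN arrives without the leading "*.").
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    add_challenge "$ZONE_FILE" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    rndc reload "$DELEGATED_ZONE"
fi
```

Because the authoritative server for letsencrypt.example.com is the host running certbot, there is no propagation delay to wait for after the reload; the host -t txt check shown above is exactly what the validation servers will see once the CNAME is followed.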
Yes, CNAME or NS delegation is a common way to handle large scale DNS Challenges. I still think you are better off not specifying extra options with the renew command. Some day you might have some certs that are done differently than the rest.
Have you seen the info about DNS-PERSIST-01 yet? Might simplify matters although not yet in production (just LE Staging). See: DNS-PERSIST-01: A New Model for DNS-based Challenge Validation - Let's Encrypt
Latest draft RFC: draft-ietf-acme-dns-persist-01 - Automated Certificate Management Environment (ACME) Challenge for Persistent DNS TXT Record Validation
You say you "have quite a lot of domains". If by that you mean hundreds, many of us here would not have suggested Certbot. Its performance as you scale up isn't the best. If you mean a couple/few dozen, that's easy enough. There is not a hard limit and some people with large numbers are satisfied so ...
3 Likes
Don't you worry! I already removed the options! (only "certbot renew")
And at the moment I have about 40 domains, but as the Comodo/Sectigo 5 year subscriptions will expire next year, the number will be bigger. And as I'm quite a newbie to LE I haven't read all the documents yet. I will have a look at it!
And it works well now, but not when you have thousands of domains.
I cannot find an option to edit posted messages BTW...
Richard
Thnx!
R.
2 Likes
Looks good! And the production version will be available in 2026/Q2. I will try with a test domain using DNS-PERSIST-01, it makes life easier.
Thnx for your time to help this newbie find his way!
Richard.
1 Like