Let's Encrypt TXT ACME and renewal

Have created a certificate like this

sudo certbot certonly --manual --preferred-challenges dns -d subdomain.domain.com
openssl pkcs12 -export -inkey privkey.pem -in fullchain.pem -out certificate.pfx

It says it's valid for a few months; how does the renewal work?
And I think I did something wrong: I removed the TXT record and I don't think I was supposed to :smiley:

Is there any way to automatically be renewed?

Thank you!

// The certificate is used in Microsoft PowerPages.

To make it automatically renew with the DNS challenge you'd need to give certbot an API key for your DNS provider, and let it edit DNS records.

Hi @nekakyjot, and welcome to the LE community forum :slight_smile:

Certbot should be configured [via a cron-type job] to renew all certs that it manages.
You can see which certs certbot is managing with:
certbot certificates

You can review cron and systemd timers to ensure certbot is configured to renew.

That said, without added instruction, a certbot renewal will only renew the cert.
All other steps will then need to be repeated:

  • create .pfx file from latest cert
  • import .pfx file into Windows
  • ensure PowerPages is using the latest certificate

With that said, and not knowing exactly what system you are using, nor what PowerPages is...
I would recommend that you look into using a [proper] Windows based ACME client.
Like: Posh-ACME or CertifyTheWeb

EDIT: Note: If there is a plugin that works with DSP, then that is the simplest way to automate this.
Instead of doing it:

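One way to automate the first of those repeated steps (rebuilding the .pfx after every renewal), added here as an example and not taken from the thread, from certbot or from any of the tools named in it: a certbot deploy hook. certbot really does export RENEWED_LINEAGE to deploy hooks and runs scripts dropped into /etc/letsencrypt/renewal-hooks/deploy/; the PFX_OUT and PFX_PASSFILE names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot deploy hook that rebuilds the
# .pfx every time certbot actually renews the certificate. Install it as
# /etc/letsencrypt/renewal-hooks/deploy/build-pfx.sh (or pass it with
# `certbot renew --deploy-hook`); certbot exports RENEWED_LINEAGE, the
# directory holding the fresh privkey.pem and fullchain.pem, before running it.
# PFX_OUT and PFX_PASSFILE are assumed names for this example, not certbot variables.
set -eu

# build_pfx LINEAGE_DIR OUT_PFX PASSFILE
#   Refuses to run if either PEM is missing, then exports key + chain as
#   PKCS#12 readable only by the invoking user, with the export passphrase read
#   from PASSFILE so it never shows up on the command line or in `ps` output.
build_pfx() {
  lineage="$1"
  out="$2"
  passfile="$3"
  for f in privkey.pem fullchain.pem; do
    if [ ! -r "$lineage/$f" ]; then
      echo "build_pfx: missing $lineage/$f" >&2
      return 1
    fi
  done
  if [ ! -r "$passfile" ]; then
    echo "build_pfx: missing passphrase file $passfile" >&2
    return 1
  fi
  umask 077
  openssl pkcs12 -export \
    -inkey "$lineage/privkey.pem" \
    -in "$lineage/fullchain.pem" \
    -out "$out" \
    -passout "file:$passfile"
  echo "build_pfx: wrote $out from $lineage" >&2
}

# Only act when certbot invoked us; sourcing the file just defines the function.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  build_pfx "$RENEWED_LINEAGE" \
    "${PFX_OUT:-/etc/letsencrypt/certificate.pfx}" \
    "${PFX_PASSFILE:-/etc/letsencrypt/pfx-passphrase}"
fi
```

Importing the resulting .pfx into Windows and pointing Power Pages at it still has to be scripted separately; the thread describes no API for that step, so it is not shown here.
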
Thing is, the certificate I got I manually uploaded to PowerPages, so I guess each renewal will need to be uploaded again?
Since it's in PowerApps, I can't run certbot there, or I can run it on another server?

If you are using DNS challenge, you can run that from anywhere on the Internet.

I see.
Power Pages is a platform, it's in the cloud.

For now, on my local machine I have cert.pem chain.pem fullchain.pem privkey.pem in /etc/letsencrypt.

In 3 months time do I run again sudo certbot certonly --manual --preferred-challenges dns -d domain.com?

It will give me a new TXT record to add right?

Thing is, today when generating I made some mistakes and I ran it 5 times; only the first time did it tell me the TXT ACME record, after that it did not, it just generated the files again I guess.

Yes.
OR

Who is your DNS Service Provider [DSP]?

LE saw the same account asking for a cert on a name it had already [recently] authenticated for.
So, LE did not require reauthentication.
[that will NOT happen beyond 30 days]

It's called dandomain.dk.
Let's say they have a plugin; won't I need to manually upload the cert into PowerPages? Or will the DNS TXT record make it so there is no need to upload the file in the PowerPages admin panel?

You do need to create a complete automation process.
Automating the cert renewals is only part of that.
Updating PowerPages is another part - but I'm confident that there must be ways to automate that as well.

I'm not familiar with:

Maybe you can check through their website OR speak/email with one of them to see if they support DNS automation.