Moving wildcard manual domains from docker and setup autorenew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vicimus.me

I ran this command: certbot certonly --manual --manual-auth-hook '/data/prod/acme-dns/acme-dns-certbot-hook -config /data/prod/nginx/certbot/vicimus-me.json' --preferred-challenges dns -d *.vicimus.me

It produced this output: To be honest, I tried so many things I don't even know what direction to go in now.
I have 2 web servers on AWS that point to a /data drive on GlusterFS where I load my web content. Originally I had certbot running in Docker, but now I would like to have it run on a standalone machine where the certs will be able to auto-renew.

I spent a few days trying to get acme-dns to work because I read that GoDaddy does not have a DNS plugin and my employer has many domains there. At this point I would like to resolve it in the easiest way possible.

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 18

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Hi,

Since you mentioned GoDaddy DNS, you could try to use the GoDaddy DNS API (if you have access to it) and use a manual auth hook to update DNS records.

Here's a tutorial from a search engine that might help you achieve what you need (since I don't have a GoDaddy-registered domain, I'm not sure whether it'll work or not):

Also, the domain you are using is using Route 53 as DNS hosting; you could use https://github.com/certbot/certbot/tree/master/certbot-dns-route53 to manage records and complete validations.

P.S. You could use CNAME records to CNAME _acme-challenge.domain.tld to a domain that you could automate. (For example, CNAME _acme-challenge.domain.com to dm-acme.vicimus.me and add TXT records to dm-acme.vicimus.me)

Thank you

I am exploring both of these options. Thank you.

Also, will I need to change the configs for the certs to support auto-renewal?
If so, do you know of any documentation that provides a walk-through?

If your scripts (the auth hook and clean-up hook) are specified, and you've set the server to auto-reload when renewal is done, you are fine.

Thank you

Where can I find an example of a --manual-auth script that works with the DNS challenge? I saw one that was written for the webroot option. I tried to modify it but was not successful.

Thank you
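The question above asks for an example of a --manual-auth script for the dns-01 challenge, and an earlier reply suggests CNAME-delegating _acme-challenge to a zone you can automate. Below is an added example of such a hook; it is not from this thread or from the certbot project. The provider call (publish_txt), the delegation table and the example.com mapping are placeholders you must replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread or certbot): a dns-01 --manual-auth-hook.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; for
# -d '*.vicimus.me' CERTBOT_DOMAIN is already the base name "vicimus.me".
set -eu

# Name of the TXT record the CA will look up (strips a leading "*." just in case).
challenge_name() {
  printf '_acme-challenge.%s' "${1#\*.}"
}

# CNAME delegation as suggested in the thread: if _acme-challenge.<domain> is a
# CNAME to a zone you can automate, the TXT must be written at the target.
# The mapping below is a constructed example; adjust it to your own zones.
delegated_target() {
  case "$1" in
    _acme-challenge.example.com) printf 'dm-acme.vicimus.me' ;;
    *) printf '%s' "$1" ;;
  esac
}

# Hypothetical placeholder for the provider API call (GoDaddy, Route 53, acme-dns).
publish_txt() {
  echo "would publish TXT $1 = \"$2\"" >&2
}

# Poll a public resolver until the record is visible, so the CA is not asked
# to validate before propagation. Fails after $3 attempts (10 s apart).
wait_for_txt() {
  n=0
  while [ "$n" -lt "$3" ]; do
    if dig +short TXT "$1" @1.1.1.1 2>/dev/null | grep -Fq "\"$2\""; then
      return 0
    fi
    n=$((n + 1)); sleep 10
  done
  echo "TXT $1 not visible after $3 attempts" >&2
  return 1
}

run_hook() {
  name=$(challenge_name "$CERTBOT_DOMAIN")
  target=$(delegated_target "$name")
  publish_txt "$target" "$CERTBOT_VALIDATION"
  wait_for_txt "$target" "$CERTBOT_VALIDATION" 12
}

# Only act when certbot invoked us; running the file without those variables does nothing.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
  run_hook
fi
```

The matching --manual-cleanup-hook receives the same variables and should delete the record that publish_txt created, so renewals leave no stale TXT entries behind.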

I am giving dns-route53 a test and pointing it to the current config folder. I was wondering whether any of the following in my cert-domain.conf needs to be changed. I already have an account from doing the process manually when it was set up with Docker. Should I disregard the account info and just try to get a new cert… what is the recommended way?

renew_before_expiry = 30 days

version = 0.29.1
archive_dir = /data/prod/nginx/letsencrypt/archive/example.com
cert = /data/prod/nginx/letsencrypt/live/example.com/cert.pem
privkey = /data/prod/nginx/letsencrypt/live/example.com/privkey.pem
chain = /data/prod/nginx/letsencrypt/live/example.com/chain.pem
fullchain = /data/prod/nginx/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = manual
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
pref_challs = dns-01,
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory

certbot renew --dns-route53 --config-dir /data/prod/nginx/letsencrypt/

I’m still not sure what to do in a nutshell.

Thanks

Hi @wjansson

if you use dns-route53, you shouldn't need an additional --manual-auth script. dns-route53 should do that.

I have some domains with route53 and others with godaddy

I am using one domain with route53 for testing

If you want to try the GoDaddy DNS script, please see response #4.

You might need to modify the script to comply with the latest GoDaddy DNS API (it might also work fine as is, however).

Thank you

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.