NameCheap DNS alternative for self hosted web site

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *.hbuus.com

I ran this command:
certbot certonly --manual --preferred-challenges dns-01 -d 'hbuus.com' -d '*.hbuus.com' --server https://acme-v02.api.letsencrypt.org/directory

It produced this output:
I use the above to manually create new certificates every < 90 days. It works just fine. That's not my problem.

My web server is (include version): Apache/2.4.65 (Debian)

The operating system my web server runs on is (include version): Debian GNU/Linux 12 (bookworm)

My hosting provider, if applicable, is: Self Hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

I have been using letsencrypt certificates for years on my self hosted web and email server. My server hosts an IMAP server, but not a SMTP server, as well as a web server. I use Gmail's SMTP servers to send email. Both web and IMAP servers use the same letsencrypt certificate. Does what I need.

My problem is: I have been manually updating my certificate every < 90 days all this time. Why? Because my domain registrar and DNS provider is Namecheap and Namecheap is not friendly to automatic certificate updates. Is that still true?

I've also been updating certs remotely for a family member's domain who is not so technically inclined. I've been trying to teach them how to update the certs manually, but they would be relieved if they didn't have to do all the command line stuff involved with manually updating certs.

Now that letsencrypt certs will start expiring in 45 days, I think it's time to find a way to automatically update our certificates. I assume that means changing my DNS provider, and maybe my domain registrar. My concern is finding an alternative that does mail forwarding of any mail sent to *@hbuus.com to my personal gmail account, while also allowing mail.hbuus.com to point to the same IP address that hbuus.com points to. It should also be relatively easy to update my IP address with bash script.

Namecheap supports these things. Does Cloudflare provide comparable support with their free DNS service? Or should I look at another DNS service?

I'm fine with transferring domain registration if it gets me to a DNS service that meets my needs and keep costs in line with what I'm paying Namecheap today.

Thanks in advance.

Why not use https://challenges.addr.tools by https://addr.tools

Because that would mean some random unknown third party has full control over your challenge? Not the wisest.

Self hosted acme-dns would be better.

1 Like

For self hosting getting a cheap IPv6 only VPS is also a good idea.

Is a wildcard cert necessary? Because generally an HTTP (or TLS-ALPN) challenge is easier to automate. That challenge does not allow wildcard but with proper planning can usually work out.

In your case, I'd suggest looking at Apache's mod_md for your ACME Client. You just add a few lines of config into your Apache config and mod_md takes care of getting and renewing your certs. It supports all the challenge types and you may even want to use its TLS-ALPN support. That is like an HTTP challenge but uses port 443 rather than port 80.

You can even get a cert with an "extra" name such as for a mail server. See: GitHub - icing/mod_md: Let's Encrypt (ACME) in Apache httpd

Apache's mod_md docs: mod_md - Apache HTTP Server Version 2.4

The github I linked above for mod_md has a number of other "how to". The Apache docs have good install info and general reference.

You could do a similar idea with Certbot. But, your Certbot version is very old (current is 5.2.2) and using snap install is recommended (although pip venv is possible). There are big advantages for getting current like supporting ARI and profiles which are important when dealing with upcoming cert life shortening. I think you'll find using mod_md is easier than reworking your install method for Certbot.

4 Likes

@saudiqbal I hadn't heard of VPS before now. If I understand it correctly, I don't think the VPS idea would work for me. My web server is also a reverse proxy for other web apps, like zoneminder. And I don't feel comfortable letting my security camera footage out of my home. But I appreciate the suggestions.

@MikeMcQ, Let me make sure I understand what you're suggesting. If I can eliminate the need for a wildcard cert, I could use http instead of dns to prove I'm in control of my domain, right? And then I don't need to change my domain registrar or dns service, right?

Do I need a wildcard cert? Well, for historical reasons I'd like to continue to support access to my web server using www.hbuus.com, www2.hbuus.com as well as mail.hbuus.com and hbuus.com. Please explain what you mean by proper planning? Is there a way I can support those sub-domains without a wildcard cert?

I will look into mod_md. I wasn't aware of it. Thanks for pointing out its existence.

I'll also have to check the changelogs for certbot. My family member's web/email server is on ubuntu 24.04 and the certbot version available on that distro via apt is 2.9.0. So both debian bookworm and ubuntu 24.04 packages are 3 major versions behind! Is there that much churn in certbot development?

And Thanks everyone for your suggestions!

1 Like

@Osiris. I hadn't heard of self hosted acme-dns. I'll have to look into that. Thanks for the suggestion. I probably won't get a chance to follow up on this or @MikeMcQ's suggestion re: mod_md, until after the holidays. Guess I'm going manual renewal for at least one more iteration 🙂

1 Like

Correct. Apache mod_md also supports tls-alpn challenge on port 443 (Certbot does not support tls-alpn - not many clients do).

Correct. Note you don't need to change your registrar. Just the DNS provider, if you need to, for a DNS API to automate the DNS challenge.

Sure, just get a cert with those explicit names in it. Apache mod_md takes care of that using MDomain statements in your Apache config. With Certbot you just add -d options for each domain name. And, have your Apache setup to be able to handle the incoming HTTP challenge.

Yes, especially in the past year with ARI and Profile support amongst others. This is why the Certbot team recommends using the snap install method which keeps it up to date. Or, if you know pip well enough setup a virtual env for it.

3 Likes
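The mod_md setup MikeMcQ describes in his two replies above (explicit names instead of a wildcard, tls-alpn-01 on port 443 with http-01 as fallback, MDomain in the Apache config), written out as an added example; it is not from the thread or from the mod_md project. The host names are the ones the original poster listed; the contact address, the renew-hook script path, the key types and the DocumentRoot are assumptions.

```apache
# Assumed location: /etc/apache2/conf-available/md.conf on Debian, enabled with
#   a2enmod md ssl && a2enconf md && systemctl reload apache2
MDCertificateAgreement accepted
MDContactEmail hostmaster@hbuus.com            # assumed address; expiry mail from the CA goes here
MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory

# One managed domain listing every name explicitly: no wildcard, so dns-01 is never needed
# and the registrar / DNS provider can stay as they are.
MDomain hbuus.com www.hbuus.com www2.hbuus.com mail.hbuus.com

# Try tls-alpn-01 on 443 first, then http-01 on 80. dns-01 is deliberately not listed.
MDCAChallenges tls-alpn-01 http-01
MDRenewWindow 33%                              # renew when a third of the lifetime is left
MDPrivateKeys secp256r1 rsa2048                # assumed choice: ECDSA cert plus an RSA fallback

# Called by mod_md with "renewed <domain>" after a successful renewal. The script
# (assumed path, not shown) would reload Apache and restart the IMAP daemon, which reads
# the same pubcert.pem / privkey.pem from MDStoreDir (md/ under ServerRoot by default).
MDMessageCmd /usr/local/sbin/md-renewed.sh

<VirtualHost *:443>
    ServerName hbuus.com
    ServerAlias www.hbuus.com www2.hbuus.com mail.hbuus.com
    # acme-tls/1 is what lets mod_md answer tls-alpn-01 on this port.
    Protocols http/1.1 acme-tls/1
    SSLEngine on
    # No SSLCertificateFile / SSLCertificateKeyFile here: mod_md hands the cert to mod_ssl.
    DocumentRoot /var/www/html                 # assumed
</VirtualHost>

<VirtualHost *:80>
    ServerName hbuus.com
    ServerAlias www.hbuus.com www2.hbuus.com mail.hbuus.com
    # mod_md serves /.well-known/acme-challenge/ itself before this redirect applies,
    # so the http-01 fallback keeps working even though all other traffic is sent to https.
    Redirect permanent / https://hbuus.com/
</VirtualHost>
```

The first reload triggers an initial order; until that completes, mod_md serves a temporary self-signed certificate, so check `apachectl -M` for mod_md and the error log before declaring the renewal automated.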