Options For Automated Renewals

Hi @borsaid,

This does depend on who the DNS hosts for each domain are, because each provider may (or may not) offer an API, with a different interface and presumably different credentials, to update records programmatically.

An increasing number of Let's Encrypt clients have support for doing this from software and/or calling an external script, but in each case the details depend on the particular DNS provider hosting the domain's DNS zone, and on what APIs that provider offers to handle these updates.

If you do have any DNS zone that you can update programmatically from a renewal script, there's a cool trick that you can use to use that zone for all of the hostnames. This is based on setting a CNAME record for the _acme-challenge record under each name that you care about to some corresponding record in a different zone. For example, you could set _acme-challenge.sonicwall.example.com. IN CNAME sonicwall-challenge.easier-to-update-otherdomain.com. and after doing so, you can complete a Let's Encrypt DNS-01 challenge for sonicwall.example.com by placing a TXT record at sonicwall-challenge.easier-to-update-otherdomain.com.

Also, starting at the end of this month, Let's Encrypt will offer wildcard certificates. In that case if you have an appropriate ACMEv2-compatible client and you can do an appropriate DNS validation to prove your control, you can get a certificate that will be valid for all of these names.

2 Likes
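As an added example (not code from the post above, and not Let's Encrypt's or any client's own software), the following Python script models the CNAME delegation the reply describes and the wildcard case it mentions: a toy in-memory resolver follows the `_acme-challenge` CNAME the way the CA's validating resolver would, the renewal-script side writes the TXT record into the zone that can be updated by API, and the check computes the expected DNS-01 value per RFC 8555. The hostnames are the ones from the post; the token, the account-key thumbprint, the `ToyDns` class and the helper function names are constructed for this example.

```python
import base64
import hashlib

MAX_CNAME_DEPTH = 8  # bound on chain length so a looped CNAME cannot spin the lookup forever


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """Value the CA expects in the TXT record (RFC 8555 section 8.4):
    base64url(SHA-256(token "." account-key-thumbprint)) with '=' padding removed."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


class ToyDns:
    """Constructed in-memory stand-in for the two zones: owner name -> [(rtype, rdata)]."""

    def __init__(self):
        self.records = {}

    def add(self, name, rtype, rdata):
        owner = _fqdn(name)
        existing = self.records.setdefault(owner, [])
        # RFC 1034 section 3.6.2: a CNAME must be the only record at its owner name,
        # so a TXT cannot be written at _acme-challenge.<host> once that name is a CNAME.
        has_cname = any(r == "CNAME" for r, _ in existing)
        if has_cname or (rtype == "CNAME" and existing):
            raise ValueError(f"{owner}: CNAME cannot coexist with other records")
        existing.append((rtype, rdata))

    def lookup_txt(self, name):
        """TXT rdata at name after following CNAMEs, as a validating resolver would."""
        owner = _fqdn(name)
        for _ in range(MAX_CNAME_DEPTH + 1):
            rrs = self.records.get(owner, [])
            cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
            if not cnames:
                return [rdata for rtype, rdata in rrs if rtype == "TXT"]
            owner = _fqdn(cnames[0])
        raise RuntimeError(f"CNAME chain from {_fqdn(name)} exceeds {MAX_CNAME_DEPTH} hops")


def publish_challenge(dns, delegated_name, token, thumbprint):
    """Renewal-script side: write the TXT record into the zone we can update by API."""
    value = dns01_txt_value(token, thumbprint)
    dns.add(delegated_name, "TXT", value)
    return value


def ca_validate(dns, identifier, token, thumbprint):
    """CA side: query _acme-challenge.<name>, follow CNAMEs, compare the TXT value.
    A wildcard identifier (*.example.com) is validated at the base name (RFC 8555 section 7.1.3)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    try:
        found = dns.lookup_txt(f"_acme-challenge.{base}")
    except RuntimeError:
        return False
    return dns01_txt_value(token, thumbprint) in found


# Constructed sample inputs: the names follow the post, the token and thumbprint are made up.
DELEGATED = "sonicwall-challenge.easier-to-update-otherdomain.com"
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "constructed-account-key-thumbprint"


def delegated_renewal_succeeds():
    dns = ToyDns()
    # one-time setup in the hard-to-automate example.com zone
    dns.add("_acme-challenge.sonicwall.example.com", "CNAME", DELEGATED)
    publish_challenge(dns, DELEGATED, TOKEN, THUMBPRINT)  # per renewal, in the easy zone
    return ca_validate(dns, "sonicwall.example.com", TOKEN, THUMBPRINT)


def wildcard_uses_base_name():
    dns = ToyDns()
    dns.add("_acme-challenge.example.com", "CNAME", "wild-challenge.easier-to-update-otherdomain.com")
    publish_challenge(dns, "wild-challenge.easier-to-update-otherdomain.com", TOKEN, THUMBPRINT)
    return ca_validate(dns, "*.example.com", TOKEN, THUMBPRINT)


def stale_value_fails():
    dns = ToyDns()
    dns.add("_acme-challenge.sonicwall.example.com", "CNAME", DELEGATED)
    publish_challenge(dns, DELEGATED, "old-token-from-last-renewal", THUMBPRINT)
    return ca_validate(dns, "sonicwall.example.com", TOKEN, THUMBPRINT)


def cname_loop_fails():
    dns = ToyDns()
    dns.add("_acme-challenge.a.example", "CNAME", "_acme-challenge.b.example")
    dns.add("_acme-challenge.b.example", "CNAME", "_acme-challenge.a.example")
    return ca_validate(dns, "a.example", TOKEN, THUMBPRINT)


def txt_beside_cname_is_rejected():
    dns = ToyDns()
    dns.add("_acme-challenge.sonicwall.example.com", "CNAME", DELEGATED)
    try:
        dns.add("_acme-challenge.sonicwall.example.com", "TXT", "anything")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("delegated renewal:", delegated_renewal_succeeds())
    print("wildcard at base name:", wildcard_uses_base_name())
    print("stale value:", stale_value_fails())
    print("CNAME loop:", cname_loop_fails())
    print("TXT beside CNAME rejected:", txt_beside_cname_is_rejected())
```

In a real renewal the `dns.add` call in `publish_challenge` becomes the DNS provider's API call (for example from a certbot `--manual-auth-hook` script or a client's built-in DNS plugin), and the script should also delete the TXT record after issuance so stale values do not pile up under the delegated name. Two caveats the toy resolver makes visible: the CNAME must be the only record at `_acme-challenge.<host>`, and whoever controls the delegated zone can complete DNS-01 for every name that points at it, so that zone's API credentials deserve the same protection as the domains themselves.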