Renew DNS based wildcard cert

My domain is:

I ran this command: certbot certonly --manual --preferred-challenges dns --rsa-key-size 4096 -d gitlab.project-creative.net -d gitlab.aura-dev.team -d pages.project-creative.net -d pages.aura-dev.team -d *.pages.project-creative.net -d *.pages.aura-dev.team

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for pages.aura-dev.team
dns-01 challenge for pages.project-creative.net
dns-01 challenge for gitlab.aura-dev.team
dns-01 challenge for gitlab.project-creative.net
dns-01 challenge for pages.aura-dev.team
dns-01 challenge for pages.project-creative.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: yes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.pages.aura-dev.team with the following value:

p1ov1nvWYAuapO8kg6QjF4r387RMjYCS9K1NvoNmv3c

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

The operating system my web server runs on is (include version): Debian 10

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


Alright. So I created a wildcard DNS certificate with the command above. I added all the challenges it asked me to. That all worked out just fine. However, this cert won’t auto-renew and I don’t know what to do. Each time I run it, it asks me for new TXT records too.
I found the various related questions; however, they all seem to have used an external DNS auth plugin, which (to my knowledge) I didn’t.
Now, frankly, I don’t know how to proceed here.

2 Likes

Welcome back. You are correct in that it will not auto renew due to --manual. Without deploying some hook to automatically create/destroy the DNS TXT records, automatic renewal is not possible. The TXT records will change each time to ensure that you still control the domains.

I cannot suggest switching to auto with http challenges because you’re using wildcard certs that require dns challenges.

2 Likes

So is the method outlined here still up to date?

1 Like

Honestly not sure. I don’t actually use certbot myself, but I’ve been picking up its nuances in guiding people. There are a ton of members here with more experience in this area than me, so I’m sure someone will come around shortly to guide you.

As a Namecheap user, you would be able to more easily use one of the ACME clients which supports issuing wildcard certificates automatically via the Namecheap API.

One option: dnsapi · acmesh-official/acme.sh Wiki · GitHub

However, there is one particular pain with the Namecheap API, and that's actually getting access to it. Here are the qualifications:

To qualify, you must have: Account balance of $50+, 20+ domains in your account, or purchases totaling $50+ within the last 2 years.

I have to come clean, I wrote that blog post at a time when I had a less than stellar understanding of all things Certbot. It could still work in theory but I have to discourage its use, just because over the long term, hacks like this tend to crop up with problems. I thought I had since delisted the page, but apparently people can still find it.

If you have access to the Namecheap API, try using a supported client like acme.sh as I linked above, or others that also have support, like lego, Posh-ACME etc.

If you don't have access to the Namecheap API, you can try something like acme-dns, or try choosing another DNS host like Cloudflare or others that can easily work with ACME clients.

3 Likes

I do qualify for that. I've already generated my key.

Since I didn't want to mess with my existing letsencrypt installation, I opted to use your script. With minimal adjustments related to paths and the auth parameters, it works just fine.

Here's my modified script for those future people that just want a working solution:

#!/usr/bin/env bash
# Certbot runs this as "<script> create" (--manual-auth-hook) and "<script> delete"
# (--manual-cleanup-hook); it supplies CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment.
pip3 install dns-lexicon urllib3 > /dev/null
pip3 install 'dns-lexicon[namecheap]' > /dev/null
lexicon namecheap \
--auth-client-ip <external IP (needs to be whitelisted)> --auth-token <API Token> --auth-username <Username> \
"$1" "${CERTBOT_DOMAIN}" TXT \
--name "_acme-challenge.${CERTBOT_DOMAIN}" \
--content "${CERTBOT_VALIDATION}" || exit 255

# Give the new record time to propagate before certbot asks the ACME server to validate it.
if [ "$1" == "create" ]; then
  sleep 30
fi

2 Likes
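The script above works, but its fixed 30-second sleep is a guess: too short and the dns-01 validation fails, too long and every renewal crawls. The following is an added example, not code from this thread or from certbot or lexicon, of the same create/delete hook convention with a propagation check that polls DNS for the exact challenge value before handing control back to certbot. It assumes the lexicon CLI and dig are installed, that credentials are read from the environment variables NAMECHEAP_USERNAME, NAMECHEAP_API_TOKEN and NAMECHEAP_CLIENT_IP (names chosen here, not lexicon's own), and that 1.1.1.1 is acceptable as the resolver to query. The DIG_CMD variable exists only so the check can be exercised against a stand-in lookup command without network access.

```shell
#!/usr/bin/env sh
# Added example (not the thread's script, not certbot's or lexicon's code).
# Register it with certbot once; the hook paths are then stored in the renewal
# config, so a plain "certbot renew" can run unattended:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/etc/letsencrypt/hooks/namecheap.sh create" \
#     --manual-cleanup-hook "/etc/letsencrypt/hooks/namecheap.sh delete" \
#     -d example.test -d '*.example.test'
# (the hook path above is a placeholder; certbot 0.x also needs
#  --manual-public-ip-logging-ok for a non-interactive run)
set -eu

: "${DIG_CMD:=dig}"   # lookup command; overridable so the check can run offline

# Return 0 when a TXT lookup of $1 contains exactly the value $2.
# "dig +short TXT" prints each value wrapped in double quotes, so compare against "$2".
txt_record_present() {
  name="$1"; expected="$2"
  # Query a public resolver (assumption: 1.1.1.1) rather than the local cache,
  # which may still hold the previous renewal's answer.
  $DIG_CMD +short TXT "$name" @1.1.1.1 2>/dev/null | grep -Fxq "\"$expected\""
}

# Poll until the record is visible or the deadline (seconds) passes; 1 on timeout.
wait_for_txt() {
  name="$1"; expected="$2"; deadline="${3:-300}"; interval="${4:-10}"; waited=0
  while ! txt_record_present "$name" "$expected"; do
    waited=$((waited + interval))
    if [ "$waited" -ge "$deadline" ]; then
      return 1
    fi
    sleep "$interval"
  done
  return 0
}

# Create or delete the _acme-challenge TXT record via lexicon, using the same
# CLI shape as the script above. Credentials come from the environment
# (variable names are this example's own assumption), not from the script body.
manage_record() {
  action="$1"   # create | delete
  lexicon namecheap \
    --auth-username "${NAMECHEAP_USERNAME:?set NAMECHEAP_USERNAME}" \
    --auth-token "${NAMECHEAP_API_TOKEN:?set NAMECHEAP_API_TOKEN}" \
    --auth-client-ip "${NAMECHEAP_CLIENT_IP:?set NAMECHEAP_CLIENT_IP}" \
    "$action" "${CERTBOT_DOMAIN:?}" TXT \
    --name "_acme-challenge.${CERTBOT_DOMAIN}" \
    --content "${CERTBOT_VALIDATION:?}"
}

case "${1:-}" in
  create)
    manage_record create
    # Only return to certbot once the record actually resolves; a non-zero exit
    # makes certbot abort the attempt instead of failing validation later.
    wait_for_txt "_acme-challenge.${CERTBOT_DOMAIN}" "${CERTBOT_VALIDATION}" \
      || { echo "TXT record for ${CERTBOT_DOMAIN} not visible in time" >&2; exit 1; }
    ;;
  delete)
    manage_record delete
    ;;
  *)
    # No action given: define the functions only (used when the file is tested).
    ;;
esac
```

Because the validation value changes on every renewal, the cleanup hook matters as much as the auth hook: stale _acme-challenge records pile up otherwise, and with several of them present the resolver may answer with the old one first. Passing the token on the lexicon command line, as the thread's script does, leaves it visible in process listings on a shared host; keeping the script readable only by root limits that, and lexicon's own documentation describes reading provider credentials from the environment instead.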

Thanks @_az. Knew someone would be familiar.

1 Like

It is. The referenced article should be updated. However, certbot-auto (in the example) is pretty much the same to this day (dependencies notwithstanding).

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.