Renew letsencrypt SSL Certificates generated by DNS Challenge

Hi,

I ran the below command on CentOS Linux release 7.9.2009 (Core) to generate Let's Encrypt SSL certificate using DNS challenge. The Let's Encrypt SSL certificate got generated and is valid for 90 days.

certbot -d apihub.mydomain.io --manual --preferred-challenges dns certonly

certbot --version
certbot 1.11.0
#cat /etc/systemd/system/certbot-renewal.service
[Unit]
Description=Certbot Renewal

[Service]
ExecStart=/usr/bin/certbot renew "service nginx stop" --post-hook "service nginx start"
#
# cat /etc/systemd/system/certbot-renewal.timer
[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnBootSec=300
OnUnitActiveSec=1w

[Install]
WantedBy=multi-user.target
#

Please advise me if the above approach is correct to renew the Let's Encrypt SSL certificate for the FQDN apihub.mydomain.io after 90 days? Any port number to be opened inbound and outbound in the firewall to renew the Let's Encrypt SSL certificate?

Thanks in Advance

Best Regards,

Kaushal

No, it isn't.

  • certbot renew won't work with certs obtained using the --manual flag--the renew command is for automatic renewal, and the --manual flag, by definition, requires manual intervention. Remaining points assume you come up with a way to automate this.
  • The syntax of the command is incorrect; if you wanted to stop nginx before obtaining the cert (which you shouldn't; see below), you're missing --pre-hook before the "service nginx stop".
  • As noted above, there's no reason to be stopping and starting nginx; that would only be necessary if you were using standalone (which wouldn't seem to make much--if any--sense if you're running nginx). Instead, run service nginx reload as a post-hook.
3 Likes
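The automation gap named in the reply above can be closed without switching plugins: certbot's --manual authenticator accepts --manual-auth-hook and --manual-cleanup-hook scripts, exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to them, and records the hook paths in the lineage's renewal configuration under /etc/letsencrypt/renewal/, so a later `certbot renew` runs them unattended. The script below is an added example written for this page, not code from the thread or from certbot. publish_txt and remove_txt are hypothetical placeholders to be replaced with the DNS provider's update mechanism (API call, nsupdate, and so on); the propagation poll assumes dig is installed.

```sh
#!/bin/sh
# acme-dns-hook.sh: --manual-auth-hook / --manual-cleanup-hook for certbot DNS-01.
# Added example, not from the thread. Invoke it from certbot like this:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook "/opt/acme-dns-hook.sh auth" \
#     --manual-cleanup-hook "/opt/acme-dns-hook.sh cleanup" \
#     -d apihub.mydomain.io
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.

: "${POLL_INTERVAL:=5}"                 # seconds between propagation checks
: "${TXT_LOOKUP:=default_txt_lookup}"   # lookup function; overridable for tests

# TXT record name for a DNS-01 challenge; a leading "*." is stripped because a
# wildcard validates at the same _acme-challenge label as its base name.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Ask the zone's authoritative servers, not the local resolver cache: the CA
# queries authoritative data, so a cached answer proves nothing.
default_txt_lookup() {
    name=$1
    zone=${name#_acme-challenge.}
    ns=
    while [ -n "$zone" ]; do
        ns=$(dig +short NS "$zone" | head -n1)
        [ -n "$ns" ] && break
        case $zone in *.*) zone=${zone#*.} ;; *) zone= ;; esac
    done
    [ -n "$ns" ] || return 1
    dig +short TXT "$name" "@$ns" | tr -d '"'
}

# Poll until the expected value is served or the deadline (seconds) passes.
# Returns 0 when seen, 1 on timeout. A record that is not yet served when the
# CA looks fails the whole order, so never skip this step.
wait_for_txt() {
    name=$1; value=$2; deadline=${3:-120}; waited=0
    while [ "$waited" -lt "$deadline" ]; do
        if "$TXT_LOOKUP" "$name" | grep -qxF -- "$value"; then
            return 0
        fi
        sleep "$POLL_INTERVAL"; waited=$((waited + POLL_INTERVAL))
    done
    return 1
}

# Hypothetical provider glue: replace both. They fail closed (return 1) so an
# unimplemented hook cannot pretend the record was published.
publish_txt() { echo "publish TXT $1 -> $2: implement for your DNS provider" >&2; return 1; }
remove_txt()  { echo "remove TXT $1: implement for your DNS provider" >&2; return 1; }

auth_hook() {
    name=$(challenge_name "$CERTBOT_DOMAIN")
    publish_txt "$name" "$CERTBOT_VALIDATION" || exit 1
    wait_for_txt "$name" "$CERTBOT_VALIDATION" 120 || {
        echo "TXT $name did not propagate in time" >&2; exit 1; }
}

cleanup_hook() {
    remove_txt "$(challenge_name "$CERTBOT_DOMAIN")"
}

# Only act when certbot invokes us (CERTBOT_DOMAIN is set); sourcing the file
# merely defines the functions.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    case ${1:-} in
        auth)    auth_hook ;;
        cleanup) cleanup_hook ;;
        *) echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
    esac
fi
```

On the firewall question in the opening post: with DNS-01 the CA validates by querying the zone's name servers, so the host running certbot needs no inbound port at all; it only needs outbound HTTPS (443) to the ACME API, the acme-v02.api.letsencrypt.org connection visible in the certbot output later in this thread.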

Is that the correctly typed domain name? I am asking since I do not see any issued certificates for that domain name spelling here: crt.sh | apihub.mydomain.io
Just want to make sure I have not created a typo.

1 Like

I'm sure that mydomain.io is another placeholder domain from a yet another user who thinks that, despite what we say in the post template, we don't really need the true domain name.

4 Likes

However, as a side note, it did pass the https://letsdebug.net/ HTTP-01 and DNS-01 challenges. :laughing:

1 Like

Using a DNS challenge would not require stopping the web service.
A simple "--deploy-hook service nginx reload" would be sufficient.

4 Likes

@rg305

Thanks a lot for the suggestion. I have modified as per below. Please correct me if I am missing anything.

#cat /etc/systemd/system/certbot-renewal.service
[Unit]
Description=Certbot Renewal

[Service]
ExecStart=/usr/bin/certbot renew --deploy-hook "service nginx reload"
#

Thanks in Advance

Best Regards,

Kaushal

1 Like

That is slightly better.
But if it hinges on a manual DNS certificate issuance, it will be impossible to renew without continued manual intervention.

3 Likes
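A deploy hook with the check a practitioner would want before nginx picks up the new files, added here as an example and not taken from the thread or from certbot: --deploy-hook runs only when a certificate was actually renewed (unlike --post-hook, which runs after every `certbot renew` attempt), and certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS (space-separated) to it. The domain apihub.mydomain.io is assumed to be the vhost this nginx serves; `nginx -t`, `service nginx reload` and openssl are assumed present, and both commands are variables so the logic can be exercised without nginx.

```sh
#!/bin/sh
# nginx-deploy-hook.sh: for "certbot renew --deploy-hook /opt/nginx-deploy-hook.sh".
# Added example, not from the thread. A plain "service nginx reload" works, but
# a reload with a configuration that no longer parses leaves the old process
# serving while the next restart fails; checking first makes that visible now.

: "${NGINX_TEST_CMD:=nginx -t}"
: "${NGINX_RELOAD_CMD:=service nginx reload}"
SERVED_DOMAIN=apihub.mydomain.io   # assumption: the vhost this nginx serves

# 0 if $1 is in the space-separated list $2 (RENEWED_DOMAINS).
domain_renewed() {
    for d in $2; do [ "$d" = "$1" ] && return 0; done
    return 1
}

# The new fullchain.pem and privkey.pem must belong together before nginx
# loads them: compare the public key in each. Fails closed if openssl is absent.
cert_matches_key() {
    lineage=$1
    cert_pub=$(openssl x509 -in "$lineage/fullchain.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$lineage/privkey.pem" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Reload only if the configuration test passes; otherwise report and return 1.
reload_if_valid() {
    if ! $NGINX_TEST_CMD >/dev/null 2>&1; then
        echo "nginx configuration test failed; not reloading" >&2
        return 1
    fi
    $NGINX_RELOAD_CMD
}

# Only act when certbot invokes us; sourcing the file just defines functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if ! domain_renewed "$SERVED_DOMAIN" "${RENEWED_DOMAINS:-}"; then
        exit 0   # another lineage renewed; nothing for this vhost to do
    fi
    cert_matches_key "$RENEWED_LINEAGE" || {
        echo "certificate/key mismatch in $RENEWED_LINEAGE" >&2; exit 1; }
    reload_if_valid
fi
```

When the hook is given on the `certonly` command line it is saved in that lineage's renewal configuration; when given only on `certbot renew` it applies to every lineage renewed in that run, which is why the script checks RENEWED_DOMAINS before touching nginx.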

Hi,

I have a follow up question regarding DNS challenge.

How do i generate a Let's Encrypt SSL certificate using DNS challenge for a new domain. For example swagger.mydomain.io is the new FQDN.

Is it as per below?

certbot -d swagger.mydomain.io --preferred-challenges dns certonly

Please advise me. Thanks in Advance

Best Regards,

Kaushal

1 Like

You could simply do:
certbot
And answer all the questions presented.
And take the necessary actions when directed.

3 Likes

@rg305 I am trying to invoke certbot using DNS challenge for a new domain. I am facing the below issue

# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Obtain certificates using a DNS TXT record (if you are using BIND for DNS).
(dns-rfc2136)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel):
# rpm -qa |grep certbot
python2-certbot-1.11.0-2.el7.noarch
certbot-1.11.0-2.el7.noarch
python2-certbot-dns-rfc2136-1.11.0-1.el7.noarch

# certbot --version
certbot 1.11.0
#
certbot -h

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  (the certbot apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  (the certbot nginx plugin is not installed)
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-name or --cert-path)
    delete          Delete a certificate (supply --cert-name)

manage your account:
    register        Create an ACME account
    unregister      Deactivate an ACME account
    update_account  Update an ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
  -h all                print a detailed help page including all topics
  --version             print the version number
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

Please advise me. Thanks in Advance

Best Regards,

Kaushal

1 Like

@rg305 I tried doing the below steps

certbot certonly --preferred-challenges dns -d "swagger.mydomain.io"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Obtain certificates using a DNS TXT record (if you are using BIND for DNS).
(dns-rfc2136)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator dns-rfc2136, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for swagger.mydomain.io
Performing the following challenges:
dns-01 challenge for swagger.mydomain.io
Input the path to your RFC 2136 credentials INI file (Enter 'c' to cancel): /opt/credentials.ini

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Missing property in credentials configuration file /opt/credentials.ini:
 * Property "dns_rfc2136_server" not found (should be The target DNS server).
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Input the path to your RFC 2136 credentials INI file (Enter 'c' to cancel):
# cat /opt/credentials.ini
# Target DNS server (IPv4 or IPv6 address, not a hostname)
dns_rfc2136_server = 
# Target DNS port
dns_rfc2136_port = 53
# TSIG key name
dns_rfc2136_name = swagger
# TSIG key secret
dns_rfc2136_secret = xxxxxxxxxxxxxxxxxxx
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512

I am not sure what should be the value of dns_rfc2136_server property for GoDaddy DNS services.

Please advise me. Thanks in Advance

Best Regards,

Kaushal

1 Like

@rg305

Please advise me. Thanks in Advance

Best Regards,

Kaushal

I'm pretty sure GoDaddy doesn't use RFC2136 to update the DNS records.

From the beginning of this thread you've used the dns-01 challenge, but is that really necessary? No possibility for the (usually) much easier http-01 challenge?

4 Likes
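The error quoted earlier in this thread ("Property dns_rfc2136_server not found") comes from an empty value, and the file's own comment says the value must be an IP address: RFC 2136 dynamic update is sent directly to an authoritative name server that accepts TSIG-signed updates, which is why the plugin menu labels it "if you are using BIND" and why a hosted DNS service that does not expose such a server cannot be driven by it. The validator below is an added example, not code from the thread or from certbot. It checks the properties used in the INI posted above, plus the file mode, since the TSIG secret in it grants update rights on the zone; the accepted algorithm names are the HMAC variants the certbot-dns-rfc2136 plugin documents.

```sh
#!/bin/sh
# check-rfc2136-creds.sh: sanity-check a certbot dns-rfc2136 credentials file
# before handing it to certbot. Added example, not from the thread.
# Usage: check-rfc2136-creds.sh /opt/credentials.ini
# Prints one line per problem and returns 1 if any were found, 0 otherwise.

# Print the value of "key = value" from an INI file; comments are ignored and
# an empty value prints nothing, which is exactly how certbot ends up
# reporting the property as "not found".
ini_get() {
    awk -v k="$2" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") == 0 { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) { print val; exit }
        }
    ' "$1"
}

# IPv4 dotted quad (each octet 0-255) or anything with a colon (IPv6 literal).
is_ip_literal() {
    case $1 in
        *:*) return 0 ;;
        ""|*[!0-9.]*) return 1 ;;
        *)
            oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
            [ $# -eq 4 ] || return 1
            for o in "$@"; do
                [ -n "$o" ] && [ "$o" -le 255 ] || return 1
            done
            return 0 ;;
    esac
}

check_creds() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "$f: not readable"; return 1; }

    # The secret is a zone-update credential: nothing but the owner may read it.
    perm=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case $perm in
        *00) ;;
        *) echo "$f: mode $perm is group/world readable; TSIG secret exposed (use chmod 600)"; rc=1 ;;
    esac

    for k in dns_rfc2136_server dns_rfc2136_name dns_rfc2136_secret; do
        [ -n "$(ini_get "$f" "$k")" ] || { echo "$f: missing or empty $k"; rc=1; }
    done

    server=$(ini_get "$f" dns_rfc2136_server)
    if [ -n "$server" ] && ! is_ip_literal "$server"; then
        echo "$f: dns_rfc2136_server must be an IP address, not a hostname: '$server'"; rc=1
    fi

    port=$(ini_get "$f" dns_rfc2136_port)
    case ${port:-53} in
        *[!0-9]*) echo "$f: dns_rfc2136_port must be numeric: '$port'"; rc=1 ;;
    esac

    alg=$(ini_get "$f" dns_rfc2136_algorithm)
    case ${alg:-HMAC-MD5} in
        HMAC-MD5|HMAC-SHA1|HMAC-SHA224|HMAC-SHA256|HMAC-SHA384|HMAC-SHA512) ;;
        *) echo "$f: unknown dns_rfc2136_algorithm '$alg'"; rc=1 ;;
    esac
    return $rc
}

# Only run when given a path; sourcing the file just defines the functions.
if [ -n "${1:-}" ]; then
    check_creds "$1"
fi
```

Certbot itself only warns about an over-permissive credentials file; this check treats it as a failure, because anyone who can read the file can rewrite records in the zone, including the _acme-challenge records that prove control of the domain.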

I have no experience with DNS-01 authorizations and GoDaddy; So, I can't really add useful advice.

3 Likes
