Renewal of a wildcard certificate with 0.26.01 (--preferred-challenges dns)


#1

Hi guys,
I’m writing a guide (in Italian) about “how to get wildcard certificates with Let’s Encrypt”.

I’m using certbot 0.26.1.

I successfully got a wildcard certificate with certbot --email mioindirizzo@gmail.com --agree-tos --manual-public-ip-logging-ok certonly --manual --preferred-challenges dns -d 'miosito.com,*.miosito.com'. Easy peasy.

Now I’m trying to understand how the renewal will work. I found conflicting messages around: someone (and the output of the command itself) says that the standard letsencrypt-auto renew will work as usual, someone else says that this won’t work due to --preferred-challenges dns needing a specific API DNS-side.

I suppose that, if the DNS TXT codes generated by the renewal are the same, the renew will work. If the renewal generates new DNS TXT codes, this can’t work.

What should I expect?


#2

Ok, I found my own answer:

letsencrypt-auto renew --force-renewal

The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

So it’s true, you can’t auto-renew without an API :frowning:


#3

You will get a new token when you renew, which will need to be applied to your DNS zone just like the initial one.

Additionally, Certbot will error out on the automated renewal command, unless you provide a --manual-auth-hook flag with the path to a script that will apply the DNS record. Without this, you will need to renew manually every couple months, reapplying the new DNS record each time.

Ideally, you might consider using a DNS authenticator plugin that can talk with your DNS provider (acme.sh has better support for more providers than Certbot, but the gap is narrowing), or use something like acme-dns to handle this for you if your DNS host does not provide an API.
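To make the --manual-auth-hook advice above concrete, here is an added example of what such a hook script looks like; it is not code from this thread or from the Certbot project. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION into the hook's environment; everything else (the publish_record call, the api.example-dns.invalid endpoint, the nameserver used for the propagation check) is an assumed placeholder you would replace with your own provider's API.

```shell
#!/bin/sh
# Added example of a certbot --manual-auth-hook script (not from the original
# thread). Certbot runs it once per name being validated with two variables set:
#   CERTBOT_DOMAIN      the domain being validated (for *.miosito.com this is
#                       miosito.com, so the wildcard and the apex share one record)
#   CERTBOT_VALIDATION  the TXT value certbot expects to find in DNS
# The DNS provider call is a placeholder (assumption); wire in your own API.

# Build the record name certbot will query: _acme-challenge.<domain>
challenge_name() {
    printf '_acme-challenge.%s' "$1"
}

# Render the record in zone-file syntax, useful for reviewing what would be
# published before a real API call is wired in. Low TTL so cleanup is quick.
render_txt_record() {
    printf '%s. 60 IN TXT "%s"' "$(challenge_name "$1")" "$2"
}

# Placeholder for the provider update (assumed API, not a real endpoint).
# Important: ADD a TXT value, do not replace existing ones. For the pair
# 'miosito.com,*.miosito.com' certbot calls this hook twice for the same
# record name with two different values, and both must be present at once.
publish_record() {
    name=$1
    value=$2
    echo "would publish: $(render_txt_record "$name" "$value")" >&2
    # Example of the kind of call you would make here (assumption):
    # curl -fsS -X POST "https://api.example-dns.invalid/zones/$name/txt" \
    #      -H "Authorization: Bearer $DNS_API_TOKEN" \
    #      --data "value=$value"
}

# Certbot queries DNS as soon as the hook exits, so block until an
# authoritative server answers with the new value (max ~5 minutes).
# Uses dig if available; otherwise falls back to a fixed wait.
wait_for_propagation() {
    name=$1
    value=$2
    nameserver=${DNS_CHECK_SERVER:-ns1.example-dns.invalid}   # assumption
    if ! command -v dig >/dev/null 2>&1; then
        sleep 30
        return 0
    fi
    attempt=0
    while [ "$attempt" -lt 30 ]; do
        if dig +short TXT "$name" "@$nameserver" | grep -Fq "\"$value\""; then
            return 0
        fi
        attempt=$((attempt + 1))
        sleep 10
    done
    echo "TXT record for $name not visible after waiting; certbot will likely fail" >&2
    return 1
}

# Entry point: only runs when certbot has provided the variables, so the
# helper functions above can also be sourced and tested on their own.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    record=$(challenge_name "$CERTBOT_DOMAIN")
    publish_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    wait_for_propagation "$record" "$CERTBOT_VALIDATION"
fi
```

Invoke it as certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/auth-hook.sh --manual-cleanup-hook /path/to/cleanup-hook.sh -d 'miosito.com,*.miosito.com'; the cleanup hook receives the same variables and should delete only the value it was given, so stale validation records do not pile up between renewals. Once the hooks are recorded in the renewal configuration, the plain renew command can run from cron without a terminal.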


#4

Thanks @jared.m, I appreciated your detailed answer.

