Renewal of cert when using manual dns-01

I use certbot with http-01. Now my needs changed so I need a wildcard cert, and I read that I must change to dns-01.

My domain registrar doesn’t have an API, so I can’t use automation. I read in the docs that I must perform cert issuance “manually” - i.e. copy-paste by hand into a TXT record in my zonefile.

What about renewal - will I need to perform this manual action every 90 days, or is there an automated approach once the TXT is in place?

The record will change at every renewal, yes. (More specifically, the record will change at least every 30 days, but the size of the interval is subject to change).

The easiest thing is to just pick a DNS host that does have an API. Cloudflare is free and has very fast anycast authoritative servers.

There are other solutions that don’t involve changing DNS hosts, though.

One is alias mode, where you set up _acme-challenge.example.com to be a CNAME to another domain, which you combine either with a client that supports alias mode or a higher level solution like acme-dns. Note though, that this requires having a second domain name.

You can also evaluate whether you really need a wildcard. Granted, sometimes you really do need one, but other times where it is for the sake of convenience, you can substitute a wildcard for a certificate with up to 100 subdomains.

Thanks for the info!

The acme-dns tool is very interesting, I’ve been reading the docs there before your answer. Please tell me if I understand correctly:

  • I add a subdomain foo.example.com
  • I add an NS record for foo, pointing to my VPS
  • On my VPS I set up acme-dns to perform dns-01 challenges
  • …and so this process is automated every 90 days

And so I now have a cert for *.example.com.

But you said I will need another domain?

Yes, you’re right - another zone* rather than another domain. foo.example.com would be a separate zone to example.com.

You do still need to use an ACME client (https://github.com/joohoi/acme-dns#clients) to actually issue the certificate, but otherwise, you seem to understand it perfectly.

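The delegation described in the two posts above (a CNAME from _acme-challenge.example.com into a separate sub-zone whose NS record points at the acme-dns host) is easy to get subtly wrong, and a broken chain only shows up at renewal time. This is an added example, not code from the thread or from acme-dns: it parses a constructed BIND-style zone snippet and checks the chain before renewals are left unattended. The names foo.example.com, vps.example.com and 192.0.2.10 are constructed.

```python
# Added example (not from the thread or from acme-dns): verify that the zone
# records for "alias mode" really hand dns-01 for example.com to the acme-dns
# host. Records and names below are constructed for illustration.
SAMPLE_ZONE = """
example.com.                 3600 IN NS    ns1.registrar.example.
foo.example.com.             3600 IN NS    vps.example.com.   ; delegate foo to the VPS
vps.example.com.             3600 IN A     192.0.2.10
_acme-challenge.example.com. 300  IN CNAME abc123.foo.example.com.
"""

def parse_zone(text):
    """Return (owner, type, rdata) tuples from 'owner [ttl] [IN] type rdata' lines."""
    records = []
    for raw in text.splitlines():
        fields = raw.split(";")[0].split()        # drop comments and blank lines
        if not fields:
            continue
        owner, rest = fields[0].lower(), fields[1:]
        if rest and rest[0].isdigit():             # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":       # optional class
            rest = rest[1:]
        records.append((owner, rest[0].upper(), " ".join(rest[1:]).lower()))
    return records

def check_alias_delegation(records, domain, acme_dns_host):
    """(True, cname_target) if _acme-challenge.<domain> is CNAMEd into a sub-zone
    delegated by NS to acme_dns_host; otherwise (False, reason)."""
    domain = domain.rstrip(".") + "."
    acme_dns_host = acme_dns_host.rstrip(".") + "."
    challenge = "_acme-challenge." + domain
    cnames = [r for o, t, r in records if o == challenge and t == "CNAME"]
    others = [t for o, t, _ in records if o == challenge and t != "CNAME"]
    if not cnames:
        return False, f"no CNAME at {challenge}"
    if others:  # a CNAME may not share its name with any other record type
        return False, f"{challenge} also has {others}; CNAME must stand alone"
    target = cnames[0]
    labels = target.rstrip(".").split(".")
    for i in range(len(labels)):                   # walk up to the closest NS cut
        zone = ".".join(labels[i:]) + "."
        ns = {r for o, t, r in records if o == zone and t == "NS"}
        if ns:
            if zone == domain:
                return False, f"{target} lies in {domain} itself, not a separate zone"
            if acme_dns_host not in ns:
                return False, f"{zone} is delegated to {sorted(ns)}, not {acme_dns_host}"
            return True, target
    return False, f"no NS delegation found above {target}"
```

Run it against a dump of your real zone before the first renewal is due; the failure reasons map directly onto the mistakes discussed in the thread (no CNAME, wrong NS target, or the challenge name not being in a separate zone).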

Oh! I thought I must use certbot.

Thanks for your advice!

You can definitely keep using Certbot if you’re already using it - there’s an acme-dns hook available for it: https://github.com/joohoi/acme-dns-certbot-joohoi


By the way, I will take your advice and simply add subdomains to my cert. You are right, it’s easier.

(The only downside is a wildcard is better because it “hides” your subdomains, so bad guys don’t know about them and attack them!)

Hah, I often lament the death of redacted precertificates :(. Just today I set up a wildcard for a business to avoid disclosing our customer list.
