Wildcard certificate renewal

I need to renew my certificate without a manual DNS entry.

I used the command below to create the certificate:
sudo certbot certonly --email <>email -d *. --agree-tos --manual --server https://acme-v02.api.letsencrypt.org/directory

certbot renew is not working for the wildcard.

No, certbot renew won’t work if you issued the cert in manual mode. You’ll need a DNS host that has a supported API, and a hook script for certbot that knows how to update DNS records at that host. Alternatively, you’ll need a different ACME client that supports your DNS host (acme.sh supports over 50 DNS hosts, for example).

Any time you issue or renew the cert, Let’s Encrypt needs to validate control. If you’re using DNS validation, the records will be different each time.

Thanks for the reply.

I am using Azure DNS. I checked and found acme.sh in the git repo below: https://github.com/Neilpang/acme.sh.

Can you please let me know what command I need to execute to renew my certificate? Do I need to provide additional information, or will it automatically renew the certificate that was created by the command I provided earlier?

acme.sh does support Azure DNS:

When you install acme.sh, it automatically sets up a renewal task, so once you issue the cert with it, renewals should be automatic. So, you’ll need to follow the instructions at the links above (they look the same, but they are two separate links) to issue the cert, and probably update your configuration to use the cert/key files in the location where acme.sh saves them. After that, it should renew automatically from there.

I already have a running certificate. After installing acme.sh, please guide me on the points below, because the website is already running in production and the certificate will expire soon.

  1. Do I need to create a new one, or will just renewing work?
  2. I need a wildcard certificate. The script supports ACME v1 and ACME v2; do I need to specify ACME v2, or will it automatically create a wildcard certificate?
  3. I also have a service principal. Do I need to regenerate it, or can I use the existing one?

You’ll need to create a new one; acme.sh won’t “renew” a cert from certbot.

No, acme.sh should automatically use that.

I’m afraid I don’t understand the question.

Thanks danb35, for your reply.

Let me try with the script. Is there anything I need to set up for renewal, as I can see there is a command for renew as well? But for a renewal test, can I execute the renew command right after creating the certificate, or will it only renew a few days before expiration?

acme.sh --renew-all
should try to renew all certs.
But it will only renew the ones within the last 30 days of cert life.
It does set up a cron job to automatically try to renew them all daily.

Is there any way to test whether renewal is working fine or not after creating the certificate, and to implement scheduling for this?

You can manually force a renewal as a test.
But that should not be necessary; If it got a cert it can and will renew it.
You should use a cert monitoring program to alert you that your cert is nearing expiration (if ever).
Registering an email address with LE will automatically provide that address “alerts”.
A very good third party tool for notifications is: https://keychest.net/

After executing the issue command I got .cer and .key files in my .acme.sh folder. How can we use this certificate with the domain? Do we upload the certificate manually, or will the deploy command work?

Will this script automatically attach the certificate to the appGatewayHttpListener, or do we have to do it manually?

You will need to do it manually. But only once.
The renewals will keep using the same file names in the same location.

rg305 can you please guide me on this… how can I upload it, or is it also manual the first time…
Also, the issue command gives .cer and .key files.

If your site is already TLS enabled, you simply need to update the config to use the newly created files.
I can’t tell from reading through this topic thread if you already have TLS working nor what web server you are using nor what your domain name is…

@danb35 @rg305

My domain is myaddressline.com.
I created a certificate and added it in the Azure App Gateway. After the renew command it created a certificate, but it did not reflect on the site. Do I need to manually upload the renewed certificate again?

I executed the following commands:
./acme.sh --issue --dns dns_azure -d *.myaddressline.com
./acme.sh --install-cert --dns dns_azure -d *.myaddressline.com
./acme.sh --renew --dns dns_azure -d *.myaddressline.com --force
First, confirm that you have a cert: ./acme.sh --list
If none then back to square one.

Otherwise, then do either:

  • update an existing cert used in your web server config
    [update which cert to use]
  • install the new cert into your web server config
    [use cert - first time]

Where, and how, you “install” the cert depends on which web server is used (Apache, IIS, LightSpeed, NGINX, Tomcat, etc.) and whether you have already enabled TLS for that domain.

If this is the first time, then you should review “how to” enable TLS for your specific web server.
If this is an update, then you can use the ./acme.sh --install parameter to update the current path in your config to use the newly created cert.

I have an Azure Application Gateway. The certificate I am using is for the Application Gateway; behind it my application is running as a backend pool in Azure.

Does that use a control panel?
Or do you have to do things manually?

EDIT: I found some related documentation online that show some steps I found … “confusing” at best:

  • Generate .pfx format for azure environment [Why?]
  • Attach this file to application gateway http listener [Why?]
  • Automate the whole process with Azure ARM template [didn’t show how]

EDIT EDIT: This one looks “easier” to follow:

Hi, I already went with this. This is an example for certbot, and I was not able to generate a wildcard certificate using it, so I went for acme.sh. It is generating the certificate and renewing as well, but for installing it with the Application Gateway I am looking for a way to auto-deploy this certificate.
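The thread ends without the missing piece: a hook that acme.sh runs after each renewal to push the new cert into the Application Gateway. Below is an added example (not from the thread, acme.sh, or Azure) of such a `--reloadcmd` script; the resource group, gateway and ssl-cert names are assumed placeholders, and it assumes `openssl` and an authenticated `az` CLI are available.

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh): an acme.sh --reloadcmd
# hook that repackages a renewed wildcard cert as PKCS#12 and pushes it to the
# Azure Application Gateway listener cert. Gateway names are assumed placeholders.
#
# One-time wiring (acme.sh records this and re-runs the reloadcmd on every renewal):
#   acme.sh --install-cert -d '*.myaddressline.com' \
#     --key-file /etc/acme/appgw/key.pem --fullchain-file /etc/acme/appgw/fullchain.pem \
#     --reloadcmd "/usr/local/bin/appgw-deploy.sh /etc/acme/appgw/key.pem /etc/acme/appgw/fullchain.pem"
set -eu

RESOURCE_GROUP="${APPGW_RESOURCE_GROUP:-my-resource-group}"   # assumed placeholder
GATEWAY_NAME="${APPGW_NAME:-my-appgw}"                         # assumed placeholder
CERT_NAME="${APPGW_CERT_NAME:-wildcard-myaddressline}"         # assumed: ssl-cert already bound to the listener

# Build a password-protected .pfx (the format App Gateway accepts) from acme.sh's
# key and fullchain files, readable only by the owner. $1 key, $2 fullchain, $3 out, $4 password
make_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
    chmod 600 "$3"
}

# SHA-256 fingerprint of the leaf cert inside a .pfx; compare it with the cert the
# gateway serves after the upload to confirm the swap actually happened.
pfx_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Replace the cert object in place so the HTTP listener picks it up without any
# listener config change. Needs an authenticated az session; a service principal
# scoped to this gateway resource (not the whole subscription) is enough.
update_appgw_cert() {   # $1 pfx, $2 password
    az network application-gateway ssl-cert update \
        --resource-group "$RESOURCE_GROUP" --gateway-name "$GATEWAY_NAME" \
        --name "$CERT_NAME" --cert-file "$1" --cert-password "$2" --output none
}

deploy() {   # $1 key, $2 fullchain
    workdir="$(mktemp -d)"
    trap 'rm -rf "$workdir"' EXIT          # never leave the PKCS#12 (it holds the private key) on disk
    password="$(openssl rand -hex 16)"     # throwaway export password, valid for this upload only
    make_pfx "$1" "$2" "$workdir/cert.pfx" "$password"
    update_appgw_cert "$workdir/cert.pfx" "$password"
    echo "deployed $(pfx_fingerprint "$workdir/cert.pfx" "$password") to $GATEWAY_NAME/$CERT_NAME"
}

# Run only when invoked with the two file arguments given in --reloadcmd.
if [ "$#" -eq 2 ]; then
    deploy "$1" "$2"
fi
```

Because acme.sh stores the reloadcmd with the cert, a forced `--renew` afterwards exercises the whole path end to end, and the fingerprint it prints can be compared against what the gateway presents.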