
Let's Encrypt: Renew Wildcard Certificate With Certbot

Heddi Nabbisen ・ 2 min read

To renew a Let's Encrypt wildcard certificate with certbot, repeat the same procedure as the initial issuance. Wildcard names can only be validated with the DNS-01 challenge (HTTP-01 is not offered for them), which proves control of the DNS zone rather than of a web server, so the renewal again goes through a TXT record.
Just run:

# certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.<your-domain>" -d <your-domain>

The result begins with:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for <your-domain>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

and then is followed by:

Please deploy a DNS TXT record under the name
_acme-challenge.<your-domain> with the following value:

<txt-record-value-given>

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Create a TXT record named _acme-challenge under the domain, with <txt-record-value-given> as its value.
Because the command asks for both "*.<your-domain>" and <your-domain>, certbot may prompt a second time with a second value. Add it as an additional TXT record under the same name instead of replacing the first one: both values must resolve at the same time, and certbot's prompt says not to undo the previous challenge.
Then wait until the record is actually visible from outside your network rather than just "a while". Check it with

dig +short TXT _acme-challenge.<your-domain> @1.1.1.1

(or against your authoritative name server directly, in case a public resolver has cached an empty answer from an earlier query) and press Enter only when the expected value shows up. If you continue before the record has propagated, the CA's validation fails, and failed validations count against Let's Encrypt's rate limits.
The result is:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/<your-domain>/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/<your-domain>/privkey.pem
   Your cert will expire on 2019-10-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now it's done :)


Note that, for a certificate obtained this way, plain

# certbot renew

does not work. The manual plugin needs someone to type the TXT record at the prompt, and certbot renew runs non-interactively, so it skips the certificate with this error:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<your-domain>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (<your-domain>) from /etc/letsencrypt/renewal/<your-domain>.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

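The error is certbot stating exactly what unattended renewal needs: with the manual plugin, certbot renew only works when a --manual-auth-hook script publishes the TXT record for it (and, optionally, a --manual-cleanup-hook removes it afterwards). The script below is one such hook pair, added here as an illustration; it is not part of the original post and not certbot's own code. It publishes the record through RFC 2136 dynamic updates (nsupdate with a TSIG key), which BIND, Knot and similar servers support, and it also performs the "verify the record is deployed" step from the manual procedure above by polling dig before handing control back to certbot. The name server ns1.example.net, the key path /etc/letsencrypt/acme-dns.key and the 60-second TTL are assumptions to replace with your own.

```shell
#!/bin/sh
# Illustrative certbot --manual-auth-hook / --manual-cleanup-hook for DNS-01,
# driven by RFC 2136 dynamic updates (nsupdate + TSIG). Not certbot's own code.
# certbot exports to the hook:
#   CERTBOT_DOMAIN      the name being validated (a wildcard arrives as its base name)
#   CERTBOT_VALIDATION  the TXT value that must be published
set -eu

NS_SERVER="${NS_SERVER:-ns1.example.net}"              # assumed primary name server
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/acme-dns.key}" # assumed TSIG key file, keep it 0600 root
TTL=60                                                # assumed TTL; short so cleanup is quick

# Map a certbot domain to the challenge owner name; tolerate a leading "*." too.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# nsupdate batch that ADDS one TXT record. "add" rather than "replace" matters:
# a wildcard plus base-name order needs two values live under the same name.
build_add() {
    printf 'server %s\nupdate add %s %s IN TXT "%s"\nsend\n' \
        "$NS_SERVER" "$(challenge_name "$1")" "$TTL" "$2"
}

# nsupdate batch that removes every TXT record at the challenge name.
build_delete() {
    printf 'server %s\nupdate delete %s IN TXT\nsend\n' \
        "$NS_SERVER" "$(challenge_name "$1")"
}

# Poll the name server until the value is visible (or give up), so certbot does
# not ask the CA to validate before the record exists; failed validations are rate limited.
wait_for_txt() {
    name=$(challenge_name "$1"); value=$2; tries=${3:-30}
    while [ "$tries" -gt 0 ]; do
        if dig +short TXT "$name" @"$NS_SERVER" | grep -Fq "\"$value\""; then
            return 0
        fi
        tries=$((tries - 1)); sleep 10
    done
    echo "TXT $name did not appear with the expected value" >&2
    return 1
}

auth_hook() {
    build_add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
    wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
}

cleanup_hook() {
    build_delete "$CERTBOT_DOMAIN" | nsupdate -k "$TSIG_KEY"
}

# Only act when certbot invoked us (CERTBOT_DOMAIN is unset when the file is sourced).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    case "${1:-auth}" in
        auth)    auth_hook ;;
        cleanup) cleanup_hook ;;
        *) echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
    esac
fi
```

Obtain the certificate once with the hooks attached, for example certbot certonly --manual --preferred-challenges dns-01 --manual-auth-hook '/usr/local/bin/acme-hook.sh auth' --manual-cleanup-hook '/usr/local/bin/acme-hook.sh cleanup' -d "*.<your-domain>" -d <your-domain>; certbot records the hooks in /etc/letsencrypt/renewal/<your-domain>.conf, after which certbot renew from cron runs them without anyone at the keyboard. On the DNS side, restrict the TSIG key to the challenge name only (in BIND, update-policy { grant <keyname> name _acme-challenge.<your-domain> TXT; };), so that a compromised host holding the key can add ACME TXT records but cannot rewrite the rest of the zone.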
Discussion

Edi Septriyanto

Hi,
is it possible to renew wildcard domain automatically without dns intervention?

Heddi Nabbisen Author

Hi, Edi,

@daniel15 kindly told me there is a helper called "acme-dns" :)

The overview described in github repository is:

Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.

It seems relatively more difficult than using certbot renew and cron.

Besides, I haven't used it yet because I'm moving to OpenBSD's acme-client.

Rafael

Heddi, thanks for sharing your tutorial. Reading through the manual, it doesn't seem like the OpenBSD acme-client supports the DNS challenge. Any thoughts?

Heddi Nabbisen Author

Hello, Rafael.

Sorry, I know little about non-http-01 challenges with OpenBSD's acme-client.
You might be right. acme-client's documentation says:

acme-client implements the “http-01” challenge type

According to the original writer, Kristaps, it had -t option to use custom challenges, but they were "too system-specific to provide in a safe manner".

Rafael

Thanks!

Dinesh Rathee

Let's Encrypt revoked around 3 million certs last night due to a bug they found. Are you impacted by this? Check out:

- dev.to/dineshrathee12/letsencrypt-...
- github.com/dineshrathee12/Let-s-En...
- community.letsencrypt.org/t/letsen...