loading...

Let's Encrypt: Renew Wildcard Certificate With Certbot

nabbisen profile image Heddi Nabbisen ・2 min read

SSL/TLS certificates with Let's Encrypt (3 Part Series)

1) Let's Encrypt: Certbot For OpenBSD's httpd 2) Let's Encrypt: Wildcard Certificate With Certbot 3) Let's Encrypt: Renew Wildcard Certificate With Certbot

In order to revew Let's Encrypt wildcard certificates (via not HTTP-01 challenge but DNS-01 challenge) with certbot, all what to do is to follow the same process of the first time.
Just run:

# certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.<your-domain>" -d <your-domain>

The result begins with:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for <your-domain>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

and then is followed by:

Please deploy a DNS TXT record under the name
_acme-challenge.<your-domain> with the following value:

<txt-record-value-given>

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Write <txt-record-value-given> into the DNS TXT record named "_acme-challenge" of the domain.
After a while, press Enter.
The result is:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/<your-domain>/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/<your-domain>/privkey.pem
   Your cert will expire on 2019-10-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now it's done :)


Besides, if you use:

# certbot renew

the error occurs:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<your-domain>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (<your-domain>) from /etc/letsencrypt/renewal/<your-domain>.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

SSL/TLS certificates with Let's Encrypt (3 Part Series)

1) Let's Encrypt: Certbot For OpenBSD's httpd 2) Let's Encrypt: Wildcard Certificate With Certbot 3) Let's Encrypt: Renew Wildcard Certificate With Certbot

Posted on Apr 16 '19 by:

nabbisen profile

Heddi Nabbisen

@nabbisen

An ICT designer/developer and a security monk. "With a cool brain and a warm heart", I am challenging unsolved problems in our society. I use OpenBSD/Rust/etc.

Discussion

markdown guide
 

LetsEncrypt have revoked around 3 million certs last night due to a bug that they found. Are you impacted by this, Check out ?

DevTo
[+] dev.to/dineshrathee12/letsencrypt-...

GitHub
[+] github.com/dineshrathee12/Let-s-En...

LetsEncryptCommunity
[+] community.letsencrypt.org/t/letsen...

 

Hi,
is it possible to renew wildcard domain automatically without dns intervention?

 

Hi, Edi,

@daniel15 kindly told me there is help named "acme-dns" :)

The overview described in github repository is:

Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.

Relatively, it seems more difficult than to use certbot renew and cron.

Besides, I haven't used it yet because I'm moving to OpenBSD's acme-client.