DEV Community

nabbisen
nabbisen

Posted on • Edited on

Let's Encrypt: Renew Wildcard Certificate With Certbot

In order to revew Let's Encrypt wildcard certificates (via not HTTP-01 challenge but DNS-01 challenge) with certbot, all what to do is to follow the same process of the first time.
Just run:

# certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.<your-domain>" -d <your-domain>
Enter fullscreen mode Exit fullscreen mode

The result begins with:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for <your-domain>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Enter fullscreen mode Exit fullscreen mode

and then is followed by:

Please deploy a DNS TXT record under the name
_acme-challenge.<your-domain> with the following value:

<txt-record-value-given>

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Enter fullscreen mode Exit fullscreen mode

Write <txt-record-value-given> into the DNS TXT record named "_acme-challenge" of the domain.
After a while, press Enter.
The result is:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/<your-domain>/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/<your-domain>/privkey.pem
   Your cert will expire on 2019-10-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Enter fullscreen mode Exit fullscreen mode

Now it's done :)


Besides, if you use:

# certbot renew
Enter fullscreen mode Exit fullscreen mode

the error occurs:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<your-domain>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (<your-domain>) from /etc/letsencrypt/renewal/<your-domain>.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
Enter fullscreen mode Exit fullscreen mode

Top comments (13)

Collapse
 
jgutix profile image
Juan Gutiérrez

The second domain (the one without the wildcard) is no longer necessary, if you type it, certbot will ask for two challenges for the same record so it will fail, it should be just like this:

# certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.<your-domain>"

Collapse
 
nabbisen profile image
nabbisen • Edited

Hello, Juan. Thank you very much for your information 😃
Well, excuse me but I wonder why I succeeded in renewing with multiple -d options of subdomains and domain last week. Therefore, I don't know if I should edit my posts...🤔
Would you mind if I ask some official documentation or release information? I'm sorry I couldn't find anything in eff.org, letsencrypt.org and certbot.eff.org.

Collapse
 
jgutix profile image
Juan Gutiérrez • Edited

I'm not sure if it's documented in any other site, it's just that happened to me. I remember your command worked for me some months ago, but this time (yesterday) only had to do the wildcard one.

Example

Thread Thread
 
nabbisen profile image
nabbisen

Juan, thank you again for the detail. I understand what happened.
I'll try by myself again in a couple of weeks and check the result 😉

Thread Thread
 
nabbisen profile image
nabbisen

@jgutix
Hello, I have finished my latest trial 😃 It was successful today.
I got the same messages you put as image above. I prepared 2 DNS TXT records, waited for a while and then pressed Enter.

Is it possible DNS propagation affects your results: failure first and success next? Hmm, I know, however, you succeeded some months ago. it's just one of my suppositions... 🤔

Thread Thread
 
jgutix profile image
Juan Gutiérrez

@nabbisen forgot to update this, so it turns out it didn't actually renew the root cert, only renew the wildcard since that's the one I ran the command for. This means I had to run twice, one for each wildcard and root domains. But you're saying you only ran the same one? But how so if the DNS record is the same with different values? Maybe you update your post to explain that process, I for one don't know how to do it.

Thread Thread
 
nabbisen profile image
nabbisen

@jgutix
Hello. I'm sorry for my late reply.
As I wrote in my post:

certbot ... -d "*.<your-domain>" -d <your-domain> ...
Enter fullscreen mode Exit fullscreen mode

I used two -d options at the same time. For example, it was certbot ... -d "*.some.domain" -d some.domain ... .
Does it mean to "run twice, one for each wildcard and root domains" as you wrote🙂?

Collapse
 
masedi profile image
Edi Septriyanto

Hi,
is it possible to renew wildcard domain automatically without dns intervention?

Collapse
 
nabbisen profile image
nabbisen • Edited

Hi, Edi,

@daniel15 kindly told me there is help named "acme-dns" :)

The overview described in github repository is:

Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.

Relatively, it seems more difficult than to use certbot renew and cron.

Besides, I haven't used it yet because I'm moving to OpenBSD's acme-client.

Collapse
 
raffieyeah profile image
Rafael

Heddi, thanks for sharing your tutorial. Reading trough the manual, doesn't seem like the openbsd acme-client supports DNS challenge. Any thoughts?

Thread Thread
 
nabbisen profile image
nabbisen

Hello, Rafael.

Sorry that I knew little about non-http-01 challenges with OpenBSD's acme-client.
You might be perhaps right. acme-client's documentation says:

acme-client implements the “http-01” challenge type

According to the original writer, Kristaps, it had -t option to use custom challenges, but they were "too system-specific to provide in a safe manner".

Thread Thread
 
raffieyeah profile image
Rafael

Thanks!

Collapse
 
dineshrathee12 profile image
Dinesh Rathee

LetsEncrypt have revoked around 3 million certs last night due to a bug that they found. Are you impacted by this, Check out ?

DevTo
[+] dev.to/dineshrathee12/letsencrypt-...

GitHub
[+] github.com/dineshrathee12/Let-s-En...

LetsEncryptCommunity
[+] community.letsencrypt.org/t/letsen...