Renew domains using certbot and using DNS challenge
Updated answer (see original answer below)
In my original answer I focused on the fact that the script you provided is not required when using the renew command. However, I did not make sure the renew command is actually applicable in this scenario.
As cdhowie and bobpaul in the comments state: certbot renew is a non-interactive mode that - in conjunction with the dns challenge - requires you to provide a script via the --manual-auth-hook parameter. Said script must be capable of setting a TXT record. You can also provide another script to clean up afterwards via the --manual-cleanup-hook parameter.
If you provide these parameters, the whole process will run automatically without any interaction.
If you do not provide these parameters, certbot will fail:
/opt/certbot # certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/foobar.w9f.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
If you want to renew your certificates via the manual mode, you must re-run the commands you used to acquire the certificates. In this case, your script is a nice option since the certonly command does not look at the present certificates/configuration and instead requires you to provide the domain names either via the -d parameter or in interactive mode.
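A worked example of the hook pair the updated answer describes, added here and not part of the original answer: one POSIX shell script that serves as both --manual-auth-hook (argument "add") and --manual-cleanup-hook (argument "delete") and pushes the _acme-challenge TXT record through nsupdate (RFC 2136). The TSIG key path, the install path /usr/local/bin/acme-dns-hook and the 30-second propagation pause are assumptions, not certbot defaults.

```shell
#!/bin/sh
# Added example, not from the original answer: one script that serves as both
# --manual-auth-hook (argument "add") and --manual-cleanup-hook (argument
# "delete"). certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook;
# the script turns them into an RFC 2136 nsupdate batch. Assumptions: the zone
# accepts dynamic updates signed with the TSIG key in TSIG_KEY_FILE (path below
# is a placeholder) and the script is installed as /usr/local/bin/acme-dns-hook.
TSIG_KEY_FILE="${TSIG_KEY_FILE:-/etc/letsencrypt/acme-tsig.key}"

# Accept only a plain hostname and a base64url token, so nothing unexpected can
# be spliced into the update batch.
valid_domain()     { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'; }
valid_validation() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'; }

# The CA looks up _acme-challenge.<domain> (trailing dot = absolute name).
acme_record_name() { printf '_acme-challenge.%s.' "$1"; }

# Print the nsupdate batch for "add" or "delete". The whole RRset is deleted
# first so tokens from earlier renewals do not pile up in the zone.
build_nsupdate_batch() {
  action="$1"; domain="${2#\*.}"; validation="$3"   # "*.x" is validated at "x"
  valid_domain "$domain" || { echo "refusing domain: $domain" >&2; return 1; }
  rr=$(acme_record_name "$domain")
  case "$action" in
    add)
      valid_validation "$validation" || { echo "refusing validation token" >&2; return 1; }
      printf 'update delete %s TXT\nupdate add %s 60 TXT "%s"\nsend\n' "$rr" "$rr" "$validation" ;;
    delete)
      printf 'update delete %s TXT\nsend\n' "$rr" ;;
    *)
      echo "usage: $0 add|delete" >&2; return 2 ;;
  esac
}

# Entry point when certbot runs the hook (skipped when sourced without arguments).
if [ "${1:-}" = add ] || [ "${1:-}" = delete ]; then
  build_nsupdate_batch "$1" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" |
    nsupdate -k "$TSIG_KEY_FILE" || exit 1
  # The manual plugin does not wait for propagation: give the secondaries a
  # moment before certbot tells the CA to look the record up.
  if [ "$1" = add ]; then sleep 30; fi
fi
```

Pass the two invocations as `--manual-auth-hook "/usr/local/bin/acme-dns-hook add" --manual-cleanup-hook "/usr/local/bin/acme-dns-hook delete"` once on the certonly run; certbot stores them in the renewal conf and reuses them on renew.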
when I run "certbot renew", will it renew all of them automatically without using my script?
TL;DR: Yes, it should.
Let us have a look at the documentation of certbot:
As of version 0.10.0, Certbot supports a renew action to check all installed certificates for impending expiry and attempt to renew them. The simplest form is simply
certbot renew
So far, so good.
This command attempts to renew any previously-obtained certificates that expire in less than 30 days.
This should answer your question. Beware: I'm not aware how well certbot can handle situations where you move the certificates to different directories.
Later in the same paragraph:
The same plugin and options that were used at the time the certificate was originally issued will be used for the renewal attempt, unless you specify other plugins or options. Unlike certonly, renew acts on multiple certificates and always takes into account whether each one is near expiry.
So, yes; certbot should renew all your certificates without the help of your script.
How do I actually create a new certificate using the DNS challenge to start with?
What's wrong with the command you posted at the beginning of your post?
certbot -d example.com --manual --preferred-challenges dns certonly will acquire a certificate for example.com using the dns challenge.
The steps to create a certificate are:
- Run the certbot command you posted
- Wait for the command to show you a DNS TXT record
- Create that TXT record
- Continue the certbot command
- Get a certificate for the specified domain
- Delete the TXT record (since you only need it for the creation and a new one for the renewal)
If you want to automate that complete process, you might want to have a look at a tool like lego which supports a couple of DNS providers.
Merc
Updated on September 18, 2022
Comments
- Merc (3 months)
I created several SSL certificates for several domains using the standalone method. I am only interested in the certificates, without server integration.
They are now for renewal. So, I ran:
certbot -d example.com --manual --preferred-challenges dns certonly
And followed the instructions for each domain (adding the required DNS entry for each one). This way, I didn't have to stop the server and got my new certificates.
My (vague) understanding of it all is that there is no current way to renew certificates automatically using the DNS challenge. Or maybe you can't renew certificates automatically for the "manual" method?
Anyhow, I wrote this script:
#!/bin/bash
# Iterate over the renewal confs; the lineage name is the file name without
# the "renewal/" prefix (8 chars) and the ".conf" suffix (5 chars).
for i in renewal/*; do
  n=${i:8:-5}
  echo "$n"
  # echo "\n" | certbot --text --agree-tos -d "$n" --manual --preferred-challenges dns --expand --renew-by-default --manual-public-ip-logging-ok certonly
done
At this point, in the renewal directory ALL of the domains have:
authenticator = manual
And:
pref_challs = dns-01
Questions:
Now... when I run "certbot renew", will it renew all of them automatically without using my script?
How do I actually create a new certificate using the DNS challenge to start with?
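An added check, not part of the question or the answer, that lists in advance which lineages in the renewal directory are in exactly this state (authenticator = manual, no manual_auth_hook) and would therefore hit the PluginError quoted in the answer when certbot renew runs unattended. The two sample confs it writes are constructed; the hook path in them is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: audit certbot's renewal configs
# and list the lineages that 'certbot renew' will refuse non-interactively,
# i.e. authenticator = manual but no manual_auth_hook. The directory is
# certbot's default; the confs written by write_demo_confs are constructed.

# Value of one "key = value" line; certbot writes pref_challs with a trailing
# comma ("dns-01,"), which is stripped along with surrounding whitespace.
conf_get() {
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n1 |
    sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:],]*$//'
}

# Verdict for one conf: not-manual | hooked | needs-hook
classify_conf() {
  if [ "$(conf_get "$1" authenticator)" != manual ]; then echo not-manual
  elif [ -n "$(conf_get "$1" manual_auth_hook)" ]; then echo hooked
  else echo needs-hook
  fi
}

# One line per lineage (name, preferred challenge, verdict). Returns 1 if any
# lineage would fail a non-interactive renew, so a cron job can alert on it.
audit_renewal_dir() {
  rc=0
  for conf in "${1:-/etc/letsencrypt/renewal}"/*.conf; do
    [ -e "$conf" ] || continue
    verdict=$(classify_conf "$conf")
    printf '%s\t%s\t%s\n' "$(basename "$conf" .conf)" \
      "$(conf_get "$conf" pref_challs)" "$verdict"
    if [ "$verdict" = needs-hook ]; then rc=1; fi
  done
  return $rc
}

# Constructed sample data: example.com is configured like the asker's domains,
# example.org additionally has an auth hook (path is a placeholder).
write_demo_confs() {
  printf '[renewalparams]\nauthenticator = manual\npref_challs = dns-01,\n' \
    > "$1/example.com.conf"
  { printf '[renewalparams]\nauthenticator = manual\npref_challs = dns-01,\n'
    printf 'manual_auth_hook = /usr/local/bin/acme-dns-hook add\n'; } \
    > "$1/example.org.conf"
}

# "sh audit.sh demo" prints the report for the constructed confs.
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); write_demo_confs "$d"; audit_renewal_dir "$d" || true; rm -rf "$d"
fi
```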
- Merc (about 5 years): Fantastic, will let you know if it works in a couple of months!
- cdhowie (over 4 years): This answer is incorrect. certbot renew does not support the manual method without a script.
- bobpaul (almost 4 years): Yeah, so generally don't use --manual. The entire purpose of --manual is to force interactive mode. But you can use DNS plugins like aws or digitalocean for certonly without the --manual option and they will renew automatically before 90 days.
- malte (almost 4 years): Thanks for the input, I've updated the answer.