Renewing a "wildcard" certificate by DNS challenge
This guide explains how to renew a wildcard certificate via DNS challenge using Certbot.
Create an Infomaniak API token
To this end:
- Access API management in the Infomaniak Manager.
- Create an API token with the "domain" scope.
- Note this token for further use.
Generate wildcard certificate
Run the Certbot command with the following settings:
certbot certonly --manual -d "*.domain.tld" --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Create TXT record
Create the TXT record for _acme-challenge.domain.tld manually from the Infomaniak interface.
Configure autorenewal
Create the renewal configuration file
Create or edit the file /etc/letsencrypt/renewal/domain.tld.conf with the following information:
[...]
[renewalparams]
account = xxxxx
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
manual_auth_hook = /root/infomaniak-auth.sh
key_type = rsa
Create the infomaniak-auth.sh script
Create the file /root/infomaniak-auth.sh with the following content:
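#!/bin/bash
# The dns-infomaniak plugin reads the token from the environment, so export it.
export INFOMANIAK_API_TOKEN=XXXXXXX
# CERTBOT_DOMAIN is set by Certbot when it calls this hook.
certbot certonly \
--authenticator dns-infomaniak \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos \
--rsa-key-size 4096 \
-d "$CERTBOT_DOMAIN"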
Replace XXXXXXX with your Infomaniak API token.
Automatic renewal
Schedule certbot renew to run regularly via a cron task, so that the configuration file is taken into account and your certificate is renewed automatically at regular intervals:
0 0 */x * * /usr/bin/certbot renew --quiet --config /etc/letsencrypt/renewal/domain.tld.conf
Replace x in */x with the desired frequency of renewal, e.g. every 30 days.
Important remarks
- Protect configuration files and scripts containing sensitive information such as API tokens.
- Test the manual and automatic renewal process to ensure that everything works properly before the expiry date of the existing certificate.
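One way to act on the first remark, as an added example that is not part of the original guide: a POSIX shell audit that checks a token-bearing file is a regular file, owned by the user running the audit, and closed to group and others. The function names are hypothetical; the paths in the usage comment are the ones this guide uses.

```sh
#!/bin/sh
# Added example: audit the files from this guide that hold the API token.

# Print "<octal mode> <owner uid>" for a file (GNU stat, then BSD stat).
file_info() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1" 2>/dev/null
}

# Return 0 only if the file can safely hold a secret:
#   - it is a regular file, not a symlink that could be redirected,
#   - it is owned by the user running the audit (root for this guide),
#   - group and others have no permission bits (mode & 077 == 0).
check_secret_file() {
    csf_path=$1
    if [ -L "$csf_path" ] || [ ! -f "$csf_path" ]; then
        echo "FAIL $csf_path: missing, or not a regular file"
        return 1
    fi
    csf_info=$(file_info "$csf_path") || { echo "FAIL $csf_path: stat failed"; return 1; }
    csf_mode=${csf_info% *}
    csf_owner=${csf_info#* }
    if [ "$csf_owner" != "$(id -u)" ]; then
        echo "FAIL $csf_path: owned by uid $csf_owner, not the auditing user"
        return 1
    fi
    if [ $(( 0$csf_mode & 077 )) -ne 0 ]; then
        echo "FAIL $csf_path: mode $csf_mode is open to group/others (chmod 600 or 700)"
        return 1
    fi
    echo "OK   $csf_path: mode $csf_mode"
}

# Check every path given; the return value is the number of failures.
audit_secret_files() {
    asf_failures=0
    for asf_path in "$@"; do
        check_secret_file "$asf_path" || asf_failures=$((asf_failures + 1))
    done
    return "$asf_failures"
}

# Stand-alone use, as root:
#   sh audit.sh /root/infomaniak-auth.sh /etc/letsencrypt/renewal/domain.tld.conf
if [ "$#" -gt 0 ]; then
    audit_secret_files "$@"
    exit $?
fi
```

A non-zero exit status gives the number of files that failed, so the audit can gate a deployment script or a monitoring check.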