1000 FAQs, 500 tutorials and explanatory videos. Here, there are only solutions!
Renew a "wildcard" certificate via DNS challenge
This guide explains how to renew a wildcard
certificate via DNS challenge using Certbot
.
Preamble
- Make sure to protect the configuration files and scripts containing sensitive information such as API tokens.
- Test the manual and automatic renewal process to ensure everything works correctly before the expiration date of the existing certificate.
Generate the wildcard certificate
Prerequisites
- Click here to access API management on the Manager Infomaniak (need help?).
- Create an Infomaniak API token with the scope "domain".
- Save this token for later use.
From a terminal application (command line interface, CLI) on your device, for example cmd on Windows or Terminal (installed by default on macOS), run the Certbot command with the following parameters:
certbot certonly --manual -d *.domain.tld --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Create the TXT record
Create the TXT record for _acme_challengez.domain.tld
manually from the Infomaniak interface.
Set up automatic renewal
Create the renewal configuration file
Create or edit the file /etc/letsencrypt/renewal/domain.tld.conf
with the following information:
[...]
[renewalparams]
account = xxxxx
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
manual_auth_hook = /root/infomaniak-auth.sh
key_type = rsa
Create the script infomaniak-auth.sh
Create the file /root/infomaniak-auth.sh
with the following content:
#!/bin/bash
INFOMANIAK_API_TOKEN=XXXXXXX
certbot certonly \
--authenticator dns-infomaniak \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos \
--rsa-key-size 4096 \
-d $CERTBOT_DOMAINdsqqds
Replace XXXXXXX
with your Infomaniak API Token.
Automatic renewal
Schedule regular execution of certbot renew
via a cron job to account for the configuration file and automatically renew your certificate at regular intervals.
0 0 */x * * /usr/bin/certbot renew --quiet --config /etc/letsencrypt/renewal/domain.tld.conf
Replace /x
with the desired renewal frequency, for example every 30 days.