Recently I blogged about problems with SSL renewal with LetsEncrypt; you can find that post here. To summarise, I was trying to renew wildcard certificates, but despite Certbot reporting that all was well, it clearly wasn’t.
I’ve now discovered that it was the wildcard portion of my certificate request that was the problem. Despite Certbot telling me all was well and the certificate would be renewed, I’ve now found that wildcard certificates cannot be renewed using the http-01 authenticator.
It seems wildcard certificates need to use a DNS authenticator. This can be difficult, if not impossible, to achieve using automation, because a TXT record (with a value supplied by LetsEncrypt) has to be inserted into the domain’s DNS zone. If your domain registrar doesn’t provide some sort of API access to automate the procedure, you’re stuck; you’d also need some sort of script to make use of that API access.
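To make the DNS authenticator step concrete, here is an added example (not code from the original post or from Certbot) showing where the TXT record goes and how its value is derived, in the form a registrar-API hook script would need. It assumes Certbot’s documented hook environment variables CERTBOT_DOMAIN and CERTBOT_VALIDATION; the account key below is a constructed stand-in, not a real key.

```python
import base64
import hashlib
import json

# Constructed example account key in JWK form. The modulus is a stand-in, not a
# real key; only its canonical encoding matters for the thumbprint computation.
EXAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint)).
    Certbot performs this step itself and hands the result over as CERTBOT_VALIDATION."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(identifier: str) -> str:
    """The TXT record lives at _acme-challenge.<domain>; a wildcard uses its base domain,
    so '*.example.com' and 'example.com' share one record name."""
    domain = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{domain}"


def plan_from_certbot_env(env: dict) -> tuple:
    """What a --manual-auth-hook script must publish via the registrar API."""
    return dns01_record_name(env["CERTBOT_DOMAIN"]), env["CERTBOT_VALIDATION"]


def missing_txt_values(required, published) -> list:
    """Values still absent from the resolver's answer. Check this before letting
    Let's Encrypt validate: one name may legitimately carry several TXT values
    when a wildcard and its base domain are requested together."""
    return sorted(set(required) - set(published))
```

A hook should publish the record, then poll the authoritative name servers with `missing_txt_values` until it returns an empty list, since propagation lag is the usual cause of a failed DNS-01 validation.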
The only solution for me was to ditch the wildcard certificate and create new ones for every hostname that needed one. This took my certificate count for that domain from one to five. When I try the following to simulate certificate renewal:
certbot renew -v --dry-run
all certificates renew successfully. Job done: SSL renewal with LetsEncrypt is alive and well.