
SSL renewal with LetsEncrypt (part 3)

This is the third (and hopefully last) post about my trials and tribulations with SSL renewal with LetsEncrypt. I’d resigned myself to having to ditch wildcard certificates. Instead, I’d have to create a standalone one for every subdomain that needed one.

Recently, I stumbled on some information (don’t ask me how). It claimed it could create wildcard certificates which would automatically renew when required.

The process requires two things: your domain registrar (or whoever manages the DNS for your domain) must offer API access for DNS changes, and someone must have written a script or piece of software that can use that API to make alterations to your domain’s DNS configuration. The reason is that Let’s Encrypt will only issue a wildcard certificate after a DNS-01 challenge, which means placing a TXT record at _acme-challenge.<your domain> for every issuance and every renewal; automating that record is what the API access is for.

My registrar, which manages both my domains and their DNS configuration, is Joker. Whilst it’s not immediately obvious, they do seem to offer API access, even if you don’t have a reseller account.

The next crucial find was a script designed for Joker that, once configured, would create renewable wildcard certificates. That script was certbot-dns-joker. The example command posted on their site implied that I could create one certificate for both the root domain and its wildcard. This wasn’t the case, however, but it was no trouble using this script for the wildcard, and another command for the root domain.

After a bit of experimentation, the command I used to create the wildcard certificate was:

certbot certonly --authenticator dns-joker --dns-joker-propagation-seconds 30 --dns-joker-credentials /etc/letsencrypt/secrets/dh.txt -d *.dannyhorne.com

A renewal dry run shows that the wildcard certificate will be renewed:

root@strangeminds:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/dannyhorne.com-0001.conf

Simulating renewal of an existing certificate for *.dannyhorne.com
Waiting 30 seconds for DNS changes to propagate

Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/dannyhorne.com-0001/fullchain.pem (success)
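Two things the dry run above does not check are worth scripting around the command from this post. The credentials file handed to --dns-joker-credentials holds an API login that can rewrite the whole zone, so it should be readable by its owner only (certbot itself only warns about loose permissions on it). And an automatic renewal only helps if the web server is reloaded afterwards, which certbot can do for you through a --deploy-hook that it stores in the renewal conf and reruns on every real renewal. The script below is an added example, not code from the post or from certbot-dns-joker. Its assumptions, which do not come from the page, are that the credentials file uses the keys dns_joker_username and dns_joker_password, that the web server is nginx, and the placeholder domain and paths.

```shell
#!/bin/sh
# Added example (not code from the original post or from certbot-dns-joker).
# Two helpers around the certbot command used in the post:
#   check_creds  - refuses a DNS-plugin credentials file that is readable by
#                  anyone but its owner or that lacks the keys the plugin needs
#   deploy_hook  - run by certbot after a real renewal; checks the new files
#                  and reloads the web server so it stops serving the old cert
# Assumed, not from the page: the credential keys are dns_joker_username and
# dns_joker_password, the web server is nginx, and the placeholders below.
set -u

DOMAIN=${DOMAIN:-example.com}                      # placeholder domain
CREDS=${CREDS:-/etc/letsencrypt/secrets/dh.txt}    # path from the post

# Return 0 only if $1 is a regular file with mode 600 or 400 and contains both
# expected keys. certbot merely warns about loose permissions on this file;
# a DNS API password that can change your zone deserves a hard stop.
check_creds() {
    f=$1
    [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
    # GNU stat first, BSD stat as fallback; both print the octal mode bits
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f has mode $mode; it must be 600 (chmod 600 $f)" >&2; return 1 ;;
    esac
    for key in dns_joker_username dns_joker_password; do   # assumed key names
        grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$f" || {
            echo "$f: no '$key = ...' line" >&2; return 1; }
    done
    return 0
}

# certbot runs --deploy-hook scripts only when a certificate was actually
# renewed, with RENEWED_LINEAGE (the live/<name> directory) and
# RENEWED_DOMAINS in the environment. "$@" is the reload command to run,
# e.g. systemctl reload nginx; it is executed only once the new files check out.
deploy_hook() {
    lineage=${RENEWED_LINEAGE:-}
    [ -n "$lineage" ] || {
        echo "RENEWED_LINEAGE is not set; run this from certbot --deploy-hook" >&2
        return 1; }
    for f in fullchain.pem privkey.pem; do
        # live/ entries are symlinks into archive/; -s follows them and also
        # catches a dangling link left behind by a half-finished renewal
        [ -s "$lineage/$f" ] || { echo "$lineage/$f missing or empty" >&2; return 1; }
    done
    echo "new certificate for ${RENEWED_DOMAINS:-?} in $lineage"
    [ $# -eq 0 ] || "$@"
}

# Usage:  sh renew-helper.sh issue    (one-off: pre-flight check + wildcard cert)
#         sh renew-helper.sh deploy   (registered as the deploy hook below;
#                                      certbot stores it and reruns it on renew)
# With no argument nothing runs, so the file can also be sourced for the functions.
case "${1:-}" in
    issue)
        check_creds "$CREDS" || exit 1
        certbot certonly --authenticator dns-joker \
            --dns-joker-propagation-seconds 30 \
            --dns-joker-credentials "$CREDS" \
            --deploy-hook "$0 deploy" \
            -d "*.$DOMAIN"
        ;;
    deploy)
        deploy_hook systemctl reload nginx
        ;;
esac
```

Because certbot writes the deploy hook into the renewal conf and runs it later from cron or a systemd timer, invoke the script with an absolute path so that `$0` survives. The 30-second propagation wait is carried over from the post; if the CA reports that the _acme-challenge TXT record was not found, raise it rather than retrying immediately, since the record has to be visible from Let’s Encrypt’s resolvers, not just from your own.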


Hopefully this closes the door on my LetsEncrypt saga, and my SSL renewal with LetsEncrypt posts are over.
