I have a web server on which I apply different rewrite rules in order to redirect all http(s)://*.website.com requests to the same URL : https://website.com. Everything is working fine as expected.
Now, I would like to make the renewing of certificates (built by letsencrypt) in an automatic way.
Unfortunately, for the moment, I have to do it manually and the ideal is to do it by a simple script called from a crontab (I would like to renew certificates every 2 months).
Currently, I am using the following script certbot-auto (from https://github.com/certbot/certbot/blob/master/certbot-auto) this way :
./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -d website.com -d *.website.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096
Here the output I get from this command :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/website.com.conf with version 0.31.0 of Certbot. This might not work.
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for website.com
dns-01 challenge for website.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:
j-iC2Fywptdjn_MX4UQCTzDJ5FiuyyZiosVaZYTZxNA
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:
eO1eVTi4cPTpZYcuAkrqqYpRcPIobayhPawvtLNqBpU
Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/website.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/website.com/privkey.pem
Your cert will expire on 2020-06-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
(23) Failed writing body
As you can see, I have to put manually on my VPS DNS account 2 TXT fields named _acme-challenge.website.com and containing :
j-iC2Fywptdjn_MX4UQCTzDJ5FiuyyZiosVaZYTZxNA
and
eO1eVTi4cPTpZYcuAkrqqYpRcPIobayhPawvtLNqBpU
I wonder if there is a way to automate this registration of TXT fields or if there is another way to launch a simple command or script in crontab (executed every 2 months) to avoid all these manual operations ?
All of this seem to be relatively heavy to do each time I want to renew these certificates (4 files below) :
$ ls /etc/letsencrypt/live/website.com/
privkey.pem@ fullchain.pem@ chain.pem@ cert.pem@
The registration of DNS TXT-Records can be automated if you access to programmatically modify records - so you own the DNS server or your provider has an API for you.
Here are some: