Renew domains using certbot and using DNS challenge
Solution 1:
Updated answer (see original answer below)
In my original answer I focused on the fact that the script you provided is not required when using the renew command. However, I did not make sure the renew command is actually applicable in this scenario.
As cdhowie and bobpaul in the comments state: certbot renew is a non-interactive mode that - in conjunction with the dns challenge - requires you to provide a script via the --manual-auth-hook parameter. Said script must be capable of setting a TXT record. You can also provide another script to clean up afterwards via the --manual-cleanup-hook parameter.
If you provide these parameters, the whole process will run automatically without any interaction.
If you do not provide these parameters, certbot will fail:
/opt/certbot # certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/foobar.w9f.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
If you want to renew your certificates via the manual mode, you must re-run the commands you used to acquire the certificates. In this case, your script is a nice option since the certonly command does not look at the present certificates/configuration and instead requires you to provide the domain names either via the -d parameter or in interactive mode.
when I run "certbot renew", will it renew all of them automatically without using my script?
TL;DR: Yes, it should.
Let us have a look at the documentation of certbot:
As of version 0.10.0, Certbot supports a renew action to check all installed certificates for impending expiry and attempt to renew them. The simplest form is simply
certbot renew
So far, so good.
This command attempts to renew any previously-obtained certificates that expire in less than 30 days.
This should answer your question. Beware: I'm not aware of how well certbot can handle situations where you move the certificates to different directories.
Later in the same paragraph:
The same plugin and options that were used at the time the certificate was originally issued will be used for the renewal attempt, unless you specify other plugins or options. Unlike certonly, renew acts on multiple certificates and always takes into account whether each one is near expiry.
So, yes; certbot should renew all your certificates without the help of your script.
How do I actually create a new certificate using the DNS challenge to start with?
What's wrong with the command you posted at the beginning of your post?
certbot -d example.com --manual --preferred-challenges dns certonly
will acquire a certificate for example.com using the dns challenge.
The steps to create a certificate are:
- Run the certbot command you posted
- Wait for the command to show you a DNS TXT record
- Create that TXT record
- Continue the certbot command
- Get a certificate for the specified domain
- Delete the TXT record (since you only need it for the creation and a new one for the renewal)
If you want to automate that complete process, you might want to have a look at a tool like lego which supports a couple of DNS providers.
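
An added example (not part of the original answer) of one script that can serve as both the --manual-auth-hook and the --manual-cleanup-hook described in the updated answer. It assumes a DNS server that accepts RFC 2136 dynamic updates through nsupdate; the server name, key path, script path and wait time are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer. Use as:
#   certbot renew --manual-auth-hook    "/path/to/acme-dns-hook.sh add" \
#                 --manual-cleanup-hook "/path/to/acme-dns-hook.sh delete"
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
# Assumed, not from the page: the DNS server name, TSIG key path and wait time.
DNS_SERVER="${DNS_SERVER:-ns1.example.net}"
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/acme-tsig.key}"
PROPAGATION_WAIT="${PROPAGATION_WAIT:-30}"
TTL=60

# Print the challenge record name, or fail if the domain is not a plain hostname.
challenge_name() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|-*|*..*|*.) return 1 ;;
    esac
    printf '_acme-challenge.%s.' "$1"
}

# A DNS-01 value is an unpadded base64url SHA-256 digest: exactly 43 characters.
valid_token() {
    [ "${#1}" -eq 43 ] || return 1
    case "$1" in *[!A-Za-z0-9_-]*) return 1 ;; esac
}

# Build the nsupdate batch. $1 = add|delete, $2 = domain, $3 = validation value.
build_update() {
    name=$(challenge_name "$2") || return 1
    valid_token "$3" || return 1
    printf 'server %s\n' "$DNS_SERVER"
    printf 'update %s %s %s TXT "%s"\n' "$1" "$name" "$TTL" "$3"
    printf 'send\n'
}

main() {
    batch=$(build_update "$1" "${CERTBOT_DOMAIN:-}" "${CERTBOT_VALIDATION:-}") || {
        echo "refusing DNS update: unexpected domain or validation value" >&2
        return 1
    }
    printf '%s\n' "$batch" | nsupdate -k "$TSIG_KEY" || return 1
    # Let secondaries catch up before certbot asks the CA to look up the record.
    if [ "$1" = add ]; then sleep "$PROPAGATION_WAIT"; fi
}

# Only act when called as a hook with an explicit action.
case "${1:-}" in
    add|delete) main "$1"; exit $? ;;
esac
```

Keep the TSIG key file readable only by the account that runs certbot, and have the DNS server restrict that key to TXT updates under _acme-challenge, so a leaked key cannot rewrite other records in the zone.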