CREATIVE CHAOS blog

Certbot Wildcard Autorenew

PUBLISHED ON 15/01/2023 — EDITED ON 11/12/2023 — SYSOPS

Intro

I finally decided to research how to avoid pasting a DNS TXT record by hand every three months.

This tutorial covers Debian 11 with DNS zones hosted on OVH.

Migrating the zones

Export DNS zone from the old DNS server.

Import it to OVH.

https://www.ovh.com/manager/#/web/zone/sablun.org

Change the NS at the domain registrar.

Review the propagation at https://dnschecker.org/#NS/sablun.org

Generate OVH API key

Following https://certbot-dns-ovh.readthedocs.io/en/stable/, create an API key with these rights:

GET /domain/zone/*
PUT /domain/zone/*
POST /domain/zone/*
DELETE /domain/zone/*

Create the credentials file:

/etc/certbot/ovh.ini

# OVH API credentials used by Certbot
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = MDAwMDAwMDAwMDAw
dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw

Installation

I needed to pin the package first:

/etc/apt/preferences

# Letsencrypt
Package: certbot python3-certbot python3-acme python3-acme-abi-1 python3-josepy python3-certbot-dns-ovh
Pin: release a=unstable
Pin-Priority: 900

Install the certbot plugin:

apt install python3-certbot-dns-ovh

Check status:

certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* dns-ovh
Description: Obtain certificates using a DNS TXT record (if you are using OVH
for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-ovh = certbot_dns_ovh._internal.dns_ovh:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Renew the certificate

Old way of renewal:

certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d \*.sablun.org -d sablun.org

New way of renewal:

certbot certonly \
  --dns-ovh \
  --dns-ovh-credentials /etc/certbot/ovh.ini \
  --dns-ovh-propagation-seconds 60 \
  -d \*.sablun.org \
  -d sablun.org
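Before trusting the certbot systemd timer with the new way, two things are worth checking: that the credentials file from the "Generate OVH API key" section is readable only by root (the application secret and consumer key in it are enough to edit every zone the key was granted), and that the renewal config certbot wrote for the domain records the dns-ovh authenticator rather than the old manual flow, since the timer runs a plain `certbot renew` with nobody there to paste a TXT record. The POSIX shell script below is an added example, not from the original post or the certbot project. The layout it expects in a renewal conf (a `[renewalparams]` section with `authenticator` and `dns_ovh_credentials` keys), the use of GNU `stat`, and the fixture paths are assumptions; the fixture files it builds are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for unattended
# certbot renewal with the dns-ovh plugin. Paths and the renewal-conf layout
# (a [renewalparams] section with authenticator / dns_ovh_credentials keys) are
# assumptions; the fixture files built by make_fixture are constructed.
set -u

# The four keys the OVH plugin reads from its credentials ini.
OVH_KEYS="dns_ovh_endpoint dns_ovh_application_key dns_ovh_application_secret dns_ovh_consumer_key"

# check_ovh_ini FILE: succeed only if FILE exists, is not group/world readable
# (mode 600 or 400, read with GNU stat) and defines every dns_ovh_* key with a
# non-empty value.
check_ovh_ini() {
  ini="$1"
  [ -f "$ini" ] || { echo "missing credentials file: $ini" >&2; return 1; }
  mode=$(stat -c '%a' "$ini")
  case "$mode" in
    600|400) ;;
    *) echo "$ini has mode $mode, expected 600 (API secret readable by others)" >&2; return 1 ;;
  esac
  for key in $OVH_KEYS; do
    grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$ini" \
      || { echo "$ini: missing or empty $key" >&2; return 1; }
  done
}

# check_renewal_conf FILE: succeed only if the renewal conf certbot keeps under
# /etc/letsencrypt/renewal/ names dns-ovh as the authenticator (so the timer's
# plain `certbot renew` never falls back to the interactive --manual flow) and
# the credentials file it points at passes check_ovh_ini.
check_renewal_conf() {
  conf="$1"
  [ -f "$conf" ] || { echo "missing renewal conf: $conf" >&2; return 1; }
  grep -Eq '^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*dns-ovh[[:space:]]*$' "$conf" \
    || { echo "$conf: authenticator is not dns-ovh" >&2; return 1; }
  creds=$(sed -n 's/^[[:space:]]*dns_ovh_credentials[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
  [ -n "$creds" ] || { echo "$conf: no dns_ovh_credentials line" >&2; return 1; }
  check_ovh_ini "$creds"
}

# make_fixture: build constructed good and bad files in a temp dir and print
# its path. The key values are the same placeholder strings as in the post.
make_fixture() {
  d=$(mktemp -d)
  printf '%s\n' 'dns_ovh_endpoint = ovh-eu' \
    'dns_ovh_application_key = MDAwMDAwMDAwMDAw' \
    'dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw' \
    'dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw' > "$d/good.ini"
  chmod 600 "$d/good.ini"
  # Same content, but left at the default umask: the secret leaks to every local user.
  cp "$d/good.ini" "$d/world-readable.ini"; chmod 644 "$d/world-readable.ini"
  # Correct mode, but the consumer key was never pasted in.
  grep -v consumer_key "$d/good.ini" > "$d/incomplete.ini"; chmod 600 "$d/incomplete.ini"
  printf '%s\n' '[renewalparams]' 'authenticator = dns-ovh' \
    "dns_ovh_credentials = $d/good.ini" 'dns_ovh_propagation_seconds = 60' > "$d/dns-ovh.conf"
  # What a certificate issued the "old way" leaves behind: renewal needs a human.
  printf '%s\n' '[renewalparams]' 'authenticator = manual' 'pref_challs = dns-01,' > "$d/manual.conf"
  echo "$d"
}

# Check a real renewal conf when a path is given on the command line, e.g.
#   sh check-renewal.sh /etc/letsencrypt/renewal/sablun.org.conf
if [ $# -gt 0 ]; then
  check_renewal_conf "$1" && echo "ok: $1 is ready for unattended renewal"
fi
```

Run it against the renewal conf certbot created for the domain after the first successful `certbot certonly --dns-ovh` run; if it passes, `certbot renew --dry-run` followed by `systemctl list-timers certbot.timer` confirms the timer will do the rest. The mode check matters because certbot itself only warns about a world-readable credentials file, it does not refuse to use it.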

See Also