On Fri, 11 Jun 2021 09:17:27 +0100 Mark Rogers mark@more-solutions.co.uk allegedly wrote:
> [ Deletia ]
> I have a couple of domains with Let's Encrypt wildcard certificates. Creating the certs manually is easy (if a bit laborious): add the specified _acme-challenge DNS entry and a handful of files under docroot .well-known/acme-challenge. But they can't be renewed automatically so every three months I need to go through the whole process again.
> [ Deletia ]
> Has anyone done this, or otherwise automated wildcard certificate renewals where the DNS isn't in a supported provider?
I'm not sure if this will help you because my use case is slightly different, but I do use certbot to generate (and keep up to date) my letsencrypt certificates. (See https://baldric.net)
As you will see, I use a single cert to cover multiple domains (and subdomains, but no wild cards).
My initial certificate creation took the form:
"certbot certonly --webroot -w /home/letsencrypt -d pump.rlogin.net -d rlogin.net -d www.rlogin.net -d 2e100.net -d www.2e100.net -d baldric.net -d www.baldric.net -d rfc-821.net -d www.rfc-821.net"
I do something similar to get a standalone cert on my mailserver to cover the mail domains:
"certbot -n --agree-tos --email admin@rlogin.net --standalone certonly -d mail.rlogin.net -d smtp.rlogin.net -d tap.rlogin.net"
The point here is that certbot thereafter autorenews 30 days before expiry. So on my webserver the SSL configuration points to the privkey, cert and fullchain pem files via symlinks to the files in the letsencrypt directory. I simply run a cron job to restart lighttpd so that it catches the certificate renewal.
My mailserver setup is slightly more complex because I need to run a webserver there for postfix admin. The certbot standalone option uses its own inbuilt webserver so to avoid conflict I run my own servers on non-standard ports. Here again though, my dovecot and postfix configurations simply point to the fullchain and privkey pem files in the letsencrypt directory.
My point in going over this is that you /could/ do something similar if you do not really need to use wildcards in your certificates. For example, if you need certs for www.example.com, example.com, support.example.com, accounts.example.com and so on, then you could use the certbot webroot method to get a single cert covering all of them. Of course your web config must then include .well-known subdirectories for each subdomain, but I find that acceptable and manageable.
---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
---------------------------------------------------------------------
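The reply's suggestion is to list every hostname explicitly in one certificate instead of using a wildcard. The following added example (not code from either poster) checks which required hostnames an existing certificate's SAN list already covers, applying the usual wildcard rule that `*.example.com` matches exactly one label and not the apex, and builds the extra `-d` arguments a certbot webroot run would need. The SAN list and hostnames are constructed sample values.

```python
"""Compare a certificate's SAN list against the hostnames a site really serves
and work out which names a certbot webroot run still has to request."""
from typing import Iterable, List


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard may only be the whole leftmost label,
    it matches exactly one label, and it never covers the bare apex domain."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]   # what stands in for the "*"
    return bool(leftmost) and "." not in leftmost


def uncovered(sans: Iterable[str], required: Iterable[str]) -> List[str]:
    """Required hostnames that no SAN entry covers (input order, de-duplicated)."""
    sans = list(sans)
    missing: List[str] = []
    for name in required:
        if name.lower() in (m.lower() for m in missing):
            continue
        if not any(san_matches(san, name) for san in sans):
            missing.append(name)
    return missing


def certbot_domain_args(sans: Iterable[str], required: Iterable[str]) -> List[str]:
    """argv fragment ("-d", host, "-d", host, ...) for the names still needed,
    ready to append to 'certbot certonly --webroot -w <dir>'."""
    args: List[str] = []
    for name in uncovered(sans, required):
        args += ["-d", name]
    return args


if __name__ == "__main__":
    # Constructed sample data: SANs of a hypothetical existing cert and the
    # hostnames the web config actually answers for.
    existing = ["example.com", "www.example.com"]
    wanted = ["example.com", "www.example.com",
              "support.example.com", "accounts.example.com"]
    print("still uncovered:", uncovered(existing, wanted))
    print("certbot certonly --webroot -w /var/www/letsencrypt",
          *certbot_domain_args(existing, wanted))
```

Running it with a SAN list containing `*.example.com` instead shows that the wildcard leaves deeper names such as `a.b.example.com` and the apex `example.com` uncovered, which is the trade-off the thread is discussing.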