Sometimes you can't find the answer to your question online. This is one of those examples where the answers seem plentiful but I can't get my head around them.
I have a couple of domains with Let's Encrypt wildcard certificates. Creating the certs manually is easy (if a bit laborious): add the specified _acme-challenge DNS entry and a handful of files under docroot .well-known/acme-challenge. But they can't be renewed automatically so every three months I need to go through the whole process again.
Reading the docs, if my DNS is with one of the supported DNS providers (e.g. DigitalOcean, who I have an account with) then it can be automated via the API (the files under docroot I think can be automated with the --apache plugin?) but that's not where my DNS is. The docs suggest that I can use a CNAME but don't go beyond that.
Has anyone done this, or otherwise automated wildcard certificate renewals where the DNS isn't in a supported provider?
Also (probably simpler): once the certificate is created, can all the .acme-challenge files and DNS records be deleted?
On Fri, 11 Jun 2021 09:17:27 +0100 Mark Rogers mark@more-solutions.co.uk allegedly wrote:
[ Deletia ]
I have a couple of domains with Let's Encrypt wildcard certificates. Creating the certs manually is easy (if a bit laborious): add the specified _acme-challenge DNS entry and a handful of files under docroot .well-known/acme-challenge. But they can't be renewed automatically so every three months I need to go through the whole process again.
[ Deletia ]
Has anyone done this, or otherwise automated wildcard certificate renewals where the DNS isn't in a supported provider?
Mark
I'm not sure if this will help you because my use case is slightly different, but I do use certbot to generate (and keep up to date) my letsencrypt certificates. (See https://baldric.net)
As you will see, I use a single cert to cover multiple domains (and subdomains, but no wild cards).
My initial certificate creation took the form:
"certbot certonly --webroot -w /home/letsencrypt -d pump.rlogin.net -d rlogin.net -d www.rlogin.net -d 2e100.net -d www.2e100.net -d baldric.net -d www.baldric.net -d rfc-821.net -d www.rfc-821.net"
I do something similar to get a standalone cert on my mailserver to cover the mail domains:
"certbot -n --agree-tos --email admin@rlogin.net --standalone certonly -d mail.rlogin.net -d smtp.rlogin.net -d tap.rlogin.net"
The point here is that certbot thereafter autorenews 30 days before expiry. So on my webserver the SSL configuration points to the privkey, cert and fullchain pem files via symlinks to the files in the letsencrypt directory. I simply run a cron job to restart lighttpd so that it catches the certificate renewal.
My mailserver setup is slightly more complex because I need to run a webserver there for postfix admin. The certbot standalone option uses its own inbuilt webserver so to avoid conflict I run my own servers on non-standard ports. Here again though, my dovecot and postfix configurations simply point to the fullchain and privkey pem files in the letsencrypt directory.
My point in going over this is that you /could/ do something similar if you do not really need to use wildcards in your certificates. For example, if you need certs for www.example.com, example.com, support.example.com, accounts.example.com and so on, then you could use the certbot webroot method to get a single cert covering all of them. Of course your web config must then include .well-known subdirectories for each subdomain, but I find that acceptable and manageable.
HTH
Mick
---------------------------------------------------------------------
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
---------------------------------------------------------------------
On Sun, 20 Jun 2021 at 14:26, mick mbm@rlogin.net wrote:
[ Biggus Snippus of extremely useful info, thank you]
My point in going over this is that you /could/ do something similar if you do not really need to use wildcards in your certificates.
It is certainly the wildcard issue that is the key, and I am now wondering how important it is to me.
The reason I have it is that I have a multi-site WordPress. Each site is notionally <sitename>.<myhostname>, although most also then have their own domains on top. Using wildcards is easier than having to add each new <sitename> to the configuration, but actually that happens fairly infrequently compared with the 3mo SSL cert renewal I have to do manually now due to the wildcard.
That said, as there is a mechanism for auto-renewal via DNS using a select list of hosts with APIs, and (it seems) a way to do that via CNAMEs rather than moving the DNS of the domain itself, I would prefer to get that working. But I can't for the life of me work out how it's supposed to hang together!
Thanks for the info though, I think I need to sit down and think about how I'm doing SSL in general.
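The CNAME approach Mark is asking about, shown as an added example that is not code from anyone in this thread: the CA queries TXT at _acme-challenge.<domain> and follows CNAMEs, so a one-off CNAME at the unsupported provider can point that name into a zone an API can write to (the record names, the in-memory `RECORDS` dict standing in for the provider API, and the validation strings are all constructed for the example; in a real certbot --manual-auth-hook the domain and TXT value arrive as CERTBOT_DOMAIN and CERTBOT_VALIDATION).

```python
import os


def challenge_name(domain: str) -> str:
    """DNS-01 name the CA queries. A wildcard '*.example.com' is validated at
    the same name as 'example.com', so both names in one cert share it."""
    bare = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + bare


def resolve_txt(records: dict, name: str, max_hops: int = 8):
    """Follow CNAMEs the way a validating resolver does; return (final name, TXT values)."""
    seen = []
    while len(seen) < max_hops:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.append(name)
        rrset = records.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]
            continue
        return name, list(rrset.get("TXT", []))
    raise ValueError("too many CNAME hops")


def publish_validation(records: dict, domain: str, validation: str) -> str:
    """What an auth hook must do: write the TXT where the CNAME chain ends
    (the API-driven zone), not at the domain whose DNS cannot be automated.
    'records' stands in for the provider API here (assumption for the example)."""
    target, _ = resolve_txt(records, challenge_name(domain))
    records.setdefault(target, {}).setdefault("TXT", []).append(validation)
    return target


def ca_would_accept(records: dict, domain: str, validation: str) -> bool:
    """The CA's check: TXT at _acme-challenge.<domain>, CNAMEs followed."""
    _, values = resolve_txt(records, challenge_name(domain))
    return validation in values


# Constructed zone data: example.com sits at a provider with no API, so one CNAME
# is added there by hand; acme.example.net is the zone an API can write TXT into.
RECORDS = {
    "_acme-challenge.example.com": {"CNAME": "example-com.acme.example.net"},
}

if __name__ == "__main__":
    domain = os.environ.get("CERTBOT_DOMAIN", "*.example.com")
    validation = os.environ.get("CERTBOT_VALIDATION", "constructed-validation")
    print("TXT written at", publish_validation(RECORDS, domain, validation))
    print("CA check passes:", ca_would_accept(RECORDS, domain, validation))
```

A certificate covering both example.com and *.example.com needs two TXT values at the same delegated name, which is why the hook appends rather than replaces; the TXT records only need to exist while the order is being validated and can be removed again by a cleanup hook once the certificate is issued.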