I created several SSL certificates for several domains using the standalone method. I am only interested in the certificates, without server integration.
They are now up for renewal.
So, I ran:
certbot -d example.com --manual --preferred-challenges dns certonly
And followed the instructions for each domain (adding the required DNS entry for each one). This way, I didn't have to stop the server and got my new certificates.
My (vague) understanding of it all is that there is no current way to renew certificates automatically using the DNS challenge. Or maybe you can't renew certificates automatically for the "manual" method?
Anyhow, I wrote this script:
#!/bin/bash
# Walk the renewal configs, e.g. renewal/example.com.conf
for i in renewal/*.conf; do
    # Strip the leading "renewal/" (8 chars) and the trailing ".conf" (5 chars)
    # to get the domain name; the negative length needs bash 4.2 or newer.
    n=${i:8:-5}
    echo "$n"
    # The renewal command itself (currently commented out):
    # echo "\n" | certbot --text --agree-tos -d "$n" --manual --preferred-challenges dns --expand --renew-by-default --manual-public-ip-logging-ok certonly
done
At this point, in the renewal directory ALL of the domains have:
authenticator = manual
And:
pref_challs = dns-01
Questions:
- Now, when I run "certbot renew", will it renew all of them automatically without using my script?
- How do I actually create a new certificate using the DNS challenge to start with?
Best Answer
Updated answer (see original answer below)
In my original answer I focused on the fact that the script you provided is not required when using the renew command. However, I did not make sure the renew command is actually applicable in this scenario. As cdhowie and bobpaul in the comments state:
certbot renew is a non-interactive mode that - in conjunction with the dns challenge - requires you to provide a script via the --manual-auth-hook parameter. Said script must be capable of setting a TXT record. You can also provide another script to clean up afterwards via the --manual-cleanup-hook parameter. If you provide these parameters, the whole process will run automatically without any interaction.
If you do not provide these parameters, certbot will fail:
If you want to renew your certificates via the manual mode, you must re-run the commands you used to acquire the certificates. In this case, your script is a nice option since the certonly command does not look at the present certificates/configuration and instead requires you to provide the domain names either via the -d parameter or in interactive mode.

"when I run "certbot renew", will it renew all of them automatically without using my script?"
TL;DR: Yes, it should.
Let us have a look at the documentation of certbot:
So far, so good.
This should answer your question. Beware: I'm not aware how well certbot can handle situations where you move the certificates to different directories. Later in the same paragraph:
So, yes; certbot should renew all your certificates without the help of your script.

"How do I actually create a new certificate using the DNS challenge to start with?"
What's wrong with the command you posted at the beginning of your post?
certbot -d example.com --manual --preferred-challenges dns certonly
will acquire a certificate for example.com using the dns challenge. The steps to create a certificate are:
- the certbot command you posted
- the certbot command
If you want to automate that complete process, you might want to have a look at a tool like lego which supports a couple of DNS providers.
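As an added example (not code from the question, the answer, or certbot itself), here is what the --manual-auth-hook / --manual-cleanup-hook script the answer describes can look like. One file serves as both hooks, selected by its first argument, and publishes the dns-01 TXT record with an RFC 2136 dynamic update via nsupdate. The environment variables CERTBOT_DOMAIN and CERTBOT_VALIDATION are what certbot exports to the hooks; the zone server ns1.example.net, the TSIG key path, the TTL and the polling intervals are assumptions for this example and need to be adapted to your zone. The propagation check requires dig.

```shell
#!/bin/sh
# Added example: combined certbot dns-01 auth/cleanup hook using nsupdate.
# Usage (by certbot): hook.sh auth | hook.sh cleanup
# Assumed for this example: DNS_SERVER, TSIG_KEYFILE, TTL and the polling
# parameters; replace them with the values for your own zone.
set -eu

DNS_SERVER=${DNS_SERVER:-ns1.example.net}                 # assumed authoritative server
TSIG_KEYFILE=${TSIG_KEYFILE:-/etc/certbot/acme-tsig.key}  # assumed TSIG key file
TTL=60
PROPAGATION_TRIES=30
PROPAGATION_SLEEP=5

# Record name the dns-01 challenge is looked up at. A wildcard name
# (*.example.com) validates at its base name, so a leading "*." is dropped
# defensively; the trailing dot makes the name absolute for nsupdate.
acme_txt_name() {
    domain=$1
    case $domain in
        \*.*) domain=${domain#??} ;;
    esac
    printf '_acme-challenge.%s.\n' "$domain"
}

# Print an nsupdate batch that adds or deletes one TXT record. The delete
# names the exact value: a wildcard and its base domain share one record
# name and are validated back to back, so cleanup must not wipe the sibling
# record certbot may still be waiting on.
nsupdate_script() {
    op=$1; name=$2; value=$3
    printf 'server %s\n' "$DNS_SERVER"
    case $op in
        add)    printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$value" ;;
        delete) printf 'update delete %s IN TXT "%s"\n' "$name" "$value" ;;
        *)      echo "nsupdate_script: unknown op $op" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Poll the authoritative server until the record is visible. A non-zero
# exit makes certbot abort the challenge instead of letting the CA query a
# record that is not served yet.
wait_for_txt() {
    name=$1; value=$2; i=0
    while [ "$i" -lt "$PROPAGATION_TRIES" ]; do
        if dig +short TXT "$name" @"$DNS_SERVER" | grep -Fqx "\"$value\""; then
            return 0
        fi
        i=$((i + 1)); sleep "$PROPAGATION_SLEEP"
    done
    echo "wait_for_txt: $name never showed up on $DNS_SERVER" >&2
    return 1
}

# Entry point used by certbot; does nothing when run without an argument.
case ${1:-} in
    auth)
        name=$(acme_txt_name "$CERTBOT_DOMAIN")
        nsupdate_script add "$name" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEYFILE"
        wait_for_txt "$name" "$CERTBOT_VALIDATION"
        ;;
    cleanup)
        name=$(acme_txt_name "$CERTBOT_DOMAIN")
        nsupdate_script delete "$name" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEYFILE"
        ;;
esac
```

Run it once with the flags, for example certbot renew --manual-auth-hook "/etc/certbot/hook.sh auth" --manual-cleanup-hook "/etc/certbot/hook.sh cleanup" (certbot invokes hooks through the shell, so a command with an argument works); certbot records the hook commands in the renewal configuration, so later plain certbot renew runs need no flags. Give the TSIG key the least privilege the zone server allows, i.e. an update policy that only permits TXT records at _acme-challenge names, so a leaked key cannot be used to rewrite the rest of the zone.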