{"id":480,"date":"2023-05-17T09:59:25","date_gmt":"2023-05-17T09:59:25","guid":{"rendered":"https:\/\/kevingoedecke.com\/?p=480"},"modified":"2023-05-17T10:21:32","modified_gmt":"2023-05-17T10:21:32","slug":"how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns","status":"publish","type":"post","link":"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/","title":{"rendered":"How to use certbot to generate a wildcard certificate that also auto-renews with an external DNS"},"content":{"rendered":"\n<p>I&#8217;ve been banging my head against the wall with this today. I wanted to set up Letsencrypt \/ Certbot to auto-generate a wildcard certificate that also auto-renews. The problem is that you manually have to set a TXT record in your DNS. If you host your DNS on the same server that is also the web server this is fairly easy and there&#8217;s plenty of guides available. The problem started when I tried to figure out how to do it with an external DNS server, in my case NameCheap.<\/p>\n\n\n\n<p>Let&#8217;s Encrypt only issues wildcard certificates through the DNS-01 challenge type, which proves that you control the DNS zone for your domain. The proof is a DNS TXT record that the CA looks up at <code>_acme-challenge.BLA.com<\/code>. For a wildcard name the leading <code>*.<\/code> label is dropped, so <code>*.BLA.com<\/code> is validated with a record at exactly the same name as <code>BLA.com<\/code> itself; if you request both names in one certificate, two TXT records with different values end up at that name. The record value is derived from a one-time token and your ACME account key, so nobody without that key can precompute it. On the other hand, anyone who can write TXT records in your zone can pass the challenge with their own account key and obtain a certificate for all of your subdomains. The DNS API credentials you hand to Certbot are therefore the sensitive part of this setup and should be scoped as narrowly as your provider allows.<\/p>\n\n\n\n<p>Here are the steps I took in order to generate an auto-renewing SSL certificate for Letsencrypt (Certbot) with an external DNS:<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 1: Install packages and Certbot DNS plugin<\/h2>\n\n\n\n<p>First, you need to install Certbot and the Certbot DNS plugin for your DNS provider. There are plugins available for all kinds of DNS providers (Cloudflare, Google Cloud DNS and AWS Route53 are just a few of the popular ones).<br><br>See:<br><a href=\"https:\/\/certbot-dns-route53.readthedocs.io\/en\/stable\/\">https:\/\/certbot-dns-route53.readthedocs.io\/en\/stable\/<\/a><br><a href=\"https:\/\/certbot-dns-cloudflare.readthedocs.io\/en\/stable\/\">https:\/\/certbot-dns-cloudflare.readthedocs.io\/en\/stable\/<\/a><br><a href=\"https:\/\/certbot-dns-google.readthedocs.io\/en\/stable\/\">https:\/\/certbot-dns-google.readthedocs.io\/en\/stable\/<\/a><br><br>Those plugins allow Certbot to automate the process of adding and removing the DNS TXT record for the DNS-01 challenge, both for the initial issuance and for every renewal. Let&#8217;s say you&#8217;re using AWS Route53; you would install the Route53 plugin:<br><br><code>sudo apt-get install certbot python3-certbot-dns-route53<\/code><br><br>The plugin authenticates with the usual AWS credential sources (the root user&#8217;s <code>~\/.aws\/credentials<\/code> file, the <code>AWS_ACCESS_KEY_ID<\/code> \/ <code>AWS_SECRET_ACCESS_KEY<\/code> environment variables, or an instance role). Because those credentials live on the web server and are reused unattended at every renewal, use a dedicated IAM user or role whose policy only grants <code>route53:ListHostedZones<\/code>, <code>route53:GetChange<\/code> and <code>route53:ChangeResourceRecordSets<\/code>, with the last one restricted to the hosted zone of your domain, and keep the credentials file readable by root only.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 2: Fetch your SSL Certificate<\/h2>\n\n\n\n<p>Then you can run Certbot with the DNS plugin to fetch the certificate:<br><br><code>sudo certbot certonly --dns-route53 -d \"*.yourdomain.com\"<\/code><br><br>If you use a different DNS provider replace it with your plugin. Note that <code>*.yourdomain.com<\/code> matches <code>www.yourdomain.com<\/code> or <code>api.yourdomain.com<\/code> but not <code>yourdomain.com<\/code> itself, and not deeper names such as <code>a.b.yourdomain.com<\/code>. If the bare domain should be served by the same certificate, pass it as a second <code>-d<\/code> option; Certbot then requests both names in one certificate and places two TXT records at <code>_acme-challenge.yourdomain.com<\/code>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 3: Where to find your SSL Certificate<\/h2>\n\n\n\n<p>Certbot then automatically adds the TXT records, waits for the change to propagate, and validates the domain. Once it&#8217;s done, your wildcard certificate will be stored in here: <br><br><code>\/etc\/letsencrypt\/live\/BLA.com-0001\/<\/code><\/p>\n\n\n\n<p>Important: Certbot names the certificate lineage after the first domain you requested, with the <code>*.<\/code> stripped. If you have already generated a certificate for the base domain (e.g. bla.com), that name is taken and the new wildcard certificate lands in the directory with <code>-0001<\/code> at the end. Run <code>sudo certbot certificates<\/code> to list every lineage together with the names it covers, its paths and its expiry date, and check that the one you are about to reference actually lists <code>*.bla.com<\/code>; pointing Nginx at the old lineage gives a certificate name mismatch on every subdomain.<\/p>\n\n\n\n<p>You now have to update your Nginx config to use the correct certificate. For example this could be in your Nginx vhost file.<br><br>Path might be something like this: <br><br><code>\/etc\/nginx\/sites-available\/all.bla.com.conf<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssl_certificate \/etc\/letsencrypt\/live\/bla.com-0001\/fullchain.pem; # managed by Certbot\nssl_certificate_key \/etc\/letsencrypt\/live\/bla.com-0001\/privkey.pem; # managed by Certbot<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Step 4: Auto-renewal with Cronjob<\/h2>\n\n\n\n<p>The beauty of this is that the Certbot package already installs a scheduled job (on Debian and Ubuntu a <code>certbot.timer<\/code> systemd timer, with a cron fallback) that runs <code>certbot renew<\/code> twice a day and renews any certificate that is close to expiry. Renewal replays the same DNS-01 challenge with the same plugin and the same stored credentials, so nothing manual is needed as long as those credentials stay valid. There&#8217;s a small helpful command to do a test run for this though: <br><br><code>sudo certbot renew --dry-run<\/code><br><br>One caveat: with <code>certonly<\/code> Certbot only writes the new files under <code>\/etc\/letsencrypt\/live\/<\/code>; it does not tell Nginx to reload them, so Nginx keeps serving the old certificate until it is reloaded. Pass a deploy hook such as <code>--deploy-hook \"systemctl reload nginx\"<\/code> when you obtain the certificate (Certbot stores it in the renewal config) so the reload happens automatically after each successful renewal.<\/p>\n\n\n\n<p>That&#8217;s really it, hope this helps you guys \ud83d\ude80<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve been banging my head against the wall with this today. I wanted to set up Letsencrypt \/ Certbot to auto-generate a wildcard certificate that also auto-renews. The problem is that you manually have to set a TXT record in your DNS.
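To make concrete what the DNS plugin writes in Step 1 and what the CA checks before handing out the certificate in Steps 2 and 3, here is an added example (written for this page, not code from Certbot or Let's Encrypt) that computes the DNS-01 record name and TXT value exactly as RFC 8555 section 8.4 and RFC 7638 specify, then runs a model of the CA-side check against a simulated zone. The account JWK, the tokens, the zone dictionary and all function names are constructed for the illustration; the JWK is not a real key, only something with the right members.

```python
"""DNS-01 challenge values per RFC 8555 section 8.4 and RFC 7638, stdlib only.
Added illustration for this page, not code from Certbot or Let's Encrypt.
The account JWK, tokens and the simulated zone below are constructed test data."""
import base64
import hashlib
import json
import re

# Members that go into a JWK thumbprint, per key type (RFC 7638 section 3.2).
# Other members ("alg", "kid", ...) are ignored and the order is lexicographic,
# so two encodings of the same public key give the same thumbprint.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
TXT_VALUE_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")  # base64url(SHA-256), unpadded


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required members."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint(account key): binds the challenge to one ACME account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The string the DNS plugin writes into the TXT record."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """Validation name: '*.' is stripped, so a wildcard and its base domain
    are both validated at the same _acme-challenge name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def ca_validates(identifier: str, token: str, account_jwk: dict, lookup_txt) -> bool:
    """Model of the CA side: the expected value must be among the TXT records
    found at the challenge name (several values may coexist there)."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in lookup_txt(dns01_record_name(identifier))


# --- constructed sample data (not a real key; the thumbprint only hashes the
# JSON members, so any base64url-looking strings serve for the demonstration)
ACCOUNT_JWK = {"kty": "RSA", "n": "sample-modulus-not-a-real-key", "e": "AQAB",
               "alg": "RS256", "kid": "acct-1"}
OTHER_ACCOUNT_JWK = {"kty": "RSA", "n": "attacker-modulus-not-a-real-key", "e": "AQAB"}
# One token per authorization, as issued by the CA for an order covering both names.
TOKENS = {"example.com": "tok-for-base-domain", "*.example.com": "tok-for-wildcard"}


def provision_zone(order_tokens: dict, account_jwk: dict) -> dict:
    """What Certbot plus the DNS plugin do for an order: one TXT record per
    authorization, all of them at the same name for base domain + wildcard."""
    zone: dict = {}
    for identifier, token in order_tokens.items():
        zone.setdefault(dns01_record_name(identifier), []).append(
            dns01_txt_value(token, account_jwk))
    return zone


def validate_order(order_tokens: dict, account_jwk: dict, zone: dict) -> dict:
    """Run the CA check for every identifier against a zone snapshot."""
    def lookup(name: str) -> list:
        return zone.get(name, [])
    return {ident: ca_validates(ident, tok, account_jwk, lookup)
            for ident, tok in order_tokens.items()}


if __name__ == "__main__":
    zone = provision_zone(TOKENS, ACCOUNT_JWK)
    print(json.dumps(zone, indent=2))                        # two values, one name
    print(validate_order(TOKENS, ACCOUNT_JWK, zone))         # both True
    print(validate_order(TOKENS, OTHER_ACCOUNT_JWK, zone))   # both False: wrong account key
```

The third print is the point for credential hygiene: the zone content alone does not let a second account pass validation, but whoever can write `_acme-challenge.<domain>` can simply provision values for their own account key, which is why the DNS API credential on the web server deserves the same care as the private key it ends up protecting.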
If you host your DNS on the same server that is also the web [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":486,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[25],"tags":[],"class_list":["post-480","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.8.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to use certbot to generate a wildcard certificate that also auto-renews with an external DNS - Kevin Goedecke<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to use certbot to generate a wildcard certificate that also auto-renews with an external DNS - Kevin Goedecke\" \/>\n<meta property=\"og:description\" content=\"I&#8217;ve been banging my head against the wall with this today. I wanted to setup Letsencrypt \/ Certbot to auto-generate a wildcard certificate that also auto-renews. The problem is that you manually have to set a TXT record in your DNS. 
If you host your DNS on the same server that is also the web [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/\" \/>\n<meta property=\"og:site_name\" content=\"Kevin Goedecke\" \/>\n<meta property=\"article:published_time\" content=\"2023-05-17T09:59:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-17T10:21:32+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/kevingoedecke.com\/blog\/wp-content\/uploads\/2023\/05\/letsencrypt-wildcard-certificate-1024x512.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kevin Goedecke\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kevin Goedecke\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/\",\"url\":\"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/\",\"name\":\"How to use certbot to generate a wildcard certificate that also auto-renews with an external DNS - Kevin Goedecke\",\"isPartOf\":{\"@id\":\"https:\/\/kevingoedecke.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/kevingoedecke.com\/blog\/wp-content\/uploads\/2023\/05\/letsencrypt-wildcard-certificate.png\",\"datePublished\":\"2023-05-17T09:59:25+00:00\",\"dateModified\":\"2023-05-17T10:21:32+00:00\",\"author\":{\"@id\":\"https:\/\/kevingoedecke.com\/#\/schema\/person\/4b156cd6453e1af4bab9076b0a663871\"},\"breadcrumb\":{\"@id\":\"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-
generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/#primaryimage\",\"url\":\"https:\/\/kevingoedecke.com\/blog\/wp-content\/uploads\/2023\/05\/letsencrypt-wildcard-certificate.png\",\"contentUrl\":\"https:\/\/kevingoedecke.com\/blog\/wp-content\/uploads\/2023\/05\/letsencrypt-wildcard-certificate.png\",\"width\":3600,\"height\":1800},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/kevingoedecke.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to use certbot to generate a wildcard certificate that also auto-renews with an external DNS\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/kevingoedecke.com\/#website\",\"url\":\"https:\/\/kevingoedecke.com\/\",\"name\":\"Kevin Goedecke\",\"description\":\"Founder. Entrepreneur.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/kevingoedecke.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/kevingoedecke.com\/#\/schema\/person\/4b156cd6453e1af4bab9076b0a663871\",\"name\":\"Kevin Goedecke\",\"url\":\"https:\/\/kevingoedecke.com\/blog\/author\/kgoedecke\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"How to use certbot to generate a wildcard certificate that also auto-renews with an external DNS - Kevin Goedecke","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/","og_locale":"en_US","og_type":"article","og_title":"How to use certbot to generate a wildcard certificate that also auto-renews with an external DNS - Kevin Goedecke","og_description":"I&#8217;ve been banging my head against the wall with this today. I wanted to setup Letsencrypt \/ Certbot to auto-generate a wildcard certificate that also auto-renews. The problem is that you manually have to set a TXT record in your DNS. If you host your DNS on the same server that is also the web [&hellip;]","og_url":"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/","og_site_name":"Kevin Goedecke","article_published_time":"2023-05-17T09:59:25+00:00","article_modified_time":"2023-05-17T10:21:32+00:00","og_image":[{"width":1024,"height":512,"url":"https:\/\/kevingoedecke.com\/blog\/wp-content\/uploads\/2023\/05\/letsencrypt-wildcard-certificate-1024x512.png","type":"image\/png"}],"author":"Kevin Goedecke","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Kevin Goedecke","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/","url":"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/","name":"How to use certbot to generate a wildcard certificate that also auto-renews with an external DNS - Kevin Goedecke","isPartOf":{"@id":"https:\/\/kevingoedecke.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/#primaryimage"},"image":{"@id":"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/#primaryimage"},"thumbnailUrl":"https:\/\/kevingoedecke.com\/blog\/wp-content\/uploads\/2023\/05\/letsencrypt-wildcard-certificate.png","datePublished":"2023-05-17T09:59:25+00:00","dateModified":"2023-05-17T10:21:32+00:00","author":{"@id":"https:\/\/kevingoedecke.com\/#\/schema\/person\/4b156cd6453e1af4bab9076b0a663871"},"breadcrumb":{"@id":"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/#primaryimage","url":"https:\/\/kevingoedecke.com\/blog\/wp-content\/uploads\/2023\/05\/letsencrypt-wildcard-certificate.p
ng","contentUrl":"https:\/\/kevingoedecke.com\/blog\/wp-content\/uploads\/2023\/05\/letsencrypt-wildcard-certificate.png","width":3600,"height":1800},{"@type":"BreadcrumbList","@id":"https:\/\/kevingoedecke.com\/blog\/2023\/05\/17\/how-to-use-certbot-to-generate-a-wildcard-certificate-that-also-auto-renews-with-an-external-dns\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/kevingoedecke.com\/"},{"@type":"ListItem","position":2,"name":"How to use certbot to generate a wildcard certificate that also auto-renews with an external DNS"}]},{"@type":"WebSite","@id":"https:\/\/kevingoedecke.com\/#website","url":"https:\/\/kevingoedecke.com\/","name":"Kevin Goedecke","description":"Founder. Entrepreneur.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kevingoedecke.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/kevingoedecke.com\/#\/schema\/person\/4b156cd6453e1af4bab9076b0a663871","name":"Kevin 
Goedecke","url":"https:\/\/kevingoedecke.com\/blog\/author\/kgoedecke\/"}]}},"jetpack_featured_media_url":"https:\/\/kevingoedecke.com\/blog\/wp-content\/uploads\/2023\/05\/letsencrypt-wildcard-certificate.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/kevingoedecke.com\/blog\/wp-json\/wp\/v2\/posts\/480","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kevingoedecke.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kevingoedecke.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kevingoedecke.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kevingoedecke.com\/blog\/wp-json\/wp\/v2\/comments?post=480"}],"version-history":[{"count":3,"href":"https:\/\/kevingoedecke.com\/blog\/wp-json\/wp\/v2\/posts\/480\/revisions"}],"predecessor-version":[{"id":485,"href":"https:\/\/kevingoedecke.com\/blog\/wp-json\/wp\/v2\/posts\/480\/revisions\/485"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kevingoedecke.com\/blog\/wp-json\/wp\/v2\/media\/486"}],"wp:attachment":[{"href":"https:\/\/kevingoedecke.com\/blog\/wp-json\/wp\/v2\/media?parent=480"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kevingoedecke.com\/blog\/wp-json\/wp\/v2\/categories?post=480"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kevingoedecke.com\/blog\/wp-json\/wp\/v2\/tags?post=480"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}