Are you worried that your Let's Encrypt wildcard certificate cannot be renewed automatically with the certbot tool? This tool can help!
Whether you are applying for or renewing a wildcard certificate, ownership of the domain can only be verified with the dns-01 challenge, which means the certbot operator has to add a DNS TXT record by hand.
If you write a cron entry (such as 1 1 */1 * * root certbot-auto renew) to renew the wildcard certificate automatically, cron cannot add that TXT record, so the renew operation fails. How do you solve this?
certbot provides hooks that let you write a shell script which calls the DNS service provider's API and adds the TXT record dynamically, so no manual intervention is needed.
Among the plug-ins and hook examples that certbot officially provides there are none for Chinese (domestic) DNS providers, so I wrote this tool, which currently supports Alibaba Cloud DNS, Tencent Cloud DNS, Huawei Cloud DNS, and GoDaddy (certbot has no official plug-in for these).
Several PRs have been merged recently and have not been fully tested. If you have any questions or problems, please send me feedback. Thank you!
1: Download
$ git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
$ cd certbot-letencrypt-wildcardcertificates-alydns-au
$ chmod 0777 au.sh
2: Configuration
(1) domain.ini
If the domain.ini file does not contain your root domain name, add it yourself.
(2) DNS API key:
What is this API key for? Because the tool manages Alibaba Cloud DNS and Tencent Cloud DNS records through their APIs, you need to obtain an API key from your DNS provider and then configure it in the au.sh file:
(3) Select the runtime environment
Currently the tool supports five runtime environments and scenarios, which are selected through the hook file and its parameters:
Choose the hook invocation (including the corresponding parameters) that matches your server environment and DNS provider. See below for specific usage.
3: Apply for a certificate
Test for errors:
$ ./certbot-auto certonly -d *.example.com --manual --preferred-challenges dns --dry-run --manual-auth-hook "/脚本目录/au.sh php aly add" --manual-cleanup-hook "/脚本目录/au.sh php aly clean"
Debugging: you may run into a series of problems when calling the DNS API, such as insufficient API token permissions. If so, check /var/log/certd.log.
Important: --manual-auth-hook and --manual-cleanup-hook take three parameters:
For example, to use the Python environment, change the --manual-auth-hook argument to "/script directory/au.sh python aly add" and the --manual-cleanup-hook argument to "/script directory/au.sh python aly clean".
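To show what a hook such as au.sh actually receives from certbot and has to turn into a provider API call, here is an added illustration (not the project's au.sh): certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook, and the hook must find the configured root zone that owns the domain and derive the relative _acme-challenge record name. The ROOT_ZONES list (standing in for domain.ini), find_zone, txt_rr and challenge_record are assumptions made for this example.

```shell
#!/bin/sh
# Added illustration of a certbot --manual-auth-hook; not the project's au.sh.
# certbot exports CERTBOT_DOMAIN (for "*.example.com" this is "example.com")
# and CERTBOT_VALIDATION (the value the ACME server will look up in DNS).
# Constructed list standing in for domain.ini (assumption for this example).
ROOT_ZONES="example.com example.org example.cn"

# find_zone DOMAIN: print the longest configured zone that contains DOMAIN;
# fail when the domain is not listed (the "add it to domain.ini" case).
find_zone() {
    d="$1"; best=""
    for z in $ROOT_ZONES; do
        case "$d" in
            "$z"|*."$z")
                if [ "${#z}" -gt "${#best}" ]; then best="$z"; fi ;;
        esac
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# txt_rr DOMAIN ZONE: the record name relative to the zone, which is the
# form the provider APIs (Alibaba Cloud, Tencent Cloud, ...) take as RR/host.
txt_rr() {
    d="$1"; z="$2"
    if [ "$d" = "$z" ]; then
        printf '_acme-challenge\n'
    else
        printf '_acme-challenge.%s\n' "${d%.$z}"
    fi
}

# challenge_record add|clean: build the (zone, rr, value) triple the provider
# API call is made from, using certbot's environment variables.
challenge_record() {
    action="$1"
    domain="${CERTBOT_DOMAIN#\*.}"          # tolerate a literal "*." prefix
    zone="$(find_zone "$domain")" || { echo "$domain not in ROOT_ZONES" >&2; return 1; }
    rr="$(txt_rr "$domain" "$zone")"
    case "$action" in
        add)   printf 'add %s %s TXT %s\n' "$zone" "$rr" "$CERTBOT_VALIDATION" ;;
        clean) printf 'delete %s %s TXT %s\n' "$zone" "$rr" "$CERTBOT_VALIDATION" ;;
        *)     echo "usage: $0 add|clean" >&2; return 2 ;;
    esac
}

# Hook entry point: only runs when certbot has set its variables. The printed
# line is where the real script would call the provider's DNS API instead.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    challenge_record "${1:-add}"
fi
```

A real hook must also wait until the new TXT record is visible on the provider's public nameservers before returning, otherwise certbot asks the ACME server to validate too early and the challenge fails.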
After confirming that the dry run succeeds, run it for real (remove the --dry-run parameter):
# Actual application (no --dry-run)
$ ./certbot-auto certonly -d *.example.com --manual --preferred-challenges dns --manual-auth-hook "/脚本目录/au.sh php aly add" --manual-cleanup-hook "/脚本目录/au.sh php aly clean"
Parameter explanation (you do not need to worry about it):
If you want to apply for wildcard certificates for several domain names combined into one certificate (also called a SAN wildcard certificate), simply pass multiple -d parameters, for example:
$ ./certbot-auto certonly -d *.example.com -d *.example.org -d www.example.cn --manual --preferred-challenges dns --dry-run --manual-auth-hook "/脚本目录/au.sh php aly add" --manual-cleanup-hook "/脚本目录/au.sh php aly clean"
1: Renew all certificates on the machine
$ ./certbot-auto renew --manual --preferred-challenges dns --manual-auth-hook "/脚本目录/au.sh php aly add" --manual-cleanup-hook "/脚本目录/au.sh php aly clean"
2: Renew a certain certificate
First look at how many certificates there are on the machine:
$ ./certbot-auto certificates
You will see the certificates on the machine, as shown in the figure:
Note the certificate name, such as simplehttps.com, and then run the following command to renew it:
$ ./certbot-auto renew --cert-name simplehttps.com --manual-auth-hook "/脚本目录/au.sh php aly add" --manual-cleanup-hook "/脚本目录/au.sh php aly clean"
Edit the file /etc/crontab:
# Certificates are only renewed when fewer than 30 days of validity remain, so the crontab can run daily or weekly
1 1 */1 * * root certbot-auto renew --manual --preferred-challenges dns --manual-auth-hook "/脚本目录/au.sh php aly add" --manual-cleanup-hook "/脚本目录/au.sh php aly clean"
If the certbot machine is the same machine that runs the web server (such as nginx or apache), then after a successful renewal you can restart the corresponding web server with a deploy hook, using the following crontab entry:
# Note: nginx is restarted only when a certificate was actually renewed
1 1 */1 * * root certbot-auto renew --manual --preferred-challenges dns --deploy-hook "service nginx restart" --manual-auth-hook "/脚本目录/au.sh php aly add" --manual-cleanup-hook "/脚本目录/au.sh php aly clean"
Note: this setup is only recommended on a single machine. If you want to distribute the certificate to multiple web servers, you need a different solution; one is currently under development, with the main goal of synchronizing the certificate to the servers of a cluster.