Let's Encrypt wildcard certificates
published on Tuesday, August 21, 2018
Earlier this year, Let's Encrypt gained the ability to issue wildcard certificates (*.domain.tld) via its ACME v2 endpoint. I was anticipating this eagerly, as it removes the need to list my 92 subdomains by hand and reissue the certificate every time a new subdomain is added.
Wildcard certificates can only be obtained through the DNS-01 challenge: the user has to prove control over the domain by publishing a TXT record at _acme-challenge.domain.tld on the domain's authoritative DNS server. certbot, the EFF's official client, ships several DNS authenticator plugins that automate this for the APIs of major DNS providers. At first, however, there was no such plugin for my web hosting provider, netcup, so the first time around I added the TXT records manually in the web interface.
netcup DNS authenticator
When the expiry date approached, I decided it was finally time for automation. Much to my delight, I discovered that netcup had only recently released a DNS API, and that there was already a Python wrapper for it called nc_dnsapi on PyPI. With these tools, writing a certbot plugin was a breeze, and I was able to release the first version of the certbot-dns-netcup plugin on PyPI the next day.
In order to use it, you have to install it into the same Python environment as certbot itself. Note that if you're using certbot-auto, which manages a private virtualenv of its own, you're going to have a hard time. Personally, I use Docker, as shown below. If you obtained certbot via the system package manager, it is as simple as:
Next, create a configuration file with your API credentials (customer number, API key and API password). These can be created or found in the netcup CCP. Keep this file readable by root only: anyone who can read it can rewrite your DNS zone and pass the challenge for domains of their choosing. The configuration file should look like this:
Note that the certbot-dns-netcup: prefix is imposed by certbot on external plugins. You will need to remove it from the config file and the command-line options if the plugin is ever merged into certbot upstream.
You can now instruct certbot to use the netcup authenticator by passing the following options:
It is necessary to set a relatively high waiting time, e.g. dns-netcup-propagation-seconds=900 (15 minutes), to give the new TXT record time to show up on netcup's authoritative name servers. If certbot asks Let's Encrypt to validate before the record is visible there, the challenge fails and you have to start over.
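Putting the three steps (install the plugin, write the credentials file, run certbot) together, here is an added example that is not code from the original post or from the plugin itself. The option and key names (certbot-dns-netcup:dns-netcup, certbot_dns_netcup:dns_netcup_customer_id and so on) are assumed from the plugin's README of the time and certbot's prefixing convention for external plugins; the domain, e-mail address and credential values are placeholders. The script creates the credentials file with mode 0600 from the start and refuses to run certbot if the file is readable by anyone else.

```sh
#!/bin/sh
# Added example (not from the original post): issue a wildcard certificate
# with certbot and certbot-dns-netcup.  Prerequisite, run once in certbot's
# own Python environment:   pip install certbot-dns-netcup
# Assumed: option/key names per the plugin README; placeholder values below.
set -eu

DOMAIN="${DOMAIN:-example.org}"
EMAIL="${EMAIL:-hostmaster@example.org}"
CRED_FILE="${CRED_FILE:-/var/lib/letsencrypt/netcup_credentials.ini}"
# Explicit ACME v2 endpoint: older certbot releases defaulted to v1,
# which cannot issue wildcards.  Harmless on current versions.
ACME_SERVER="https://acme-v02.api.letsencrypt.org/directory"

# Write the credentials file.  The subshell keeps the restrictive umask
# local, so the file is created 0600 from the start instead of being
# chmod'ed after a window in which it was world-readable.  The
# certbot_dns_netcup: prefix is the one certbot imposes on external plugins.
write_credentials() {
    file="$1" customer="$2" key="$3" password="$4"
    (
        umask 077
        cat > "$file" <<EOF
certbot_dns_netcup:dns_netcup_customer_id  = $customer
certbot_dns_netcup:dns_netcup_api_key      = $key
certbot_dns_netcup:dns_netcup_api_password = $password
EOF
    )
}

# 0 if neither group nor others have any permission bits, 1 otherwise.
# Whoever can read this file can rewrite the zone and pass the challenge.
credentials_are_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# The wildcard does not cover the apex name, so both names are requested.
issue_certificate() {
    if ! credentials_are_private "$CRED_FILE"; then
        echo "refusing: $CRED_FILE is readable by group or others" >&2
        return 1
    fi
    certbot certonly --non-interactive --agree-tos -m "$EMAIL" \
        --server "$ACME_SERVER" \
        --authenticator certbot-dns-netcup:dns-netcup \
        --certbot-dns-netcup:dns-netcup-credentials "$CRED_FILE" \
        --certbot-dns-netcup:dns-netcup-propagation-seconds 900 \
        -d "$DOMAIN" -d "*.$DOMAIN"
}

# Usage:  ./netcup-cert.sh setup <customer> <api-key> <api-password>
#         ./netcup-cert.sh issue
case "${1:-}" in
    setup) write_credentials "$CRED_FILE" "$2" "$3" "$4" ;;
    issue) issue_certificate ;;
esac
```

Before the first real run, the same invocation with --staging added exercises the whole flow against the Let's Encrypt staging environment, which does not count against production rate limits.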
To obtain an image with certbot and the dns-netcup plugin installed, create a temporary directory and put the following Dockerfile in it:
Now, create the image as follows:
You can now run certbot using Docker, e.g. assuming you have put your netcup_credentials.ini file in /var/lib/letsencrypt. Both /etc/letsencrypt and /var/lib/letsencrypt have to be mounted into the container, so that the account key, the certificates and the renewal configuration survive between runs:
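The Docker steps above as one script, added here as an example and not the post's own Dockerfile or commands: it writes the two-line Dockerfile into an empty build directory, checks that nothing but the Dockerfile is in the build context (so no credentials can end up in an image layer), builds the image, and wraps docker run with the two bind mounts. The base image certbot/certbot, the local tag certbot/dns-netcup and the host paths are assumptions; certbot's own options are passed through unchanged.

```sh
#!/bin/sh
# Added example (not from the original post): build a certbot image that
# contains the netcup plugin and run certbot from it.  Assumed: the base
# image certbot/certbot, the local tag certbot/dns-netcup, and the host
# directories /etc/letsencrypt and /var/lib/letsencrypt.
set -eu

IMAGE="${IMAGE:-certbot/dns-netcup}"

# The whole Dockerfile: start from the official certbot image and add the
# plugin into the same Python environment certbot runs from.
write_dockerfile() {
    cat > "$1/Dockerfile" <<'EOF'
FROM certbot/certbot
RUN pip install certbot-dns-netcup
EOF
}

# Everything in the build directory is sent to the Docker daemon and could
# be COPYed into a layer by mistake; credentials must never be in here.
# Returns 0 if the directory holds nothing but the Dockerfile.
context_is_clean() {
    extra=$(find "$1" -mindepth 1 ! -name Dockerfile | head -n 1)
    [ -z "$extra" ]
}

build_image() {
    dir=$(mktemp -d)
    write_dockerfile "$dir"
    context_is_clean "$dir" || { echo "unexpected files in $dir" >&2; return 1; }
    docker build -t "$IMAGE" "$dir"
    rm -rf "$dir"
}

# State stays on the host: /etc/letsencrypt holds account key, certificates
# and renewal config, /var/lib/letsencrypt the working directory and (by the
# post's convention) netcup_credentials.ini.  All certbot arguments are
# passed through, e.g.:
#   ./certbot-docker.sh run certonly --authenticator certbot-dns-netcup:dns-netcup \
#     --certbot-dns-netcup:dns-netcup-credentials /var/lib/letsencrypt/netcup_credentials.ini \
#     --certbot-dns-netcup:dns-netcup-propagation-seconds 900 \
#     -d example.org -d '*.example.org'
run_certbot() {
    docker run --rm \
        -v /etc/letsencrypt:/etc/letsencrypt \
        -v /var/lib/letsencrypt:/var/lib/letsencrypt \
        "$IMAGE" "$@"
}

case "${1:-}" in
    build) build_image ;;
    run)   shift; run_certbot "$@" ;;
esac
```

The credentials file is deliberately not part of the image: it is read from the bind-mounted /var/lib/letsencrypt at run time, so rotating the API password never requires a rebuild and a leaked image contains no secrets.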
For the other upstream DNS plugins, certbot publishes ready-to-use Docker images that can be used in the same way by simply replacing certbot/dns-netcup with the image of choice, e.g. certbot/dns-cloudflare, and passing that plugin's options.
To put the cherry on the cake, add a cronjob that renews the certificate periodically, once you have verified the script to be working (certbot renew --dry-run exercises the whole flow against the Let's Encrypt staging environment without touching your real certificates or consuming production rate limits). My own setup uses a script that looks similar to this:
If the certificate was renewed, this runs a script cert-reload.sh, which you can put in the same directory, to e.g. reload web or mail servers:
Now simply type crontab -e and add a line as follows:
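The renewal script, reload hook and crontab line above as one added example, not the post's own scripts: it fingerprints the live certificate before and after certbot renew and runs cert-reload.sh only when the file actually changed. The image tag certbot/dns-netcup, the paths, the example domain and the log file are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): cron-driven renewal that
# reloads services only when the certificate really changed.  Assumed: the
# image certbot/dns-netcup, the example domain, the paths below and a
# cert-reload.sh next to this script.
set -eu

LIVE_CERT="${LIVE_CERT:-/etc/letsencrypt/live/example.org/fullchain.pem}"
RELOAD="${RELOAD:-$(dirname "$0")/cert-reload.sh}"
IMAGE="${IMAGE:-certbot/dns-netcup}"

# SHA-256 of the live certificate; empty if it does not exist yet.
cert_fingerprint() {
    [ -f "$1" ] && sha256sum "$1" | cut -d' ' -f1 || true
}

# 0 (true) when the fingerprints differ, i.e. certbot wrote a new file.
cert_changed() {
    [ "$1" != "$2" ]
}

# certbot renew only acts on certificates within 30 days of expiry and
# reuses the authenticator settings saved at issue time, so it is safe
# to call daily with no further options.
renew() {
    docker run --rm \
        -v /etc/letsencrypt:/etc/letsencrypt \
        -v /var/lib/letsencrypt:/var/lib/letsencrypt \
        "$IMAGE" renew --non-interactive --quiet
}

main() {
    before=$(cert_fingerprint "$LIVE_CERT")
    renew
    after=$(cert_fingerprint "$LIVE_CERT")
    if cert_changed "$before" "$after"; then
        "$RELOAD"          # e.g. nginx -s reload, systemctl reload postfix
    fi
}

# crontab -e, once a day at an arbitrary minute so renewals are spread out:
# 17 3 * * *  /var/lib/letsencrypt/cert-renew.sh run >>/var/log/cert-renew.log 2>&1
case "${1:-}" in
    run) main ;;
esac
```

certbot's own --deploy-hook would be the usual way to trigger a reload, but with Docker the hook runs inside the container, where the web server is not reachable; comparing the file on the host side sidesteps that. Running the script once by hand with renew replaced by a --dry-run confirms the mounts and credentials before the cronjob is trusted.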