Let's Encrypt wildcard certificates
published on Tuesday, August 21, 2018
Earlier this year, Let's Encrypt gained the ability to issue wildcard certificates (*.domain.tld). I was anticipating this eagerly, as this removes the need to manually list some 23 x 4 subdomains and update the certificate every time a new subdomain is added.
The protocol used to issue wildcard certificates requires the user to prove their control over the domain by setting a TXT record on their DNS server. certbot, the EFF's official client, has several DNS authenticator plugins that facilitate this task for major DNS provider APIs. However, none for my webhosting provider, netcup. So I went and manually added the TXT records in the web interface the first time.
netcup DNS authenticator
When the expiry date approached, I decided it was finally time for automation. Much to my delight, I discovered that netcup had just recently released a DNS API, and that there was already a python wrapper called nc_dnsapi on PyPI. With these tools writing a certbot plugin became a breeze and I have published the resulting plugin as certbot-dns-netcup on PyPI so others can make use of it.
In order to use it, you have to install it into the same environment as certbot itself. Note that if you're using certbot-auto, you're going to have a hard time. Personally, I use docker, as shown below. If you obtained certbot via the system package manager, it is as simple as:
Next, create a configuration file with your API credentials. These can be created or found in the netcup CCP. The configuration file should look like this:
Note that the certbot-dns-netcup: prefix is imposed by certbot for external plugins.
You can now instruct certbot to use the netcup authenticator by passing the following options:
It is necessary to set a relatively high waiting time, e.g. dns-netcup-propagation-seconds=900 in order to give the DNS records time to propagate.
In order to obtain an image with the certbot and the dns-netcup plugin installed, create a temporary directory and put the following Dockerfile within it:
Now, create the image as follows:
You can now run certbot using docker, e.g. assuming you have put your netcup_credentials.ini file to /var/lib/letsencrypt:
For the other upstream DNS plugins, there are ready-to-use docker images online that can be used likewise by simply replacing certbot/dns-netcup by the image of choice, e.g. certbot/dns-cloudflare and using the appropriate plugin specific options.
To put the cherry on the cake, you should add a cronjob that updates the certificate periodically once you verified the script to be working. My own setup uses a script that looks similar to this:
If the certificate was renewed, this runs a script cert-reload.sh that you can put in the same directory to e.g. restart webservers etc.:
Now simply type crontab -e and add a line as follows: