Renew a wildcard certificate via DNS challenge
This guide explains how to generate and then automatically renew a wildcard certificate via DNS challenge using Certbot and the dns-infomaniak plugin.
1. Installing the Infomaniak DNS plugin
DNS plugins are not installed by default with Certbot. To install Certbot together with the dns-infomaniak plugin, and avoid the error "The requested dns-infomaniak plugin does not appear to be installed", follow the official Certbot instructions: choose your Software → System combination, then consult the Wildcard tab.
2. Generate the wildcard certificate
From a Terminal, run the following Certbot command to generate the certificate with the manual DNS-01 challenge (quote the wildcard name so the shell does not expand the asterisk):
certbot certonly --manual \
-d "*.domain.tld" \
--preferred-challenges dns-01 \
--server https://acme-v02.api.letsencrypt.org/directory
3. Create the TXT record
From the domain management of the Infomaniak Manager, create the TXT record Certbot asks for, named _acme-challenge.domain.tld (the label is _acme-challenge with a hyphen), with the validation value displayed by Certbot. Wait until the record is published before pressing Enter in the Certbot prompt to continue.
4. Create the renewal configuration file
From a Terminal, create or edit the file: /etc/letsencrypt/renewal/domain.tld.conf. Example of recommended configuration:
cert = /etc/letsencrypt/live/domain.tld/cert.pem
privkey = /etc/letsencrypt/live/domain.tld/privkey.pem
chain = /etc/letsencrypt/live/domain.tld/chain.pem
fullchain = /etc/letsencrypt/live/domain.tld/fullchain.pem
[renewalparams]
authenticator = manual
manual_auth_hook = /root/infomaniak-auth.sh
manual_cleanup_hook = /root/infomaniak-clean.sh
server = https://acme-v02.api.letsencrypt.org/directory
pref_challs = dns-01
account = xxxxx
key_type = rsa
The account value is the identifier of your ACME account, i.e. the directory name under /etc/letsencrypt/accounts/. Some errors come from renewal files automatically generated by Certbot that contain obsolete or incorrect fields (version = ..., cert-path = ..., etc.). Always recreate the renewal file following the example above.
5. Create the infomaniak-auth.sh script
From the API management of the Infomaniak Manager, create an Infomaniak API token with the domain scope, which will replace XXXXXXX in the script below.
The file indicated in your configuration must absolutely match the real name of the script. Example: if you use infomaniak-auth.sh in the configuration, do not create infomaniak-auth-domain.xyz.sh.
From a Terminal, create the file /root/infomaniak-auth.sh with no whitespace after the trailing backslashes (a space or tab after a \ breaks the line continuation in Bash) with:
#!/bin/bash
# The dns-infomaniak plugin reads the token from the environment, so the variable must be exported
export INFOMANIAK_API_TOKEN="XXXXXXX"
# Add the TXT record via the Infomaniak DNS plugin
# certonly: only obtain the certificate, there is no web server installer to run from a hook
# --non-interactive: a hook has no terminal, so fail instead of waiting on a prompt
/usr/bin/certbot certonly \
--authenticator dns-infomaniak \
--server https://acme-v02.api.letsencrypt.org/directory \
-d "$CERTBOT_DOMAIN" \
--non-interactive \
--agree-tos
The script must be executable. Since it contains the API token, which can modify the DNS zone of your domain, make it readable and executable by root only (mode 700 also sets the execute bit):
chmod 700 /root/infomaniak-auth.sh
6. Create a cleanup script
Create the file /root/infomaniak-clean.sh:
#!/bin/bash
# Optional: remove the temporary DNS record
exit 0
The script must be made executable:
chmod +x /root/infomaniak-clean.sh
7. Test the renewal
Before using a cron, always test with the following command. It runs the full renewal, including both hooks, against the Let's Encrypt staging server and displays any potential errors (script not found, incorrect file name, missing permissions, missing plugin, etc.) without touching the production certificate:
certbot renew --dry-run
8. Configure a cron task
0 0 */30 * * /usr/bin/certbot renew --quiet --config /etc/letsencrypt/renewal/domain.tld.conf
Adjust the frequency above as needed. Note that */30 in the day-of-month field fires on the 1st and the 31st of a month rather than every 30 days; since certbot renew only renews certificates that are within 30 days of expiry and does nothing otherwise, running it daily is safe and leaves more chances to retry after a failed attempt. To restrict the run to a single certificate, Certbot also accepts --cert-name domain.tld. The cron will automatically use:
- the file domain.tld.conf
- the authentication script infomaniak-auth.sh
- the plugin dns-infomaniak
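The checks below are an added example written for this page, not code from the Infomaniak guide or from Certbot. They verify a manual DNS-01 renewal lineage against the pitfalls named in steps 4 to 7 (hook not found, wrong file name, missing execute bit, hook readable by other users, whitespace after a trailing backslash, wrong TXT label) without contacting Let's Encrypt, so they can run before the dry run or the cron job. The file name preflight.sh and the helper names renewal_param, challenge_record_name, check_hook and check_renewal_conf are assumptions of the example.

```bash
#!/bin/bash
# Added example for this page (not code from the Infomaniak guide or from
# Certbot): pre-flight checks for a manual DNS-01 renewal lineage.
# Paths are parameters, so the checks work on a scratch directory as well
# as on /etc/letsencrypt.

# Print the value of KEY in the [renewalparams] section of a renewal conf.
# Certbot writes list values with a trailing comma (pref_challs = dns-01,),
# which is stripped so callers can compare the bare value.
renewal_param() {               # usage: renewal_param CONF KEY
    awk -v key="$2" '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params && $1 == key && $2 == "=" { sub(/,$/, "", $3); print $3; exit }
    ' "$1"
}

# Name of the TXT record the CA looks up for DOMAIN. A leading "*." is
# stripped (Certbot passes the bare domain in CERTBOT_DOMAIN) and the label
# is _acme-challenge with a hyphen, not an underscore.
challenge_record_name() {       # usage: challenge_record_name DOMAIN
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Check one hook script. Returns 0 when it passes, 1 otherwise.
check_hook() {                  # usage: check_hook PATH
    local path="$1" rc=0
    if [ ! -f "$path" ]; then
        echo "ERROR: hook not found: $path (file name must match the renewal conf)"
        return 1
    fi
    [ -x "$path" ] || { echo "ERROR: $path is not executable (chmod 700 $path)"; rc=1; }
    # group/other permission bits must all be '-': the file holds the API token
    if [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
        echo "ERROR: $path is readable by other users (chmod 700 $path)"; rc=1
    fi
    # a space or tab after a trailing backslash breaks the line continuation
    if grep -qE '\\[[:space:]]+$' "$path"; then
        echo "ERROR: $path has whitespace after a trailing backslash"; rc=1
    fi
    return $rc
}

# Check a renewal conf and the hooks it references. Returns 0 when all pass.
check_renewal_conf() {          # usage: check_renewal_conf CONF
    local conf="$1" rc=0 key hook
    [ -f "$conf" ] || { echo "ERROR: renewal conf not found: $conf"; return 1; }
    [ "$(renewal_param "$conf" authenticator)" = "manual" ] ||
        { echo "ERROR: authenticator is not 'manual' in $conf"; rc=1; }
    [ "$(renewal_param "$conf" pref_challs)" = "dns-01" ] ||
        { echo "ERROR: pref_challs is not dns-01; a wildcard needs the DNS challenge"; rc=1; }
    for key in manual_auth_hook manual_cleanup_hook; do
        hook=$(renewal_param "$conf" "$key")
        if [ -z "$hook" ]; then
            echo "ERROR: $key is missing in $conf"; rc=1
        else
            check_hook "$hook" || rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $conf and its hooks look consistent"
    return $rc
}

# Stand-alone use: bash preflight.sh /etc/letsencrypt/renewal/domain.tld.conf
[ $# -eq 0 ] || check_renewal_conf "$1"
```

Run it as root, since /etc/letsencrypt and the hooks under /root are not readable by other users. A failing check reports the same class of problem the dry run would, but locally and without consuming Let's Encrypt rate limits; the dry run is still needed afterwards to exercise the plugin and the API token.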