
Renew a wildcard certificate via DNS challenge

This guide explains how to generate a wildcard certificate with a DNS challenge and then renew it automatically using Certbot and the dns-infomaniak plugin. Let's Encrypt issues wildcard certificates only through the dns-01 challenge, which is why a TXT record in the zone is required instead of an HTTP check.

 

1. Installation of required tools

The Infomaniak DNS plugin is not installed with Certbot by default. To avoid the error "The requested dns-infomaniak plugin does not appear to be installed", install Certbot and the plugin by following the official instructions.

Make sure to select the Wildcard tab on the Certbot website after choosing your web server and system.

 

2. Initial manual generation

Run this command to issue the certificate the first time. Quote the wildcard so the shell does not try to expand it, and note that *.example.com covers one level of subdomains only, not example.com itself; add -d example.com as well if the bare domain must be covered by the same certificate:

certbot certonly --manual \
  -d "*.example.com" \
  --preferred-challenges dns-01 \
  --server https://acme-v02.api.letsencrypt.org/directory

 

3. DNS challenge validation (TXT Record)

To prove that you control the domain, Certbot pauses and prints a validation value. Go to your Infomaniak Manager and create the following TXT record in the example.com zone (full name _acme-challenge.example.com):

  • Name: _acme-challenge
  • Value: (the one provided by the Certbot command)

Only press Enter in Certbot once the record is visible on the zone's authoritative nameservers: Let's Encrypt queries those directly, not your local resolver, and a record that is not yet published makes the challenge fail. If you requested several names, Certbot asks for one record per name; keep all of them in place at the same time.
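Because the validation is done against the authoritative nameservers, it is worth checking them directly before continuing in Certbot. The following script is an added example and not code from the original page or from Infomaniak: it looks up the zone's NS records with dig and polls each nameserver until all of them return the expected TXT value. The zone name and the validation value are placeholders; dig (package dnsutils or bind-utils) must be installed.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that the
# _acme-challenge TXT record is visible on every authoritative nameserver
# of the zone before letting Certbot continue. Requires dig.
# The zone name and validation value passed in are placeholders.

# Return 0 if the dig +short TXT output (one quoted string per record,
# one record per line) contains a record whose value is exactly $expected.
txt_present() {
    dig_output="$1"
    expected="$2"
    printf '%s\n' "$dig_output" | grep -Fxq "\"$expected\""
}

# Query the zone's authoritative nameservers directly: public resolvers
# may keep serving a cached NXDOMAIN or an old value, and Let's Encrypt
# does not use them. Poll until all nameservers return the value or give up.
wait_for_txt() {
    zone="$1"
    expected="$2"
    attempts="${3:-20}"
    delay="${4:-15}"
    name="_acme-challenge.$zone"
    ns_list=$(dig +short NS "$zone")
    if [ -z "$ns_list" ]; then
        echo "no NS records found for $zone (is dig installed? is the zone name right?)" >&2
        return 1
    fi
    i=1
    while [ "$i" -le "$attempts" ]; do
        all_ok=1
        for ns in $ns_list; do
            if ! txt_present "$(dig +short TXT "$name" "@$ns")" "$expected"; then
                echo "attempt $i/$attempts: $ns does not return the record yet" >&2
                all_ok=0
            fi
        done
        [ "$all_ok" -eq 1 ] && return 0
        sleep "$delay"
        i=$((i + 1))
    done
    echo "gave up: record not visible on all nameservers after $attempts attempts" >&2
    return 1
}

# Usage: the zone, then the value Certbot printed for the record (placeholder)
# wait_for_txt example.com "VALUE_FROM_CERTBOT" && echo "record visible, press Enter in Certbot"
```

The script exits non-zero if the zone has no resolvable NS records (which also catches a missing dig binary) instead of reporting success on empty output.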

 

4. Preparing the Infomaniak API

To automate the renewal, generate an API token with the domain scope in your management interface; the renewal only needs to create and delete DNS records, so do not grant a wider scope. This token lets the renewal publish and remove the challenge TXT record without manual intervention. Treat it like a password: anyone holding it can change the DNS of your domain and therefore obtain certificates for it.

 

5. Renewal script (infomaniak-auth.sh)

Create the file /root/infomaniak-auth.sh. The dns-infomaniak plugin reads the API token from the INFOMANIAK_API_TOKEN environment variable, so the script exports the token and then starts the renewal; cron runs this script (step 8). Do not call certbot from a manual_auth_hook: while a hook runs, Certbot is already running and holds the lock on /etc/letsencrypt, so a nested certbot command fails, and the CERTBOT_DOMAIN variable used in that pattern only exists inside hooks. With the plugin no hook is needed, because the plugin creates the _acme-challenge TXT record through the Infomaniak API and removes it after validation.

#!/bin/bash
# API token for Infomaniak (domain scope). The dns-infomaniak plugin that
# certbot starts reads it from this environment variable, so it must be
# exported, not only assigned.
export INFOMANIAK_API_TOKEN="YOUR_API_TOKEN_HERE"
# Renew the lineage created in step 2. The authenticator, challenge type and
# ACME server come from /etc/letsencrypt/renewal/example.com.conf. Extra
# arguments (for example --dry-run or --quiet) are passed through to certbot.
/usr/bin/certbot renew \
  --cert-name example.com \
  "$@"

Make the script executable and, because it contains the token, readable by root only:

chmod 700 /root/infomaniak-auth.sh

 

6. Cleanup script (infomaniak-clean.sh)

No cleanup script is required with the dns-infomaniak authenticator: the plugin deletes the challenge TXT record itself once validation is done. The file /root/infomaniak-clean.sh is only needed if your renewal configuration still declares authenticator = manual together with a manual_cleanup_hook; in that case it can stay a no-op:

#!/bin/bash
# Optional: cleanup after the challenge. Nothing to do here when the
# dns-infomaniak plugin handles record removal.
exit 0

Make the script executable:

chmod +x /root/infomaniak-clean.sh

 

7. Automatic renewal configuration

Certbot wrote the renewal configuration for this certificate during step 2: /etc/letsencrypt/renewal/example.com.conf. Because the certificate was issued with --manual, the file currently says authenticator = manual, and an unattended certbot renew would abort because no manual authentication hook is configured. Edit the [renewalparams] section so that renewal goes through the plugin, leaving the paths at the top and the account line exactly as Certbot wrote them:

cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem
[renewalparams]
authenticator = dns-infomaniak
server = https://acme-v02.api.letsencrypt.org/directory
pref_challs = dns-01
account = YOUR_ACCOUNT_ID
key_type = rsa

account must stay the identifier Certbot generated (it names a directory under /etc/letsencrypt/accounts); do not replace it with an Infomaniak account number. Alternatively, run certbot certonly --authenticator dns-infomaniak -d "*.example.com" once with INFOMANIAK_API_TOKEN exported: Certbot then reissues the certificate and rewrites this file itself.

 

8. Testing and automation (cron)

Before automating, verify that an unattended renewal works with a simulation against the Let's Encrypt staging environment. Run it through the script so that the token is in the environment:

/root/infomaniak-auth.sh --dry-run

If the test succeeds, add this task to root's crontab (crontab -e as root):

0 3 * * * /root/infomaniak-auth.sh --quiet

Run it daily rather than every N days: certbot renew renews a certificate only when it is within 30 days of expiry and exits without doing anything otherwise, so a daily run is cheap and leaves many attempts if the Infomaniak API or DNS is temporarily unavailable. Do not pass the renewal file to --config; that option expects a Certbot configuration file, and the renewal directory is read automatically. Each run uses:

  • the renewal file /etc/letsencrypt/renewal/example.com.conf
  • the script infomaniak-auth.sh, which exports the API token
  • the plugin dns-infomaniak, which creates and removes the TXT record
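Keeping the token inside a root-only script works, but a wrapper that stores the secret in its own file and checks that file's permissions before exporting it fails closed if the file is ever left readable by other users, and it reloads the web server only when Certbot actually renewed something. The script below is an added example, not code from the original page or from Infomaniak; it assumes the token is the single line of /root/.infomaniak-token, that the script is saved as /root/infomaniak-renew.sh, that the lineage is named example.com, that nginx is the server to reload, and that GNU stat is available (Linux).

```shell
#!/bin/sh
# Added example, not part of the original page: renewal wrapper that keeps
# the Infomaniak API token in a separate root-only file, refuses to run if
# that file is readable by anyone else, exports the token for the
# dns-infomaniak plugin and reloads nginx only after an actual renewal.
# Paths, the lineage name and the reload command are placeholders.

TOKEN_FILE="${TOKEN_FILE:-/root/.infomaniak-token}"   # one line: the token

# Return 0 only if the file exists, belongs to the calling user and has no
# group or other permission bits (mode 600 or 400). Uses GNU stat.
token_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    owner=$(stat -c '%u' "$1") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the token: first line of the file with surrounding whitespace removed.
read_token() {
    head -n 1 "$1" | tr -d '[:space:]'
}

run_renewal() {
    if ! token_file_is_private "$TOKEN_FILE"; then
        echo "refusing to run: $TOKEN_FILE must exist, be owned by $(id -un) and be mode 600" >&2
        return 2
    fi
    INFOMANIAK_API_TOKEN=$(read_token "$TOKEN_FILE")
    export INFOMANIAK_API_TOKEN
    # Authenticator (dns-infomaniak), challenge type and ACME server come from
    # the renewal configuration. --deploy-hook runs only when a certificate
    # was actually renewed, so nginx is not reloaded on every cron run.
    /usr/bin/certbot renew \
        --cert-name example.com \
        --deploy-hook "systemctl reload nginx" \
        "$@"
}

# Start the renewal only when executed as the script itself, so the
# functions above can also be sourced (for example to test them).
if [ "${0##*/}" = "infomaniak-renew.sh" ]; then
    run_renewal "$@"
fi
```

Create the token file with umask 077 (or chmod 600 it afterwards), run /root/infomaniak-renew.sh --dry-run once by hand, then put /root/infomaniak-renew.sh --quiet in root's crontab in place of infomaniak-auth.sh.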
