
Renew a wildcard certificate via DNS challenge

This guide explains how to generate and then automatically renew a wildcard certificate via DNS challenge using Certbot and the dns-infomaniak plugin.

 

1. Installing the Infomaniak DNS plugin

DNS plugins are not installed by default with Certbot. To install Certbot and the dns-infomaniak plugin correctly (and avoid the error "The requested dns-infomaniak plugin does not appear to be installed"), follow the official Certbot instructions: select your software and system, then open the Wildcard tab.

 

2. Generate the wildcard certificate

From a Terminal, run the following Certbot command to manually generate the certificate:

certbot certonly --manual \
-d *.domain.tld \
--preferred-challenges dns-01 \
--server https://acme-v02.api.letsencrypt.org/directory

 

3. Create the TXT record

From the domain management of the Infomaniak Manager, create the requested TXT record for _acme-challenge.domain.tld.

 

4. Create the renewal configuration file

From a Terminal, create or edit the file: /etc/letsencrypt/renewal/domain.tld.conf. Example of recommended configuration:

cert = /etc/letsencrypt/live/domain.tld/cert.pem
privkey = /etc/letsencrypt/live/domain.tld/privkey.pem
chain = /etc/letsencrypt/live/domain.tld/chain.pem
fullchain = /etc/letsencrypt/live/domain.tld/fullchain.pem
[renewalparams]
authenticator = manual
manual_auth_hook = /root/infomaniak-auth.sh
manual_cleanup_hook = /root/infomaniak-clean.sh
server = https://acme-v02.api.letsencrypt.org/directory
pref_challs = dns-01
account = xxxxx
key_type = rsa

Some errors come from files automatically generated by Certbot containing obsolete or incorrect fields (version = ..., cert-path = ..., etc.). Always recreate the renewal file following the example above.

 

5. Create the infomaniak-auth.sh script

From the API management of the Infomaniak Manager, create an Infomaniak API token with the domain scope, which will replace XXXXXXX in the script below.

The file indicated in your configuration must absolutely match the real name of the script. Example: if you use infomaniak-auth.sh in the configuration, do not create infomaniak-auth-domain.xyz.sh.

From a Terminal, create the file /root/infomaniak-auth.sh without trailing tabs (they cause errors in Bash) with:

#!/bin/bash
# Infomaniak API token with the "domain" scope. It must be exported so that the
# certbot process started below (and its dns-infomaniak plugin) can read it.
export INFOMANIAK_API_TOKEN="XXXXXXX"
# Add the TXT record via the Infomaniak DNS plugin
/usr/bin/certbot \
  --authenticator dns-infomaniak \
  --server https://acme-v02.api.letsencrypt.org/directory \
  -d "$CERTBOT_DOMAIN" \
  --agree-tos

The script must be made executable:

chmod +x /root/infomaniak-auth.sh
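As an added example (not the page's or Infomaniak's own script), a hardened variant of the auth hook that keeps the API token out of the script file: it assumes the token is stored in /root/.infomaniak-token, refuses to run if that file is owned by another user or readable by group/others, and checks that Certbot's CERTBOT_DOMAIN and CERTBOT_VALIDATION variables are present before calling the plugin.

```shell
#!/bin/bash
# Added example, not Infomaniak's script: a hardened variant of infomaniak-auth.sh.
# Assumption (not from the original page): the API token is stored in
# /root/.infomaniak-token (owned by the user running the hook, mode 600 or 400)
# instead of being written into the script itself.
set -eu

TOKEN_FILE="${TOKEN_FILE:-/root/.infomaniak-token}"

# Refuse a token file that is missing, owned by another user, or readable by group/others.
check_token_file() {
  f="$1"
  [ -f "$f" ] || { echo "token file $f not found" >&2; return 1; }
  [ "$(stat -c '%u' "$f")" = "$(id -u)" ] || { echo "token file $f is not owned by uid $(id -u)" >&2; return 1; }
  case "$(stat -c '%a' "$f")" in
    600|400) return 0 ;;
    *) echo "token file $f must be mode 600 or 400, not $(stat -c '%a' "$f")" >&2; return 1 ;;
  esac
}

# Print the token (first line of the file) without a trailing newline.
read_token() {
  IFS= read -r tok < "$1" || [ -n "$tok" ]
  printf '%s' "$tok"
}

# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to a manual auth hook;
# fail with a clear message when the script is run outside Certbot.
require_certbot_env() {
  missing=0
  for v in CERTBOT_DOMAIN CERTBOT_VALIDATION; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "$v is not set; run this hook via certbot" >&2; missing=1; }
  done
  return "$missing"
}

main() {
  check_token_file "$TOKEN_FILE"
  require_certbot_env
  INFOMANIAK_API_TOKEN="$(read_token "$TOKEN_FILE")"
  export INFOMANIAK_API_TOKEN   # the dns-infomaniak plugin reads the token from the environment
  /usr/bin/certbot --authenticator dns-infomaniak \
    --server https://acme-v02.api.letsencrypt.org/directory \
    -d "$CERTBOT_DOMAIN" --agree-tos
}

# Run only when Certbot invokes the hook; otherwise just define the functions.
[ -z "${CERTBOT_DOMAIN:-}" ] || main
```

Create the token file with `umask 077` before writing the token into it, and keep manual_auth_hook in step 4 pointing at this script's real path.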

 

6. Create a cleanup script

Create the file /root/infomaniak-clean.sh

#!/bin/bash
# Optional: remove the temporary DNS entry created for the challenge
exit 0

The script must be made executable:

chmod +x /root/infomaniak-clean.sh

 

7. Test the renewal

Before using a cron, always test with this command that will display any potential errors (script not found, incorrect file name, missing permissions, missing plugin, etc.):

certbot renew --dry-run

 

8. Configure a cron task

0 0 */30 * * /usr/bin/certbot renew --quiet --config /etc/letsencrypt/renewal/domain.tld.conf

Adjust the 30 in the schedule above to the desired frequency (certbot renew only replaces certificates that are close to expiry, so running it more often is harmless). The cron will automatically use:

  • the file domain.tld.conf
  • the authentication script infomaniak-auth.sh
  • the plugin dns-infomaniak
