by Devin Yang
(This article was automatically translated.)

Published - 1 year ago ( Updated - 1 year ago )

I wrote this record of manual update first, because I think about the future and then write an automatic update article.
Only in this way can there be a comparison group, why is it called unbelievable,
As far as I know the certbot command, the current whildcard certificate cannot be automatically updated.

If we have used Let's encrypt to apply for a whildcard certificate, we will definitely find this passage after the successful application.

 NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided.
 To renew this certificate, repeat this same certbot command before the certificate's expiry date.

As mentioned in the opening, this credential will not be automatically renewed, because --manual-auth-hook has not been provided, and to renew this credential, repeat the same command before the expiration date.

Ok, but with a little trickery, you can get auto-updates to work, at least that's what I did. 😆
However, there are a few prerequisites. Your DNS needs to be a self-managed DNS or your DNS provider can provide an API to allow you to update DNS records.
The DNS update of many credential providers is very slow, it takes 12-24 hours, and the TTL cannot be adjusted too short, please pay attention to this when choosing.
Self-installed DNS will not have this problem😋

In this article, let’s first take a look at my manual application process. I use the following commands to apply and update my Whildcard certificate.

 certbot certonly --agree-tos --manual \
--preferred-challenges dns --server \
 https://acme-v02.api.letsencrypt.org/directory -d "*.demo.ccc.tc"

Full screen update history:

 certbot certonly --agree-tos --manual \
> --preferred-challenges dns --server \
> https://acme-v02.api.letsencrypt.org/directory -d "*.demo.ccc.tc"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Attempting to parse the version 1.22.0 renewal configuration file found at /etc/letsencrypt/renewal/ccc.tc.conf with version 0.31.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...  
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for demo.ccc.tc

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.demo.ccc.tc with the following value:

1t3WObUV768V88P5ddULFXfn9nb9_PEqSwcibXm45Ik

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/demo.ccc.tc/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/demo.ccc.tc/privkey.pem
Your cert will expire on 2023-03-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 Donating to EFF: https://eff.org/donate-le

I used dns verification during the complete application process, so I need to update the TXT record to DNS, and then press Enter.
My DNS uses bind9, so I added the record to the text file and updated the serial number.

 $ORIGIN .
$TTL 86400 ; 1 day
demo.ccc.tc IN SOA ns1.demo.ccc.tc. devin.ccc.tc. (
2022103128 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS ns1.demo.ccc.tc.
NS ns2.demo.ccc.tc.
A 220.134.172.98
$ORIGIN demo.ccc.tc.
* A 127.0.0.1
================ Omitted in the middle ============
$TTL 60 ; 1 minute
 _acme-challenge TXT 1t3WObUV768V88P5ddULFXfn9nb9_PEqSwcibXm45Ik

Then I will execute the update script to synchronize the records to the second DNS, here I list the command

 rndc reload demo.ccc.tc

After completing the manual update, in order to ensure nothing goes wrong, I will issue the host command and specify the type as text to verify whether it can be found

 $host -t txt _acme-challenge.demo.ccc.tc
 _acme-challenge.demo.ccc.tc descriptive text "1t3WObUV768V88P5ddULFXfn9nb9_PEqSwcibXm45Ik"

Then press Enter (Press Enter to Continue) prompted in the above screen to verify.

Ok, the above is the process of manually updating my wildcard certificate, but it seems a bit troublesome to always manually update.

Before the automatically updated article is published, let me remind you of my approach.
Even if these things are not used for automatic certificate update, it is very convenient to perform other functions, so there should still be some reading value.

Tip one:
There is a command in Linux called /usr/bin/expect, he can expect what will appear on the screen, and then press the button to achieve script automation, for example:

 expect "(Y)es/(N)o:"
 send -- "Y\r"

Tip two:
When I execute the certbot command, I will use another command tee to simultaneously save the certbot execution screen (standard output) as a file, similar to this:

 certbot certonly --agree-tos --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d "*.demo.ccc.tc" |tee demo.ou

Tip three:
That is to say, during the automation process, the demo.out file will have the following content, so how do we capture the string of text in the middle? Using the awk command is super convenient.

 Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.demo.ccc.tc with the following value:

1t3WObUV768V88P5ddULFXfn9nb9_PEqSwcibXm45Ik

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Press Enter to Continue

Then let's see how my awk command is issued. Use the head and tail recognition in the screen below to easily grab the text to be added for DNS verification in the middle.

 root@ptest:/usr/local/scripts# awk '/following value:/,/Before continuing/' demo.out |tail -n3|head -n1
1t3WObUV768V88P5ddULFXfn9nb9_PEqSwcibXm45Ik
 root@ptest:/usr/local/scripts#

So I have an update bash that looks like this, that is, I throw the txt I captured to the update API I wrote to update the record

 #!/bin/bash
TEXT=$(awk '/following value:/,/Before continuing/' demo.out |tail -n3|head -n1)
echo ${TEXT}
curl -X 'GET' \
 "http://127.0.0.1:1020/acme?txt=${TEXT}&file=demo.db"

Finally, you should have thought of it, let except press Enter to verify the update.
In except, I will have the following method (not complete)

 set certbot_id $spawn_id
expect "(Y)es/(N)o:"
send -- "Y\r"
#execute another process
sleep 2
spawn ./update_demo.sh
expect eof
catch wait result
# return certbot
set spawn_id $certbot_id
sleep 5
expect "Press Enter to Continue"
#interact
send -- "\r"
 expect eof

I mostly use these things to get the automatic renewal of wildcard's certificate.

As for the API side, it's another story, and I will leave it for the next chapter.
The tool I use is python FastAPI.

I feel that this title is more sensational, because it should attract people to watch😛
In addition to sharing, I am also experimenting whether it will affect the click-through rate.

Tags: certbot letencrypt

Devin Yang

Feel free to ask me, if you don't get it.:)

No Comment

Post your comment

Login is required to leave comments

Similar Stories


ssl,certbot

Raiders docker version Let's Encrypt certificate application

This article mainly shares how I use Docker to apply for a Let's Encrypt certificate. Let's Encrypt has quite a variety of ACME Clients, I will use the official push Certbot (ACME Client) for illustration. And use docker to execute ACME Client.

config,ssl,certbot

Apache and Nginx's ACME authentication pass kill

Some people may be curious about what to do with this. Let me briefly explain my situation. The super old host cannot install HAProxy or certbo without Docker, only apache and nginx. But I need to automatically apply for and update the certificate on the host, so I let the host mount the folder on another host that can run the certbot program through NFS, so that the verification file generated by him can be directly generated on the old host /home In the /nginx/acme-challenge/.well-known/acme-challenge/ directory, the web page can be successfully verified and the certificate can be obtained. When there are a bunch of vhosts, you can all eat the same folder, instead of creating a directory for each vhost website.

ssl,haproxy,certbot

Perfect SSL certificate automatic update environment (HAProxy plus certbot)

HAProxy's reloading speed is very fast, and I don't feel that there is a restart. It is really convenient for all credentials to be handled by HAProxy. Host environment requirements, please confirm that you have the following two instructions (How to install Ubuntu? apt-get install -y haproxy cerbot, I guess, if not, please Google)