[Script] Renew Let's Encrypt wildcard SSL cert for a domain on name.com

[Script] Auto-Renew Wildcard Letsencrypt Certs for name.com

This tutorial shows how to auto-renew wildcard Let's Encrypt certificates for a domain registered at name.com.

Wildcard certificates issued by letsencrypt.org are validated with the DNS-01 challenge, which requires a DNS TXT record. You can add the TXT record by hand when you request the cert, but to automate renewal you need a script that uses your DNS provider's API to add the record for you. certbot runs such a script when it is passed via the --manual-auth-hook argument.

Step 1: Get an API token

Get your own API token from name.com: https://www.name.com/account/settings/api.

ATTENTION

  • Get the username and token from the PRODUCTION environment, not the DEVELOPMENT/TEST environment.
  • WHITELIST your server's IP address, i.e. the address of the server on which you request the cert.

Step 2: Install Certbot

Make sure certbot is installed:

```bash
sudo apt-get install certbot
```

Step 3: Prepare scripts

Download the three scripts listed at the end of this page.

  • auth.sh: adds the TXT record
  • clean.sh: removes the TXT record once the renewal has finished
  • renew.sh: calls certbot to renew the cert

then make the scripts executable:

```bash
sudo chmod a+x auth.sh clean.sh renew.sh
```

Step 4: Create a Cron Job

```bash
crontab -e
```

Add this as the last line, replacing /path/to/renew.sh, YOUR_DOMAIN_COM, DOMAIN_TO_GET_CERT (the same as YOUR_DOMAIN_COM, or a subdomain of it), USERNAME and TOKEN with your own values:

```bash
@monthly /path/to/renew.sh YOUR_DOMAIN_COM DOMAIN_TO_GET_CERT USERNAME TOKEN
```
auth.sh

```bash
#!/bin/bash
# auth.sh: certbot --manual-auth-hook. certbot exports CERTBOT_VALIDATION;
# YOUR_DOMAIN_COM, DOMAIN_TO_GET_CERT, USERNAME and TOKEN are exported by renew.sh.

# construct the _acme-challenge.xxx host name, relative to the registered domain
# (example.com -> _acme-challenge, sub.example.com -> _acme-challenge.sub)
validate_record_host=$(echo "$YOUR_DOMAIN_COM" "$DOMAIN_TO_GET_CERT" | python3 -c "import sys; domain, domain_to_get_cert = sys.stdin.read().split(); print('.'.join(['_acme-challenge', domain_to_get_cert.replace(domain, '').rstrip('.')]).rstrip('.'))")
# create new dns record
curl -u "$USERNAME:$TOKEN" "https://api.name.com/v4/domains/$YOUR_DOMAIN_COM/records" -X POST \
  --data '{"host":"'"$validate_record_host"'","type":"TXT","answer":"'"$CERTBOT_VALIDATION"'","ttl":300}'
# give the record time to propagate before certbot queries it
sleep 30
```

clean.sh

```bash
#!/bin/bash
# clean.sh: certbot --manual-cleanup-hook, run after validation.
# Delete the TXT record(s) auth.sh created, using the same host name it used
# (the original only matched the bare _acme-challenge host, so records for a
# subdomain were never removed).
validate_record_host=$(echo "$YOUR_DOMAIN_COM" "$DOMAIN_TO_GET_CERT" | python3 -c "import sys; domain, domain_to_get_cert = sys.stdin.read().split(); print('.'.join(['_acme-challenge', domain_to_get_cert.replace(domain, '').rstrip('.')]).rstrip('.'))")
# collect the ids of all records with that host
ids=$(curl -u "$USERNAME:$TOKEN" "https://api.name.com/v4/domains/$YOUR_DOMAIN_COM/records" | python3 -c "import json, sys; host = sys.argv[1]; print(' '.join(str(r.get('id')) for r in json.load(sys.stdin)['records'] if r.get('host') == host))" "$validate_record_host")
for id in $ids
do
  curl -u "$USERNAME:$TOKEN" "https://api.name.com/v4/domains/$YOUR_DOMAIN_COM/records/$id" -X DELETE
done
```
renew.sh

```bash
#!/bin/bash
# renew.sh: usage: renew.sh YOUR_DOMAIN_COM DOMAIN_TO_GET_CERT USERNAME TOKEN
# The variables are exported so the auth/cleanup hooks inherit them. Note that a
# token passed as a command-line argument is visible in the process list and in
# the crontab entry to anyone who can read them.
export YOUR_DOMAIN_COM=$1
export DOMAIN_TO_GET_CERT=$2
export USERNAME=$3
export TOKEN=$4
# quote the wildcard so the shell cannot glob-expand it
certbot certonly \
  --renew-by-default \
  -d "*.$DOMAIN_TO_GET_CERT" \
  -d "$DOMAIN_TO_GET_CERT" \
  --preferred-challenges dns \
  --manual --manual-auth-hook "$(dirname "$0")/auth.sh" \
  --manual-cleanup-hook "$(dirname "$0")/clean.sh" \
  --manual-public-ip-logging-ok --agree-tos \
  --server https://acme-v02.api.letsencrypt.org/directory
```
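An added example, not one of the gist's scripts: the same auth/cleanup logic as a single Python hook that derives the record host from CERTBOT_DOMAIN (certbot sets it for every manual hook) instead of a DOMAIN_TO_GET_CERT argument, rejects names outside the registered domain, and on cleanup deletes only the record carrying this run's CERTBOT_VALIDATION value. The file name hook.py, its `auth`/`cleanup` sub-commands and the use of urllib in place of curl are assumptions of this example.

```python
# hook.py (added example): `hook.py auth` as --manual-auth-hook, `hook.py cleanup`
# as --manual-cleanup-hook. Assumes renew.sh exports YOUR_DOMAIN_COM, USERNAME, TOKEN.
import base64, json, os, sys, time, urllib.request

API = "https://api.name.com/v4/domains"

def challenge_host(registered_domain, cert_domain):
    """TXT host relative to the registered domain: example.com -> '_acme-challenge',
    www.example.com -> '_acme-challenge.www'. A leading '*.' is dropped."""
    cert_domain = cert_domain[2:] if cert_domain.startswith("*.") else cert_domain
    if cert_domain == registered_domain:
        return "_acme-challenge"
    suffix = "." + registered_domain
    if not cert_domain.endswith(suffix):
        raise ValueError(f"{cert_domain} is not under {registered_domain}")
    return "_acme-challenge." + cert_domain[:-len(suffix)]

def records_to_delete(records, host, validation):
    """IDs of TXT records matching both host and this run's value, nothing else."""
    return [r["id"] for r in records if r.get("type") == "TXT"
            and r.get("host") == host and r.get("answer") == validation]

def api(method, path, user, token, body=None):
    cred = base64.b64encode(f"{user}:{token}".encode()).decode()
    req = urllib.request.Request(
        f"{API}/{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Basic {cred}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def main(argv):
    registered, user, token = (os.environ[k] for k in ("YOUR_DOMAIN_COM", "USERNAME", "TOKEN"))
    host = challenge_host(registered, os.environ["CERTBOT_DOMAIN"])
    validation = os.environ["CERTBOT_VALIDATION"]
    if argv[1:] == ["auth"]:
        api("POST", f"{registered}/records", user, token,
            {"host": host, "type": "TXT", "answer": validation, "ttl": 300})
        time.sleep(30)  # give name.com's authoritative servers time to publish it
    elif argv[1:] == ["cleanup"]:
        recs = api("GET", f"{registered}/records", user, token)["records"]
        for rid in records_to_delete(recs, host, validation):
            api("DELETE", f"{registered}/records/{rid}", user, token)
    else:
        sys.exit("usage: hook.py auth|cleanup")

if __name__ == "__main__":
    main(sys.argv)
```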