A little note to self. The certs for my sites were due for renewal, so as usual
I logged into my box and ran
sudo certbot renew
and encountered the following:
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (mysite.org-0001) from /etc/letsencrypt/renewal/mysite-0001.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
So renewing a wildcard certificate is more involved than renewing a standard certificate: from my reading, the process is almost the same as creating a new wildcard cert, because the manual plugin cannot answer the dns-01 challenge on its own. There is apparently a way to automate this - more info later.
So the command that I use to re-generate the wildcard certificate is:
sudo certbot certonly --manual -d *.mysite.org --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Running that command, a prompt will come up:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for mysite.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.mysite.org with the following value:

the-value-from-the-script

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Don't press Enter yet; now we need to go to the hosting admin panel and add a DNS TXT record named _acme-challenge with the value from the prompt. My site is hosted on DigitalOcean and here is how it looks:
When that's done, we can hit Enter. Certbot will verify that we own this domain by looking up the DNS record, and if all is well you will see the following:
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mysite.org-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mysite.org-0001/privkey.pem
   Your cert will expire on 2021-04-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
And we are done; you can refresh the site now and the SSL warning should go away. If it doesn't, you might need to restart your web server so it picks up the new files under /etc/letsencrypt/live/.
Auto renew wildcard certificate
Apparently I can auto-renew the certificate using a certbot DNS plugin. For my case, I could use certbot-dns-digitalocean.
I shall look into that in the future; the current manual process is not that annoying, as I only need to do this every 3 months.
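The PluginError at the top is certbot asking for exactly this: a script it can call to publish the TXT record itself, so that "certbot renew" no longer needs a human at the prompt. The following is an added example, not code from certbot or from the certbot-dns-digitalocean plugin; it assumes the DigitalOcean v2 domain-records API, a write-scoped API token in DO_API_TOKEN, and that the DNS zone is the last two labels of the domain unless DO_DNS_ZONE is set.

```python
# Certbot --manual-auth-hook / --manual-cleanup-hook for the DigitalOcean DNS API.
# Assumes the v2 endpoint https://api.digitalocean.com/v2/domains/<zone>/records
# and DO_API_TOKEN set to a write-scoped personal access token.
import json, os, sys, time, urllib.request

API = "https://api.digitalocean.com/v2/domains"

def zone_for(domain, override=None):
    # Assumption: zone = last two labels (mysite.org); set DO_DNS_ZONE for example.co.uk-style names.
    return override or os.environ.get("DO_DNS_ZONE") or ".".join(domain.split(".")[-2:])

def record_name(domain, zone):
    # Relative TXT name: '_acme-challenge' at the apex, '_acme-challenge.sub' below it.
    # For '-d *.mysite.org' certbot passes CERTBOT_DOMAIN=mysite.org to the hook.
    if domain == zone:
        return "_acme-challenge"
    if not domain.endswith("." + zone):
        raise ValueError(f"{domain} is not inside zone {zone}")
    return "_acme-challenge." + domain[: -len(zone) - 1]

def txt_payload(name, value, ttl=60):
    # Body for POST .../records; a short TTL keeps stale challenge values from lingering.
    return {"type": "TXT", "name": name, "data": value, "ttl": ttl}

def api(method, path, body=None):
    headers = {"Authorization": "Bearer " + os.environ["DO_API_TOKEN"],
               "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body else None
    req = urllib.request.Request(f"{API}/{path}", method=method, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def auth_hook(env):
    # Create the record and return "<zone>:<id>"; certbot hands the auth hook's stdout
    # to the cleanup hook as CERTBOT_AUTH_OUTPUT, so no state file is needed.
    zone = zone_for(env["CERTBOT_DOMAIN"])
    name = record_name(env["CERTBOT_DOMAIN"], zone)
    rec = api("POST", f"{zone}/records", txt_payload(name, env["CERTBOT_VALIDATION"]))
    time.sleep(30)  # give the authoritative servers time before Let's Encrypt queries them
    return f"{zone}:{rec['domain_record']['id']}"

def cleanup_hook(env):
    zone, rec_id = env["CERTBOT_AUTH_OUTPUT"].strip().split(":")
    api("DELETE", f"{zone}/records/{rec_id}")

if __name__ == "__main__":
    if sys.argv[1] == "auth":
        print(auth_hook(os.environ))
    else:
        cleanup_hook(os.environ)
```

Add --manual-auth-hook "python3 /path/to/do_hook.py auth" and --manual-cleanup-hook "python3 /path/to/do_hook.py cleanup" to the certonly command above once; certbot stores the hooks in the renewal conf, so later "sudo certbot renew" runs unattended.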