Certbot: Configuration of wildcard certificate with DNS OVH challenge
In this blog post, I will cover how to generate a wildcard SSL certificate for a specific domain using Certbot. I am generating a certificate for test.domain.com and *.domain.com.
Step 1: Setup Pre-requisites
apt purge certbot
apt update && apt upgrade
First, make sure that your system has python3 installed, because python2.7 causes dependency issues.
apt install python3-pip
pip3 install certbot
pip3 install certbot-dns-ovh
Step 2: Setup Certbot
By default, Certbot writes its logs to /var/log/letsencrypt. To keep them from growing without bound, we define a logrotate configuration that rotates them monthly and keeps six archived copies, so that logs in /var/log/letsencrypt older than about six months are deleted to make room for new ones.
nano /etc/logrotate.d/certbot
/var/log/letsencrypt/*.log {
monthly
rotate 6
compress
delaycompress
notifempty
missingok
create 640 root adm
}
Step 3: OVH API Authentication for the DNS-01 Challenge
To receive a certificate from the Let’s Encrypt certificate authority (CA), you must pass a challenge to prove you control each of the domain names that will be listed in the certificate. A challenge is one of a list of specified tasks that only someone who controls the domain should be able to accomplish. One such challenge mechanism is DNS-01.
With a DNS-01 challenge, you prove ownership of a domain by proving you control its DNS records. This is done by creating a TXT record with specific content that proves you have control of the domain's DNS records.
The dns_ovh plugin automates the process of completing a DNS-01 challenge by creating, and subsequently removing, TXT records using the OVH API. The use of this plugin requires a configuration file containing OVH API credentials for an account with the following access rules:
GET /domain/zone/*
PUT /domain/zone/*
POST /domain/zone/*
DELETE /domain/zone/*
These credentials can be obtained from the OVH API token creation page for your region:
- OVH Europe (endpoint: ovh-eu)
- OVH North America (endpoint: ovh-ca)
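To make concrete what the dns_ovh plugin publishes on your behalf, here is an added Python example (not part of the original post, nor of the certbot-dns-ovh project) that computes a DNS-01 record as specified by RFC 8555 and RFC 7638: the TXT value is the base64url SHA-256 of the key authorization (the challenge token joined to the ACME account key thumbprint), and the record name is _acme-challenge. prefixed to the domain with any leading "*." removed. The token and the JWK below are constructed placeholders, not real ACME values.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_record(domain: str, token: str, thumbprint: str) -> tuple:
    """Return (record name, TXT value) for a DNS-01 challenge on `domain`."""
    key_authorization = f"{token}.{thumbprint}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    # A wildcard name is validated at the base domain: *.domain.com -> _acme-challenge.domain.com
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}", value

def challenge_records(domains, tokens, account_jwk: dict) -> dict:
    """Map each requested name to the TXT record the CA will look up (one token per name)."""
    thumbprint = jwk_thumbprint(account_jwk)
    return {d: dns01_record(d, t, thumbprint) for d, t in zip(domains, tokens)}

if __name__ == "__main__":
    # Constructed account key and tokens: placeholders, not real key material.
    fake_jwk = {"kty": "RSA", "n": "constructed-modulus", "e": "AQAB", "alg": "RS256"}
    fake_tokens = ["constructed-token-1", "constructed-token-2"]
    for name, (rr, txt) in challenge_records(["test.domain.com", "*.domain.com"],
                                             fake_tokens, fake_jwk).items():
        print(f"{name}: {rr} TXT \"{txt}\"")
```

Two points this shows that the prose does not: the two names in the Step 5 command produce two different TXT records (one at _acme-challenge.test.domain.com, one at _acme-challenge.domain.com), and the value depends on both the per-challenge token and the account key, which is why the plugin needs API rights to create and delete records for each request rather than a fixed record you could set once.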
Step 4: Credentials
Now, let’s define the .ovhapi file that contains the OVH API credentials used by Certbot. Create it in the home directory of the user that will run Certbot (root, if you use the system crontab from Step 6), since the commands below refer to it as ~/.ovhapi:
nano .ovhapi
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = xxx
dns_ovh_application_secret = xxx
dns_ovh_consumer_key = xxx
chmod 600 .ovhapi
Step 5: Generate The Wildcard SSL Certificate
certbot certonly --dns-ovh --dns-ovh-credentials ~/.ovhapi --non-interactive --agree-tos --email mon@email.fr -d test.domain.com -d '*.domain.com'
In order to find your created certificates, you can check /etc/letsencrypt/live
That’s it! Now I will cover the automation of this process using a crontab script.
Step 6: Crontab Script For Generating Wildcard SSL Certificates
Crontab is a Linux based utility for scheduling time-based jobs that run automatically at a set time or date. You can use crontab to automate and schedule tasks on your Linux machine. This is simply a file-based configuration table with lists of jobs and timings when tasks are scheduled to run.
In our case, we use crontab in order to be able to renew our certificates automatically every month.
First, let’s create a bash script named renewCerts.sh:
nano /usr/local/sbin/renewCerts.sh
#!/bin/bash
# Domain names are passed as the two script arguments (see the crontab line below).
domaine1=$1
domaine2=$2
# Double quotes are required here: single quotes would pass the literal text $domaine1 to certbot.
certbot certonly --dns-ovh --dns-ovh-credentials ~/.ovhapi --non-interactive --agree-tos --email mon@email.fr -d "$domaine1"
certbot certonly --dns-ovh --dns-ovh-credentials ~/.ovhapi --non-interactive --agree-tos --email mon@email.fr -d "$domaine2"
chmod +x /usr/local/sbin/renewCerts.sh
Next, we are going to open the crontab configuration file for editing purposes. The file is located at /etc/crontab. Run the command below to open it:
nano /etc/crontab
You can find the basic syntax for writing cron jobs in the crontab(5) manual page. Now, we just need to add the following line to renew our certificates every month. Note that entries in /etc/crontab carry a user field after the five time fields; here the job runs as root, so ~/.ovhapi resolves to /root/.ovhapi:
0 0 1 * * root /usr/local/sbin/renewCerts.sh 'test.domain.com' '*.domain.com' > /dev/null 2>&1
sudo systemctl restart cron
You can check the validity dates of your certificate using the commands below:
cd /etc/letsencrypt/live/test.domain.com
sudo openssl x509 -dates -noout < cert.pem
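As an added example (not the post's script, and not part of Certbot), here is a Python renewal wrapper that does the same job as renewCerts.sh with two safeguards a practitioner usually wants in a cron job: it refuses to run if the credentials file is readable by other users or owned by someone else, and it requests all names in a single certonly call, so Certbot finds the lineage created in Step 5 instead of creating a second one. The credentials path and the e-mail address are the post's placeholders; assuming certbot is on PATH for the cron user.

```python
#!/usr/bin/env python3
"""Renewal wrapper for Certbot with the dns-ovh plugin (added example)."""
import os
import stat
import subprocess
import sys

CREDENTIALS = os.path.expanduser("~/.ovhapi")  # assumption: same path as in the post
EMAIL = "mon@email.fr"                          # placeholder address from the post

def mode_is_private(mode: int) -> bool:
    """True if no group or other permission bits are set (what chmod 600 gives)."""
    return (stat.S_IMODE(mode) & 0o077) == 0

def check_credentials(path: str) -> None:
    """Refuse to run if the OVH API secrets could be read by another local user."""
    st = os.stat(path)
    if not mode_is_private(st.st_mode):
        raise PermissionError(
            f"{path} must be mode 600, found {oct(stat.S_IMODE(st.st_mode))}")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not owned by the user running this script")

def build_certbot_args(domains, credentials=CREDENTIALS, email=EMAIL) -> list:
    """Build one certonly invocation that covers every requested name."""
    if not domains:
        raise ValueError("at least one domain is required")
    args = ["certbot", "certonly", "--dns-ovh", "--dns-ovh-credentials", credentials,
            "--non-interactive", "--agree-tos", "--email", email]
    for d in domains:
        # Passed as a separate argv element, so '*.domain.com' is never glob-expanded.
        args += ["-d", d]
    return args

def main(argv) -> int:
    domains = argv[1:]
    check_credentials(CREDENTIALS)
    cmd = build_certbot_args(domains)
    # Output goes to cron mail / the Certbot log; non-zero exit is reported by cron.
    return subprocess.run(cmd).returncode

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Used from /etc/crontab the line is the same shape as the post's, e.g. 0 0 1 * * root /usr/local/sbin/renewCerts.py 'test.domain.com' '*.domain.com'. Certbot also ships its own scheduler-friendly path, certbot renew, which re-reads the plugin settings it saved at issuance and only renews certificates that are close to expiry; the wrapper above keeps the post's explicit certonly approach so the domain list stays visible in the crontab.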
Note:
Sometimes you install packages using pip but the executable can’t be found on the command line. In this case, add the following line to .bashrc and then run source .bashrc:
export PATH="$HOME/.local/bin:$PATH"
References:
Welcome to certbot-dns-ovh’s documentation!
Mise en place de certificat wildcard avec Letsencrypt et OVH