Certbot and DNS with BIND and Windows
What a blessed hassle it is. Here's what needs to be done.
The below script, when run;
Big ASH Gotcha!
If you use the preconfigured directory structure Let's Encrypt / Certbot provides in /etc/letsencrypt/renewal-hooks, watch out!
When renewing a certificate, Certbot automatically runs every executable it finds in that directory tree, for instance /etc/letsencrypt/renewal-hooks/pre/WhatEver.sh, in addition to whatever the renewal config names.
Take the /etc/letsencrypt/renewal/WhatEverRenewalFile below (WHICH CERTBOT AUTOMATICALLY CREATES ITSELF WHEN GETTING A NEW CERTIFICATE!):
# renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/WhatEverDomain.com
cert = /etc/letsencrypt/live/WhatEverDomain.com/cert.pem
privkey = /etc/letsencrypt/live/WhatEverDomain.com/privkey.pem
chain = /etc/letsencrypt/live/WhatEverDomain.com/chain.pem
fullchain = /etc/letsencrypt/live/WhatEverDomain.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = WhatEverAccountNumber
pref_challs = dns-01,
authenticator = manual
manual_auth_hook = /etc/letsencrypt/renewal-hooks/pre/ManualAuth.sh
manual_cleanup_hook = /etc/letsencrypt/renewal-hooks/post/ManualCleanUp.sh
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
Guess how many times the WhatEver.sh script in /etc/letsencrypt/renewal-hooks/pre/ runs? Once, as one might think from the renewal config file above? Nope, TWICE!
Yup, that's right. Everything in /etc/letsencrypt/renewal-hooks/pre/ is run simply because it sits in that directory. Then anything listed in the renewal config file (here manual_auth_hook, which points into that same pre/ directory) is run again. Woof!
LESSON LEARNED: Put hooks in a CUSTOM directory structure, NOT in the one provided by Let's Encrypt!
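The second consequence of the double run is worse than wasted time: when Certbot executes a script as a renewal-hooks/pre directory hook, the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables it exports to manual_auth_hook are not set, so an unguarded script fires its DNS update with empty values. The following is an added example (my own, not the post's script and not Certbot's code) of a BIND dns-01 auth hook driven by nsupdate with a TSIG key that refuses to act unless it was actually invoked as the auth hook. The server, zone and key file names are assumed placeholders; the wildcard handling and the add/delete builder go a little beyond the post, since the cleanup hook is the mirror image of the auth hook.

```shell
#!/bin/sh
# ManualAuth.sh (hypothetical): certbot manual_auth_hook that publishes the
# dns-01 TXT record on a BIND primary via nsupdate and a TSIG key.
# It is a deliberate no-op when certbot runs it as a renewal-hooks/pre
# directory hook, because CERTBOT_DOMAIN / CERTBOT_VALIDATION are absent there.

# Site settings: assumed names, adjust for your zone and key file.
DNS_SERVER="${DNS_SERVER:-ns1.example.com}"
DNS_ZONE="${DNS_ZONE:-example.com}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/letsencrypt/keys/certbot-tsig.key}"
TXT_TTL=60
PROPAGATION_WAIT=30

# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION only when the script
# runs as manual_auth_hook / manual_cleanup_hook. Succeed only if both are set.
hook_should_run() {
    [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]
}

# Map a certificate name to the ACME challenge owner name (FQDN, trailing dot).
# A wildcard "*.example.com" is validated at _acme-challenge.example.com.
acme_record_name() {
    domain="${1#\*.}"
    printf '_acme-challenge.%s.\n' "$domain"
}

# Emit the nsupdate command batch that adds or deletes the TXT record.
# Usage: build_nsupdate_input add|delete SERVER ZONE NAME VALUE TTL
build_nsupdate_input() {
    action="$1"; server="$2"; zone="$3"; name="$4"; value="$5"; ttl="$6"
    printf 'server %s\n' "$server"
    printf 'zone %s\n' "$zone"
    if [ "$action" = add ]; then
        printf 'update add %s %s IN TXT "%s"\n' "$name" "$ttl" "$value"
    else
        # Delete only this exact value so a parallel validation keeps its record.
        printf 'update delete %s IN TXT "%s"\n' "$name" "$value"
    fi
    printf 'send\n'
}

# Publish the challenge record, then wait so secondaries can catch up
# before Let's Encrypt queries the zone.
run_auth_hook() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    build_nsupdate_input add "$DNS_SERVER" "$DNS_ZONE" "$name" \
        "$CERTBOT_VALIDATION" "$TXT_TTL" | nsupdate -k "$TSIG_KEYFILE" || return 1
    sleep "$PROPAGATION_WAIT"
}

if hook_should_run; then
    run_auth_hook || exit 1
else
    echo "ManualAuth.sh: CERTBOT_DOMAIN/CERTBOT_VALIDATION not set; not running as manual_auth_hook, nothing to do" >&2
fi
```

A matching ManualCleanUp.sh is the same script with `build_nsupdate_input delete` in place of `add` and no sleep. Even with the guard in place, the post's lesson still applies: keep both scripts outside /etc/letsencrypt/renewal-hooks so they are only ever started through the renewal config, and restrict the TSIG key in named.conf to TXT updates on the _acme-challenge names so a leaked key cannot rewrite the rest of the zone.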