I’m a big fan of Let’s Encrypt but when I recently found out about TLS Certificate Transparency Logs and how easy they made searching for otherwise unpublished subdomains, I decided that it might be a good idea to look into using wildcard TLS certificates.
A minor complication was that to validate a wildcard certificate Let’s Encrypt needs to create a TXT DNS record for your domain with a validation code. This is known as the DNS-01 challenge. I happen to use Namecheap as the registrar for most of my domains and luckily there is a Python library to access their API and automatically create this DNS record.
I’ve written a quick Python script which works as a manual authentication hook for Let’s Encrypt’s certbot and helps to automate the process of issuing / renewing a certificate using the DNS-01 challenge.
Usage:
- Obtain API credentials for Namecheap as detailed here
- Download the script and edit to add the API credentials to the appropriate variables
N.B. Bad Things could happen if these credentials become public, please take appropriate precautions to keep them secure. - To issue / renew a wildcard certificate for your domain run certbot something like this:
sudo certbot certonly \
--non-interactive \
--manual \
--manual-public-ip-logging-ok \
-d <*.domain> \
--email <email@address> \
--manual-auth-hook <path/to/the/script>
Pingback: Automatitzar la creació d’un certificat Letsencrypt wildcard – Blog de Daniel Talens