Let’s Encrypt

How to automatically renew Let’s Encrypt wildcard certificates with Certbot




IONOS API

Getting Started with the IONOS APIs

Lookup your API key


IONOS authentication hook

Certbot executes this hook before validation, so that the DNS record exists when Let’s Encrypt checks it.
The hook writes a temporary file containing a JSON payload with the DNS record data,
then uses the curl command to send a PUT request to the IONOS API to create the record.

/home/wildw1ng/bin/ionos-auth-hook
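#!/bin/bash
IONOS_PUBLICPREFIX="YOUR_API_KEY"
IONOS_SECRET="YOUR_API_SECRET"

# Write the payload to an unpredictable, owner-only temporary file and remove it on exit
PAYLOAD="$(mktemp)" || exit 1
trap 'rm -f "$PAYLOAD"' EXIT
echo "{ \"data\": \"$CERTBOT_VALIDATION\" }" > "$PAYLOAD"

# Send the PUT request that creates the record
curl -s -X PUT -H "Content-Type: application/json" -H "Authorization: Basic $(echo -n "$IONOS_PUBLICPREFIX:$IONOS_SECRET" | base64 -w 0)" -d @"$PAYLOAD" "https://api.hosting.ionos.com/dns/v1/zones/$CERTBOT_DOMAIN." -o /dev/null

# The script contains the API credentials, so make it accessible to its owner only
chmod 700 /home/wildw1ng/bin/ionos-auth-hook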

IONOS cleanup hook

Certbot executes this hook after validation to remove the DNS record.
The hook writes a temporary file containing a JSON payload with the DNS record data,
then uses the curl command to send a DELETE request to the IONOS API to delete the record.

/home/wildw1ng/bin/ionos-cleanup-hook
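#!/bin/bash
IONOS_PUBLICPREFIX="YOUR_API_KEY"
IONOS_SECRET="YOUR_API_SECRET"

# Write the payload to an unpredictable, owner-only temporary file and remove it on exit
PAYLOAD="$(mktemp)" || exit 1
trap 'rm -f "$PAYLOAD"' EXIT
echo "{ \"data\": \"$CERTBOT_VALIDATION\" }" > "$PAYLOAD"

# Send the DELETE request that removes the record
curl -s -X DELETE -H "Content-Type: application/json" -H "Authorization: Basic $(echo -n "$IONOS_PUBLICPREFIX:$IONOS_SECRET" | base64 -w 0)" -d @"$PAYLOAD" "https://api.hosting.ionos.com/dns/v1/zones/$CERTBOT_DOMAIN." -o /dev/null

# The script contains the API credentials, so make it accessible to its owner only
chmod 700 /home/wildw1ng/bin/ionos-cleanup-hook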

Note

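Make sure to replace YOUR_API_KEY and YOUR_API_SECRET with your actual IONOS API credentials.
Both hook files then hold these credentials in plain text, so keep them inaccessible to other users on the system.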
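
Both hooks place $CERTBOT_DOMAIN and $CERTBOT_VALIDATION directly into a URL and a JSON string, and both store the API credentials in the script itself. The following is an added example, not part of the original page, of checks a hook could run before sending any request. The function names are hypothetical, and stat -c assumes GNU coreutils, as base64 -w 0 in the hooks already does.

```bash
#!/bin/bash
# Added example: input and permission checks for a certbot manual hook.
# Function names are hypothetical; stat -c assumes GNU coreutils.

# A DNS-01 validation string is the unpadded base64url encoding of a
# SHA-256 digest: exactly 43 characters from A-Z, a-z, 0-9, "_" and "-".
valid_validation() {
    [ "${#1}" -eq 43 ] || return 1
    case "$1" in *[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# Accept only dot-separated labels of letters, digits and inner hyphens,
# so the value is safe to place in the request URL.
valid_domain() {
    [ "${#1}" -le 253 ] || return 1
    case "$1" in
        ''|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
        *[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
    esac
    return 1
}

# Succeed only if the file grants nothing to group or others (e.g. 700, 600).
private_file() {
    case "$(stat -c '%a' "$1" 2>/dev/null)" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the JSON payload the hooks send, or fail without output on bad input.
build_payload() {
    valid_domain "$1" || return 1
    valid_validation "$2" || return 1
    printf '{ "data": "%s" }' "$2"
}

# Constructed sample value, not a real challenge response.
SAMPLE_VALIDATION="AbCdEfGhIjKlMnOpQrStUvWxYz0123456789_-AbCdE"

# Usage inside a hook, before any request is sent:
#   private_file "$0" || exit 1
#   payload="$(build_payload "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")" || exit 1
build_payload "example.com" "$SAMPLE_VALIDATION"; echo
```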


Renew Let’s Encrypt certificates with Certbot

/home/wildw1ng/bin/wildcard-renewal
#!/bin/bash
# Domain to renew
DOMAIN="wildw1ng.com"

# Check if certbot is installed; exit non-zero so systemd records the failure
if ! command -v certbot &> /dev/null
then
    echo "Certbot could not be found. Please install it first." >&2
    exit 1
fi

# Renew wildcard certificate
sudo certbot certonly \
    --non-interactive \
    --no-eff-email \
    --agree-tos \
    --staple-ocsp \
    --manual \
    --preferred-challenges=dns \
    --manual-auth-hook /home/wildw1ng/bin/ionos-auth-hook \
    --manual-cleanup-hook /home/wildw1ng/bin/ionos-cleanup-hook \
    -d "$DOMAIN" \
    -d "*.$DOMAIN" \
    -d "*.cozy.$DOMAIN"

chmod +x /home/wildw1ng/bin/wildcard-renewal

Service and timer for automatic renewal

/etc/systemd/system/certbot.service
[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/home/wildw1ng/bin/wildcard-renewal

/etc/systemd/system/certbot.timer
[Unit]
Description=Twice daily renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=0/12:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target

Enable renewal service

systemctl enable certbot.timer