I searched a half hour for a how-to for Let’s Encrypt Wildcard certificates with automatic renewal.
All sites I’ve found just promoted the manual method, where I would have to manually add dns entries every 3 months – neeeeeever!
Then I stumbled upon acme.sh. This ACME client for Let’s Encrypt even has plugins for most providers that offer DNS configuration and expose an API, and there is one for my provider, netcup.de.
Couldn’t be better. Just set the environment variables as described in the plugin’s (quite short) how-to, and run the command to get a new cert.
It might also be a good idea to ask for a bigger key size, because the default is just 2048 bits.
acme.sh --issue --dns dns_netcup -d example.com -d '*.example.com' -k 4096
And you’re done.
Now the remaining work is to point your services at the new certificates.
For me those were:
- apache
- quasselcore
- postfix
- dovecot
- prosody (xmpp/jabber)
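Because the cert is renewed automatically, the services also have to pick up the new files without manual work. The following is an added example (not from this post or from acme.sh itself) that wraps the issue step above and uses acme.sh’s own --install-cert / --reloadcmd mechanism so every renewal is copied into place and the services are reloaded; it also checks up front that the netcup plugin’s environment variables are set. It assumes acme.sh under ~/.acme.sh, systemd-managed services, and /etc/ssl/<domain>/ as target directory; the service names and paths are illustrative.

```shell
#!/bin/sh
# Added example: issue the wildcard cert with the dns_netcup plugin and let
# acme.sh deploy it to the services on every renewal.
# Assumptions: acme.sh in ~/.acme.sh, services under systemd, certs read
# from /etc/ssl/<domain>/. Paths and service names are illustrative only.

# Credentials the dns_netcup plugin reads from the environment.
NETCUP_VARS="NC_Apikey NC_Apipw NC_CID"

# Report any unset plugin variable on stderr; return 1 if one is missing.
check_env() {
    missing=""
    for v in $NETCUP_VARS; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    [ -z "$missing" ] && return 0
    echo "missing:${missing}" >&2
    return 1
}

# Build the --install-cert command for a domain: acme.sh copies key and full
# chain into place and runs the reload command after every renewal.
install_cert_cmd() {
    domain="$1"; dir="$2"; services="$3"
    printf '%s' "$HOME/.acme.sh/acme.sh --install-cert -d $domain" \
        " --key-file $dir/privkey.pem --fullchain-file $dir/fullchain.pem" \
        " --reloadcmd 'systemctl reload $services'"
}

# Issue (4096-bit RSA, as in the post) and install; only runs when asked to.
deploy() {
    check_env || return 1
    "$HOME/.acme.sh/acme.sh" --issue --dns dns_netcup -d "$1" -d "*.$1" -k 4096
    sh -c "$(install_cert_cmd "$1" "/etc/ssl/$1" "$2")"
}

if [ "${1:-}" = "deploy" ]; then
    deploy example.com "apache2 postfix dovecot prosody"
fi
```

Services that cannot reload (quasselcore, for instance) need a restart in the reload command instead; check that the reload actually happened after the first renewal rather than waiting for the old cert to expire.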
Again, Qualys SSL Labs and MXToolbox were a great help in checking that everything works as expected, thanks for that, guys!