Let's Encrypt Wildcard Renewal Process

Let's Encrypt  is the de-facto standard for HTTPS certificate authority. However, the Let's Encrypt wildcard renewal process is not supported for automatic updates by a number of Dynamic DNS providers. In this case the following procedure may help in order to renew the wildcard certificate and to distribute it to a number of production servers.


1. Let's Encrypt "Certbot" Installation

1. Go to "Kassel" on Aragon, via OpenVPN etc.
    /etc/letsencrypt contains the following files:

    - certbot-renew.bash:
      Requests a certificate renewal.
      Guides you through the process

    - certbot-deploy.bash:
      Creates a combined PEM file for Pound
      and copies the file to the connected computers.




# -------------------------------------------
# /etc/letsencrypt/certbot-renew.bash
# -------------------------------------------

/usr/bin/certbot certonly \
    --manual \
    --preferred-challenges=dns \
    --email first.last@domain.com \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --agree-tos \
    -d '*.domain.net'





# -------------------------------------------
# /etc/letsencrypt/certbot-renew.bash
# -------------------------------------------

cat /etc/letsencrypt/live/domain.net/privkey.pem /etc/letsencrypt/live/domain.net/fullchain.pem > `/bin/date +/etc/letsencrypt/pound-combined.\%Y-\%m-\%d.pem`

echo ""
echo "PEM written to /etc/letsencrypt/"
echo ""
echo "Copying PEM to root@server.domain.net:/usr/local/pound/conf/certificates/letsencrypt/"
echo ""

scp `/bin/date +/etc/letsencrypt/pound-combined.\%Y-\%m-\%d.pem` root@server.domain.net:/usr/local/pound/conf/certificates/letsencrypt/

echo ""
echo "Written"
echo ""





2. Run cerbot-renew.bash

        cd /etc/letsencrypt
      bash certbot-renew.bash

    The instructions will tell you:

        Please deploy a DNS TXT record under the name
        _acme-challenge.domain.net with the following value:



3. Update Dynu (DNS Provider) Entry

  • Login to your DNS provider (https://www.dynu.com/)
  • Go to Control Panels: https://www.dynu.com/en-US/ControlPanel/
  • Go to the project-open.net entry
  • Go to DDNS Services and click on the "pencils in glass" icon ("Manage DNS Records for hostname").
  • Go to the last page of the list (currently 105 items...)
  • Edit the "_acme-challenge.domain.net" entry and add the content of the XXX-XXX-XXX-XXX above
  • Wait for 30 seconds (cache time of the _acme TXT record)
  • Continue with Certbot
  • Certbot will finish with a message "[...] saved at: /etc/letsencrypt/live/<domain>/fullchain.pem [...]"
  • If you run Certbot multiple times, then it may save the certs in a different folder.


4. Run certbot-deploy.bash

        bash certbot-deploy.bash

    The script will announce to copy the new certificates from the folder /etc/letsencrypt/live/<domain>

        pound-combined.YYYY-MM-DD.pem and

    to several production servers.


5. Manually Install 

    For security reasons, the new certificates include a YYYY-MM-DD timestamp. Now you need to go to all production servers and in the respective path:

  • copy the xxxx-combined.YYYY-MM-DD.pem certificates to xxxx-combined.pem
  • Restart the respective Pound or NGINX


  • /etc/init.d/nginx restart
  • You can optionally copy fullchain.pem to fullchain.YYYY-MM-DD.pem and privkey.pem to privkey.YYYY-MM-DD.pem


  • certbot-deploy.bash already copies the final fullchain.pem and privkey.pem to the right folder. You just have to execute:
  • systemctl restart nginx
  • You can optionally copy fullchain.pem to fullchain.YYYY-MM-DD.pem and privkey.pem to privkey.YYYY-MM-DD.pem


  • cd /usr/local/pound/conf/certificates/letsencrypt/
  • cp pound-combined.<date>.pem pound-combined.pem
  • /etc/init.d/pound restart


  Contact Us
  Project Open Business Solutions S.L.

Calle Aprestadora 19, 12o-2a

08902 Hospitalet de Llobregat (Barcelona)


 Tel Europe: +34 609 953 751
 Tel US: +1 415 200 2465
 Mail: info@project-open.com