TheGeekery

The Usual Tech Ramblings

Changing certbot validation plugin

I use letsencrypt for a number of SSL certificates, from websites to mail services. The easiest (and documented) way of requesting certificates is via certbot, a utility that makes requesting certificates easy. I won’t go into the details on how to do that; there are plenty of guides, and even the documentation gives you some straightforward steps.

Part of the request process involves validation: just like with traditional SSL providers, you are asked for some method of proving you own the domain you’re requesting a certificate for. The most obvious way is a text file on a web server; another is DNS. In my case, I use DNS validation for my mail servers, as they don’t run web servers. There are a number of plugins for DNS validation that automatically push the required DNS records for you, so you don’t have to create them manually. For example, with Route53 (Amazon Web Services’ DNS service) you’d run something like:

certbot certonly --dns-route53 -d example.com

That works great, until you decide to move DNS providers and find the automatic renewals in the background stop working, because certbot is still trying to use the old provider’s plugin. So you need to update the renewal information. There are two ways to do this. The first is to edit the renewal configuration file in /etc/letsencrypt/renewal/example.com.conf. The other is via certbot itself, which also validates that the actual renewal is going to work. We’ll go with the latter. In my case, I moved from Route53 to Cloudflare, so the change looks like this:

certbot reconfigure --cert-name example.com --dns-cloudflare --dns-cloudflare-credentials /path/to/credentials.ini

This runs the command as if it were the initial request, using --dry-run, and validates that the DNS records can be updated successfully. If it succeeds, you get a notice that the command was successful, and the next renewal will use the new validation plugin. Now you’re done, and using the new plugin.
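The following is an added example (not from the original post) that walks through both ways of switching the plugin on a constructed copy of the renewal config: it reads the authenticator that certbot recorded, shows the hand-edit route, writes the Cloudflare credentials file with owner-only permissions (certbot warns when a credentials file is readable by others), and builds the reconfigure command. The config layout mirrors what certbot writes under /etc/letsencrypt/renewal/, but the account id and API token are placeholders and the reconfigure command is only printed, so it runs without certbot or a Cloudflare account.

```shell
#!/bin/sh
# Added example, not from the original post. All values are constructed;
# the renewal config shape follows /etc/letsencrypt/renewal/<name>.conf.
set -eu

WORK="${TMPDIR:-/tmp}/certbot-plugin-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /etc/letsencrypt/renewal/example.com.conf
cat > "$WORK/example.com.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem

# Options used in the renewal process
[renewalparams]
account = PLACEHOLDER_ACCOUNT_ID
authenticator = dns-route53
server = https://acme-v02.api.letsencrypt.org/directory
EOF

# Report which plugin a renewal config will use (the "authenticator" key).
current_authenticator() {
    sed -n 's/^authenticator[[:space:]]*=[[:space:]]*//p' "$1"
}

# Way 1 from the post: edit the renewal config by hand. Nothing here checks
# that the new plugin actually works, which is why the post prefers way 2.
set_authenticator() {
    conf="$1"; plugin="$2"
    sed "s/^authenticator[[:space:]]*=.*/authenticator = $plugin/" "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Write the Cloudflare credentials file so only its owner can read it.
# dns_cloudflare_api_token is the key certbot-dns-cloudflare reads; the value
# passed in is a placeholder. umask covers new files, chmod covers existing ones.
write_credentials() {
    creds="$1"; token="$2"
    ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$token" > "$creds" )
    chmod 600 "$creds"
}

# True when the group and other permission bits are all clear (e.g. 0600):
# columns 5-10 of "ls -ld" output are the group and other rwx fields.
credentials_are_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Way 2 from the post: build the certbot reconfigure command for a DNS plugin
# that takes a --<plugin>-credentials file (dns-cloudflare does). Printed, not run.
reconfigure_command() {
    cert_name="$1"; plugin="$2"; creds="$3"
    printf 'certbot reconfigure --cert-name %s --%s --%s-credentials %s\n' \
        "$cert_name" "$plugin" "$plugin" "$creds"
}

write_credentials "$WORK/cloudflare.ini" "PLACEHOLDER_CLOUDFLARE_API_TOKEN"
echo "current authenticator: $(current_authenticator "$WORK/example.com.conf")"
reconfigure_command example.com dns-cloudflare "$WORK/cloudflare.ini"
```

After running the real reconfigure command, `current_authenticator` against the live config should report dns-cloudflare; if it still shows dns-route53, the dry run failed and the old plugin is still what the next renewal will use.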
