La Vita è Bear

Switching to wildcard certificates for certbot with Porkbun

Over the weekend there was an HN thread discussing Certificate Transparency logs, which prompted me to toot this:

While switching to wildcard certificates doesn’t really hide your subdomains, it helps to some degree, so I decided to switch my certs to wildcards.

Wildcard certs require the DNS challenge from certbot. There are some DNS plugins for certbot that are packaged with most distros (including Debian), but those do not include Porkbun, my choice of DNS provider. There’s a third-party Python Porkbun DNS plugin recommended by the official doc, but since it is not packaged by Debian, you have to use sudo pip3 install to install it so that the certbot installed via Debian can recognize it, and Debian has a huge warning against using sudo pip3 install.

Since I had already written some Go code against the Porkbun API, and certbot provides good documentation on how to do DNS challenges “manually”, I decided to write another Go program to do this instead, so that I can have a single statically compiled Go binary, with up/down scripts, that can be put on any machine running certbot to handle the task.

The code is in a GitHub repo here. I just put the compiled binary (certbot-dns-porkbun) and the 2 scripts (authenticator.sh and cleanup.sh) into the same directory (I put them under /etc/letsencrypt/porkbun), then run this to get wildcard certs:

sudo certbot certonly \
  -n \
  --agree-tos \
  --manual \
  --preferred-challenges=dns \
  --manual-auth-hook /etc/letsencrypt/porkbun/authenticator.sh \
  --manual-cleanup-hook /etc/letsencrypt/porkbun/cleanup.sh \
  -d yuxuan.org \
  -d '*.yuxuan.org'
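
As an added example (not the code from the repo mentioned above), this shows what an auth hook has to derive from the `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` variables certbot sets: the command above requests both yuxuan.org and *.yuxuan.org, and both validate at the same `_acme-challenge` name with different values, so the hook creates a new TXT record on each run instead of overwriting one. The Porkbun endpoint and field names are assumed from Porkbun's v3 API documentation, and the `PORKBUN_*` environment variable names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Assumed from Porkbun's v3 API documentation; not taken from the author's repo.
const apiBase = "https://api.porkbun.com/api/json/v3"

// challengeRecord maps CERTBOT_DOMAIN to the TXT record name relative to the zone.
func challengeRecord(zone, certbotDomain string) (string, error) {
	zone = strings.ToLower(strings.TrimSuffix(zone, "."))
	d := strings.ToLower(strings.TrimSuffix(certbotDomain, "."))
	d = strings.TrimPrefix(d, "*.") // wildcard and base name validate at the same record
	switch {
	case zone == "" || d == "":
		return "", fmt.Errorf("zone and domain must both be set")
	case d == zone:
		return "_acme-challenge", nil
	case strings.HasSuffix(d, "."+zone): // the dot keeps "evilyuxuan.org" out
		return "_acme-challenge." + strings.TrimSuffix(d, "."+zone), nil
	}
	return "", fmt.Errorf("%q is not inside zone %q", certbotDomain, zone)
}

// buildCreate returns the URL and JSON body for Porkbun's dns/create call.
func buildCreate(zone, certbotDomain, validation, apiKey, secretKey string) (string, []byte, error) {
	name, err := challengeRecord(zone, certbotDomain)
	if err != nil {
		return "", nil, err
	}
	body, err := json.Marshal(map[string]string{"apikey": apiKey, "secretapikey": secretKey,
		"name": name, "type": "TXT", "content": validation, "ttl": "600"})
	return apiBase + "/dns/create/" + strings.ToLower(strings.TrimSuffix(zone, ".")), body, err
}

func main() {
	// Dry run. PORKBUN_* names are hypothetical; CERTBOT_* are set by certbot.
	url, _, err := buildCreate(os.Getenv("PORKBUN_ZONE"), os.Getenv("CERTBOT_DOMAIN"),
		os.Getenv("CERTBOT_VALIDATION"), os.Getenv("PORKBUN_API_KEY"), os.Getenv("PORKBUN_SECRET_KEY"))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("would POST to", url) // the body holds the API secret, so it is not printed
}
```

The matching cleanup hook should delete only the TXT record whose content equals `CERTBOT_VALIDATION`, since the other challenge value may still be awaiting validation.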

Note that in order to automatically restart/reload your HTTP server after renewal (so that it picks up the updated certs), you need a deploy hook. I just put a script under /etc/letsencrypt/renewal-hooks/deploy/ to reload nginx:

$ cat /etc/letsencrypt/renewal-hooks/deploy/nginx.sh
#!/bin/sh

exec systemctl reload nginx