This is translation of article from clsv.ru, which explains how to automate certbot's well-known, also known as HTTP challenge for wildcard certs renewal.
You'll need 4 scripts:
- Authentication script, which will write authentication file:
#!/bin/bashecho $CERTBOT_VALIDATION > /var/www/html/.well-known/$CERTBOT_TOKEN- Cleanup script, that will delete that
#!/bin/bashrm -f /var/www/html/.well-known/$CERTBOT_TOKEN- Initial cert acquiring script:
certbot certonly \ --preferred-challenges=http --manual \ --manual-auth-hook /path/to/auth.sh \ --manual-cleanup-hook /oath/to/clean.sh -d "yourhost.org,*.yourhost.org" \ --manual-public-ip-logging-ok- Renewal script itself, to put it in crontab (or /etc/cron.weekly)
certbot renew --manual-public-ip-logging-ok \ --manual-auth-hook /path/to/auth.sh \ --manual-cleanup-hook /path/to/clean.shsystemctl reload nginxDon't forget to configure your http server to serve .well-known.