
Hetzner w/ TransIP DNS & LE Wildcard

By Jasper Frumau

A Let’s Encrypt wildcard certificate requires DNS verification. Ploi does not offer TransIP as a DNS provider for generating LE wildcard SSL certificates. Installing the TransIP Certbot plugin is possible using pip install certbot-dns-transip, but that does not work together with a snap-installed Certbot, and the snap install is what Ploi sets up. So in the end I had to install Docker with

sudo apt install docker.io
sudo systemctl enable docker
sudo systemctl start docker
sudo usermod -aG docker $USER

and run

docker run -ti --rm \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -w /etc/letsencrypt \
    hsmade/certbot-transip \
    certonly -n \
    -d '*.site.com' -d 'site.com' \
    -a dns-transip \
    --dns-transip-credentials /etc/letsencrypt/transip.ini \
    --dns-transip-propagation-seconds 240 \
    -m admin@site.com \
    --agree-tos \
    --eff-email

I did have to run the command twice for some reason: the first run gave an error about the registration of the email address.

The .ini file /etc/letsencrypt/transip.ini has:

dns_transip_username = id  # Your TransIP login username
dns_transip_key_file = /etc/letsencrypt/transip_private_key.pem  # Path to the private key file

And you have to chmod +x that file and chmod 600 it as well. It is, or should be, owned by root.

For a renewal shell script we now have

#!/bin/bash
set -euo pipefail

# Log file for certbot output; defaults to the same file the cronjob appends to
LOG_FILE="${LOG_FILE:-/var/log/letsencrypt/renew.log}"

# Run the Docker command to renew certificates.
# No -ti here: cron has no TTY, so "docker run -t" would fail with
# "the input device is not a TTY" and the renewal would never run.
docker run --rm \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -w /etc/letsencrypt \
    hsmade/certbot-transip \
    certonly -n \
    -d '*.domain.com' -d 'domain.com' \
    -a dns-transip \
    --dns-transip-credentials /etc/letsencrypt/transip.ini \
    --dns-transip-propagation-seconds 240 \
    -m admin@domain.com \
    --agree-tos \
    --eff-email >> "$LOG_FILE" 2>&1

I added these cronjobs:

0 4 * * * /usr/local/bin/certbot-renew-transip.sh >> /var/log/letsencrypt/renew.log 2>&1

via user ploi and

# sudo is required: user ploi may only reload nginx through the NOPASSWD sudoers rule below
0 5 * * * sudo /bin/systemctl reload nginx

also run via user ploi. And then, last but not least, I updated visudo using `sudo visudo` and added

ploi ALL = NOPASSWD: /bin/systemctl reload nginx
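As an added example (not code from the post or from the certbot-transip project), a renewal wrapper in the same spirit that only starts the container when the certificate is within 30 days of expiry and only reloads nginx when the certificate file actually changed, so the sudo rule is exercised just when needed. The domain, the paths, the 30-day window and the `renew` argument guard are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): renew only when needed and reload nginx
# only when the certificate really changed. DOMAIN, paths and the window are assumed.
set -eu
DOMAIN="${DOMAIN:-domain.com}"
CERT="/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"
LOG_FILE="${LOG_FILE:-/var/log/letsencrypt/renew.log}"
RENEW_WINDOW=$((30 * 24 * 3600))   # renew when fewer than 30 days remain

# needs_renewal CERT SECONDS: exit 0 when CERT is missing or expires within
# SECONDS (openssl -checkend exits non-zero in exactly that case).
needs_renewal() {
    [ -f "$1" ] || return 0
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}
# cert_fingerprint CERT: SHA-256 fingerprint, used to detect a new certificate.
cert_fingerprint() {
    [ -f "$1" ] || { echo none; return 0; }
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
run_certbot() {
    # no -t: cron has no TTY and docker would refuse to start with one
    docker run --rm \
        -v "/etc/letsencrypt:/etc/letsencrypt" -w /etc/letsencrypt \
        hsmade/certbot-transip certonly -n \
        -d "*.${DOMAIN}" -d "${DOMAIN}" -a dns-transip \
        --dns-transip-credentials /etc/letsencrypt/transip.ini \
        --dns-transip-propagation-seconds 240 \
        -m "admin@${DOMAIN}" --agree-tos --eff-email
}
renew() {
    if ! needs_renewal "$CERT" "$RENEW_WINDOW"; then
        echo "$(date -u +%FT%TZ) ${DOMAIN}: more than 30 days left, skipping"
        return 0
    fi
    before=$(cert_fingerprint "$CERT")
    run_certbot
    after=$(cert_fingerprint "$CERT")
    if [ "$before" != "$after" ]; then
        echo "$(date -u +%FT%TZ) ${DOMAIN}: new cert ${after}, reloading nginx"
        sudo /bin/systemctl reload nginx   # covered by the NOPASSWD sudoers rule
    fi
}
# Cron entry (user ploi): 0 4 * * * /usr/local/bin/certbot-renew-transip.sh renew
case "${1:-}" in renew) renew >>"$LOG_FILE" 2>&1 ;; esac
```

Because nginx is reloaded from the same script right after a successful renewal, the separate 05:00 reload cronjob is no longer needed.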