A Let’s Encrypt wildcard certificate requires DNS verification (the DNS-01 challenge). Ploi does not offer TransIP as a DNS provider for generating Let’s Encrypt wildcard certificates. Installing the TransIP Certbot plugin is possible with pip install certbot-dns-transip, but it does not work together with a snap-installed Certbot, and the latter is what Ploi sets up. So in the end I had to install Docker with
sudo apt install docker.io
sudo systemctl enable docker
sudo systemctl start docker
sudo usermod -aG docker $USER
Membership of the docker group is effectively root access on the host (anyone in it can start a container with the host filesystem mounted), so only the user that will run the renewal job should be added. Then run
docker run -ti --rm \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-w /etc/letsencrypt \
hsmade/certbot-transip \
certonly -n \
-d '*.site.com' -d 'site.com' \
-a dns-transip \
--dns-transip-credentials /etc/letsencrypt/transip.ini \
--dns-transip-propagation-seconds 240 \
-m admin@site.com \
--agree-tos \
--eff-email
I did have to run the command twice for some reason, as the first round gave an error about the registration of the email address.
The .ini file /etc/letsencrypt/transip.ini has:
dns_transip_username = id # Your TransIP login username
dns_transip_key_file = /etc/letsencrypt/transip_private_key.pem # Path to the private key file
Both the .ini file and the private key file it points to must be readable by root only: chown root:root and chmod 600 them. Do not add the execute bit; a credentials file is never executed, and Certbot warns when the credentials file is readable by other users.
For a renewal shell script (saved as /usr/local/bin/certbot-renew-transip.sh) we now have
#!/bin/bash
# Run the Docker command to renew certificates.
# LOG_FILE has to be set; with it unset, ">> $LOG_FILE" is an ambiguous redirect and the script aborts.
LOG_FILE=/var/log/letsencrypt/renew.log
# No -ti here: under cron there is no terminal and "docker run -t" fails with "the input device is not a TTY".
docker run --rm \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-w /etc/letsencrypt \
hsmade/certbot-transip \
certonly -n \
-d '*.domain.com' -d 'domain.com' \
-a dns-transip \
--dns-transip-credentials /etc/letsencrypt/transip.ini \
--dns-transip-propagation-seconds 240 \
-m admin@domain.com \
--agree-tos \
--eff-email >> "$LOG_FILE" 2>&1
Running this daily is fine: when the existing certificate is not yet due for renewal, Certbot keeps it and reports that no action was taken.
And with sudo visudo I added to sudoers, so that the ploi user can reload nginx without a password:
ploi ALL = NOPASSWD: /bin/systemctl reload nginx
I added these cron jobs in the crontab of user ploi:
0 4 * * * /usr/local/bin/certbot-renew-transip.sh >> /var/log/letsencrypt/renew.log 2>&1
0 5 * * * sudo /bin/systemctl reload nginx
The reload has to go through sudo, because ploi is not root and the request fails without root privileges; that is exactly the command the sudoers entry above permits. The hour between the two jobs gives the 04:00 renewal time to finish before nginx is told to pick up the new certificate.
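As an added example (this is not the script from the post), here is a cron-safe version of the renewal wrapper that ties the pieces above together: it refuses to run if the credentials or key file are not mode 600, runs the container without a TTY, and reloads nginx through the sudoers entry only when fullchain.pem actually changed, instead of reloading blindly an hour later. The domain, e-mail address and lineage path are placeholders; the lineage directory is assumed to follow Certbot's default naming (first -d argument with the leading `*.` removed), and GNU coreutils (`stat -c`, `sha256sum`) are assumed to be present.

```shell
#!/bin/bash
# Added example, not the original post's script: a cron-safe renewal wrapper that
# checks credential file permissions, runs certbot without a TTY and reloads nginx
# only when the certificate on disk actually changed.
# Assumptions (adjust to your host): the placeholder domain and e-mail, the lineage
# directory name (Certbot names it after the first -d argument with the leading "*."
# dropped; check with ls /etc/letsencrypt/live), GNU coreutils (stat -c, sha256sum)
# and the NOPASSWD sudoers entry for "/bin/systemctl reload nginx".
set -eu

DOMAIN="site.com"                                   # assumed placeholder domain
EMAIL="admin@site.com"                              # assumed placeholder contact
CREDENTIALS="/etc/letsencrypt/transip.ini"
KEY_FILE="/etc/letsencrypt/transip_private_key.pem"
CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"  # assumed lineage path
IMAGE="hsmade/certbot-transip"

log() { printf '%s %s\n' "$(date '+%F %T')" "$*"; }

# perms_ok FILE: succeed only when FILE exists and is mode 600 or 400, i.e. readable
# by its owner alone. Certbot merely warns about looser modes; this refuses to run.
perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# cert_fingerprint FILE: SHA-256 of the PEM file, or an empty string when the file
# is missing (first run, or a wrong lineage path).
cert_fingerprint() {
    sha256sum "$1" 2>/dev/null | cut -d' ' -f1
}

# cert_changed BEFORE AFTER: succeed when a certificate exists now and differs from
# the one recorded before the run.
cert_changed() {
    [ -n "$2" ] && [ "$1" != "$2" ] && return 0
    return 1
}

main() {
    for f in "$CREDENTIALS" "$KEY_FILE"; do
        perms_ok "$f" || { log "refusing to run: $f must exist and be chmod 600"; return 1; }
    done

    before=$(cert_fingerprint "$CERT")

    # No -t (and no -i): cron provides no TTY and "docker run -t" fails there with
    # "the input device is not a TTY". certbot is fully non-interactive with -n.
    docker run --rm \
        -v /etc/letsencrypt:/etc/letsencrypt \
        -w /etc/letsencrypt \
        "$IMAGE" \
        certonly -n \
        -d "*.$DOMAIN" -d "$DOMAIN" \
        -a dns-transip \
        --dns-transip-credentials "$CREDENTIALS" \
        --dns-transip-propagation-seconds 240 \
        -m "$EMAIL" \
        --agree-tos \
        --eff-email || { log "certbot run failed"; return 1; }

    after=$(cert_fingerprint "$CERT")
    if cert_changed "$before" "$after"; then
        log "certificate changed ($before -> $after); reloading nginx"
        sudo /bin/systemctl reload nginx      # exactly the command allowed in sudoers
    else
        log "certificate unchanged; nginx not reloaded"
    fi
}

# Only run when invoked as "certbot-renew-transip.sh --run", so the functions can be
# sourced or tested without touching Docker.
case "${1:-}" in
    --run) main ;;
esac
```

Install it as /usr/local/bin/certbot-renew-transip.sh (root-owned, mode 755) and point the 04:00 cron job at it with the --run argument; the separate 05:00 reload job is then no longer needed. Because the ploi user is in the docker group, this cron job has effectively root access to the host, so the script and the files it reads must not be writable by other users.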