After struggling to renew my certs for the third time in a row, hopefully these pointers should keep me on track for the next time.

  1. Namecheap does not yet support automatic wildcard renewal for the Letsencrypt/Certbot combo. Check next year.
  2. Have your Namecheap control panel open and ready.
  3. Command to renew: certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 -d '*.domain.com' -d domain.com (quote the wildcard so the shell does not glob-expand it)
  4. You normally run this as root.
  5. certbot will then print a couple of lines that you need to add as TXT records in the Namecheap DNS control panel.
  6. When you do that, make sure you set the TTL of the record to a minute, so that you can redo things quicker if you mess up.
  7. When you check to see if the TXT record is set, search for the whole record name, e.g. _acme-challenge.domain.blah instead of just domain.blah
  8. If you’ve done all of the above, hopefully things should go smoothly and the certificate should renew.
  9. Restart Nginx and you’re done.
  10. If you have multiple machines, figure out a way to securely transfer the certs there too.
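Before telling certbot to continue (step 7), it helps to confirm that the TXT values are actually resolvable at the full _acme-challenge name. The script below is an added example, not part of the original post; it assumes dig is installed, and the domain names and tokens are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): check that the _acme-challenge TXT
# records certbot asked for are visible in public DNS before pressing Enter.
# Assumes `dig` is installed; domain names and tokens below are placeholders.

# Both "*.domain.com" and "domain.com" are validated at the same name,
# _acme-challenge.domain.com, so certbot wants two TXT values at that one name.
acme_name() {
  printf '_acme-challenge.%s\n' "${1#"*."}"
}

# Succeed when one line of `dig +short TXT` output is exactly "<token>"
# (dig prints each TXT value wrapped in double quotes).
txt_has_token() {
  printf '%s\n' "$1" | grep -Fxq "\"$2\""
}

# Poll a public resolver until every expected token is present, or give up.
# Usage: wait_for_tokens "$(acme_name '*.domain.com')" TOKEN1 TOKEN2
wait_for_tokens() {
  name="$1"; shift
  attempt=1
  while [ "$attempt" -le 30 ]; do
    out="$(dig +short TXT "$name" @1.1.1.1 2>/dev/null)"
    missing=0
    for tok in "$@"; do
      txt_has_token "$out" "$tok" || missing=1
    done
    if [ "$missing" -eq 0 ]; then
      echo "all TXT values for $name are live (attempt $attempt)"
      return 0
    fi
    attempt=$((attempt + 1))
    sleep 10
  done
  echo "TXT values for $name still missing after 30 attempts" >&2
  return 1
}

# Constructed sample of what `dig +short TXT` prints once both records exist.
SAMPLE_DIG_OUTPUT="$(printf '"%s"\n' tokenONE tokenTWO)"
```

With a one-minute TTL (step 6) a stale first answer ages out quickly, so the poll usually succeeds within a few attempts.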
    P.S. Subscribe to my mailing list!
    Forward these posts and letters to your friends and get them to subscribe!
    P.P.S. Feed my insatiable reading habit.