I had some problems getting the Gandi certbot plugin to work in Debian bullseye since the documentation appears to be outdated.
When running certbot renew --dry-run, I saw the following error message:
Plugin legacy name certbot-plugin-gandi:dns may be removed in a future version. Please use dns instead.
Thanks to an issue in another DNS plugin, I was able to easily update my configuration to the new naming convention.
Setup
The plugin we use here relies on Gandi's LiveDNS API and so you'll have to first migrate your domain to LiveDNS if you aren't already using it for your domain.
Start by getting a Developer Access API key from Gandi and then put it in /etc/letsencrypt/gandi.ini:
# live dns v5 api key
dns_gandi_api_key=ABCDEF
before making it only readable by root:
chown root:root /etc/letsencrypt/gandi.ini
chmod 600 /etc/letsencrypt/gandi.ini
Then install the required package:
apt install python3-certbot-dns-gandi
Getting an initial certificate
To get an initial certificate using the Gandi plugin, simply use the following command:
certbot certonly --authenticator dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi.ini -d example.fmarier.org
Setting up automatic renewal
If you have automatic renewals enabled, you'll want to ensure your /etc/letsencrypt/renewal/example.fmarier.org.conf file looks like this:
# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/example.fmarier.org
cert = /etc/letsencrypt/live/example.fmarier.org/cert.pem
privkey = /etc/letsencrypt/live/example.fmarier.org/privkey.pem
chain = /etc/letsencrypt/live/example.fmarier.org/chain.pem
fullchain = /etc/letsencrypt/live/example.fmarier.org/fullchain.pem
[renewalparams]
account = abcdef
authenticator = dns-gandi
server = https://acme-v02.api.letsencrypt.org/directory
dns_gandi_credentials = /etc/letsencrypt/gandi.ini
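As an added check (not from the original post, nor part of certbot or the Gandi plugin), the following POSIX sh helpers verify that the credentials file has the ownership, mode and option name described above, and that a renewal config names the dns-gandi authenticator rather than the legacy plugin name from the warning. The function names are hypothetical; the optional owner argument exists only so the checks can be run against non-root test files, and a Linux find(1) with -user and -perm is assumed.

```shell
#!/bin/sh
# Added example: checks the two files set up above. Helper names are hypothetical,
# not part of certbot or the Gandi plugin. Assumes a Linux find(1) with -user/-perm.

# check_credentials FILE [OWNER]
# Succeeds only if FILE is owned by OWNER (default root), has mode exactly 0600
# and carries a non-empty value for the current option name, dns_gandi_api_key.
check_credentials() {
    f=$1
    owner=${2:-root}
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    # find prints the path only when both the owner and the exact mode match
    [ -n "$(find "$f" -user "$owner" -perm 0600)" ] ||
        { echo "$f: must be owned by $owner with mode 0600" >&2; return 1; }
    key=$(sed -n 's/^[[:space:]]*dns_gandi_api_key[[:space:]]*=[[:space:]]*//p' "$f" |
        head -n 1)
    [ -n "$key" ] || { echo "$f: no dns_gandi_api_key value set" >&2; return 1; }
}

# check_renewal_conf FILE
# Succeeds if FILE selects the dns-gandi authenticator under its current name and
# points at a credentials file; prints that credentials path on success.
check_renewal_conf() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    # the legacy plugin name from the deprecation warning must be gone
    if grep -q 'certbot-plugin-gandi:dns' "$f"; then
        echo "$f: still uses the legacy plugin name, use dns-gandi" >&2
        return 1
    fi
    auth=$(sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$f" |
        head -n 1)
    [ "$auth" = "dns-gandi" ] ||
        { echo "$f: authenticator is '$auth', expected dns-gandi" >&2; return 1; }
    creds=$(sed -n 's/^[[:space:]]*dns_gandi_credentials[[:space:]]*=[[:space:]]*//p' "$f" |
        head -n 1)
    [ -n "$creds" ] || { echo "$f: dns_gandi_credentials not set" >&2; return 1; }
    printf '%s\n' "$creds"
}

# check_gandi_setup RENEWAL_CONF [OWNER]
# Follows the renewal config to its credentials file and checks both.
check_gandi_setup() {
    creds=$(check_renewal_conf "$1") || return 1
    check_credentials "$creds" "${2:-root}"
}
```

Run it as check_gandi_setup /etc/letsencrypt/renewal/example.fmarier.org.conf before a dry-run renewal; a non-zero exit with a message on stderr points at the file that still needs fixing.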
Hello, thank you for this post, which was very useful to me. I prefer this method which doesn't use pip to install the DNS challenge Gandi plugin, just apt. I also learned in the certbot documentation that you could combine a specific challenge with a specific automatic installation. For example, if we have an Nginx server configured for http:
allows you to obtain a certificate and automatically configure the server in https.