I had some problems getting the Gandi certbot plugin to work in Debian bullseye since the documentation appears to be outdated.
When running certbot renew --dry-run, I saw the following error message:
Plugin legacy name certbot-plugin-gandi:dns may be removed in a future version. Please use dns instead.
Thanks to an issue in another DNS plugin, I was able to easily update my configuration to the new naming convention.
Setup
Get an API key from Gandi and then put it in /etc/letsencrypt/gandi.ini:
# live dns v5 api key
dns_api_key=ABCDEF
before making it readable only by root:
chown root:root /etc/letsencrypt/gandi.ini
chmod 600 /etc/letsencrypt/gandi.ini
Then install the required package:
apt install python3-certbot-dns-gandi
Getting an initial certificate
To get an initial certificate using the Gandi plugin, simply use the following command:
certbot certonly -a dns --dns-credentials /etc/letsencrypt/gandi.ini -d example.fmarier.org
Setting up automatic renewal
If you have automatic renewals enabled, you'll want to ensure your /etc/letsencrypt/renewal/example.fmarier.org.conf file looks like this:
# renew_before_expiry = 30 days
version = 1.12.0
archive_dir = /etc/letsencrypt/archive/example.fmarier.org
cert = /etc/letsencrypt/live/example.fmarier.org/cert.pem
privkey = /etc/letsencrypt/live/example.fmarier.org/privkey.pem
chain = /etc/letsencrypt/live/example.fmarier.org/chain.pem
fullchain = /etc/letsencrypt/live/example.fmarier.org/fullchain.pem
[renewalparams]
account = abcdef
authenticator = dns
server = https://acme-v02.api.letsencrypt.org/directory
dns_credentials = /etc/letsencrypt/gandi.ini
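A pre-flight check for the setup above, as an added example that is not from the original post or the plugin project: it reads a renewal file, flags an authenticator other than dns (including the legacy name from the warning), and confirms the credentials file grants no group or other access and is owned by root. The function names and the EXPECTED_UID override are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# EXPECTED_UID override are assumptions made for this illustration.
LEGACY_NAME='certbot-plugin-gandi:dns'   # legacy name quoted in the warning

# Print the value of key $2 from the [renewalparams] section of file $1.
renewal_param() {
    awk -v key="$2" '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        !in_params || /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Return 0 if renewal file $1 uses the new plugin name and points at a
# credentials file with no group/other access, owned by uid 0
# (or by EXPECTED_UID when that variable is set).
audit_renewal_conf() {
    conf=$1; problems=0
    auth=$(renewal_param "$conf" authenticator)
    creds=$(renewal_param "$conf" dns_credentials)

    if [ "$auth" = "$LEGACY_NAME" ]; then
        echo "$conf: authenticator still uses legacy name '$auth'; use 'dns'"
        problems=$((problems + 1))
    elif [ "$auth" != "dns" ]; then
        echo "$conf: authenticator is '${auth:-unset}', expected 'dns'"
        problems=$((problems + 1))
    fi

    if [ -z "$creds" ] || [ ! -f "$creds" ]; then
        echo "$conf: dns_credentials '${creds:-unset}' is not a regular file"
        problems=$((problems + 1))
    else
        # ls -ldn prints e.g. "-rw------- 1 0 0 ..."; field 3 is the numeric uid.
        set -- $(ls -ldn "$creds")
        if [ "$(printf '%s' "$1" | cut -c5-10)" != "------" ] ||
           [ "$3" != "${EXPECTED_UID:-0}" ]; then
            echo "$creds: mode $1, uid $3; expected no group/other access, uid ${EXPECTED_UID:-0}"
            problems=$((problems + 1))
        fi
    fi
    [ "$problems" -eq 0 ]
}
```

Call audit_renewal_conf as root on each file under /etc/letsencrypt/renewal/ before running certbot renew --dry-run.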
Hello, Thank you for this post which was very useful to me. I prefer this method which doesn't use pip to install dns challenge gandi plugin, just apt. I also learned in the certbot documentation that you could combine a specific challenge with a specific automatic installation. For example if we have an Nginx server configured in http:
allows you to obtain a certificate and automatically configure the server in https.