Wildcard certificate of servizi.linux.it (Sandstorm): automate Let's Encrypt DNS renewal
Sandstorm (https://servizi.linux.it) requires a **special** wildcard certificate on `*.servizi.linux.it`, and for that Let's Encrypt requires an extra DNS verification step: before every renewal we **also** need to deploy a new `TXT` record in the DNS zone.
## How-to Manually Renew
Run this script:
```
ssh root@servizi.linux.it /root/scripts/certbot-update-servizilinux.sh
```
This is an alias for:
```
ssh root@servizi.linux.it
certbot certonly --manual -d servizi.linux.it -d '*.servizi.linux.it' --manual-auth-hook /root/scripts/certbot-update-servizilinux-manual-hook.sh --manual-public-ip-logging-ok
```
The script is non-interactive and runs the Let's Encrypt ACME challenges (HTTP + DNS).
## How-to Automate
- [X] evaluate "modern" Free Software DNS servers with nice APIs compatible with servizi.linux.it - answer: just BIND9 is compatible. lol
- [X] write a stupid script that takes a token and puts that in BIND9 (done - see https://gitpull.it/T96 )
- [X] 2026: write a stupid script in `servizi.linux.it` that runs that other stupid script for BIND9 - done: `/root/scripts/certbot-update-servizilinux.sh`
- [ ] in the server `servizi.linux.it` - call `/root/scripts/certbot-update-servizilinux.sh` before every expiration (certbot config? crontab?)
- [ ] install BIND9 in server `servizi.linux.it` - https://gitlab.com/ItalianLinuxSociety/ils-infrastructure/-/work_items/57
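
An added example (not the script from T96 or the one on this server) of what a `--manual-auth-hook` for BIND9 can look like, assuming the zone accepts TSIG-signed dynamic updates through `nsupdate`. `ZONE`, `DNS_SERVER`, `KEYFILE` and `build_update` are hypothetical names; the hook validates certbot's `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` before anything reaches the DNS server.

```shell
#!/bin/sh
# Added example: certbot --manual-auth-hook publishing a DNS-01 TXT via nsupdate.
# ZONE, DNS_SERVER and KEYFILE are assumptions, not values from the real server.
export LC_ALL=C                               # keep [A-Z] ranges ASCII-only
ZONE="${ZONE:-servizi.linux.it}"
DNS_SERVER="${DNS_SERVER:-127.0.0.1}"
KEYFILE="${KEYFILE:-/etc/bind/certbot.key}"   # hypothetical TSIG key path
TTL=60

# Print the nsupdate batch for one challenge; return 1 on malformed input.
build_update() {
    domain=${1#\*.}    # tolerate a leading "*." on the wildcard name
    token=$2
    # A DNS-01 value is base64url(SHA-256): 43 chars of [A-Za-z0-9_-].
    # Rejecting anything else keeps quotes/newlines out of the nsupdate batch.
    case $token in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#token}" -eq 43 ] || return 1
    # Only hostnames inside our own zone may be updated.
    case $domain in
        *[!A-Za-z0-9.-]*) return 1 ;;
        "$ZONE"|*."$ZONE") ;;
        *) return 1 ;;
    esac
    # Add only: apex and wildcard are validated at the same _acme-challenge
    # name, so both TXT values must coexist (--manual-cleanup-hook removes them).
    printf 'server %s\nzone %s\n' "$DNS_SERVER" "$ZONE"
    printf 'update add _acme-challenge.%s. %s IN TXT "%s"\nsend\n' \
        "$domain" "$TTL" "$token"
}

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION when it calls the hook.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    batch=$(build_update "${CERTBOT_DOMAIN:-}" "$CERTBOT_VALIDATION") || exit 1
    printf '%s\n' "$batch" | nsupdate -k "$KEYFILE"
fi
```

The TSIG key used here should be scoped in BIND9's `update-policy` to the `_acme-challenge` TXT name only, so a leaked key cannot rewrite the rest of the zone.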
### Hours invested
LOL at some point there is a point of no return.
- Valerio: 5 minutes every 90 days
- 2020: ~1 hour
- 2021: ~40 minutes
- 2022: ~20 minutes
- 2024: ~20 minutes
- 2025: ~10 minutes
- 2025 August: ~3 minutes
- 2026 February: ~2 minutes
- 2026 March: ~4 hours to automate, ~5 seconds to run the script