Let's Encrypt Wildcard Certs and deSEC

I use deSEC for DNS hosting (which I found via JP Mens), and it's possible to use it for generating wildcard TLS certs via Let's Encrypt.

This is being done on FreeBSD 14.2-RELEASE-p3.

First I had to install certbot, pip and the appropriate Python module:

pkg install -y py311-certbot py311-pip
pip install certbot-dns-desec

pip will warn against installing system-wide packages and I would generally agree, but this time I will go against the warning. At some point I will look into making my own custom port for the deSEC module, but today is not that day.

The next step is to log in to deSEC and create a new token. No extra permissions are required. Create a place for storing the token:

mkdir /usr/local/etc/letsencrypt/secrets
chmod 600 /usr/local/etc/letsencrypt/secrets

Save the token in /usr/local/etc/letsencrypt/secrets/domain.tld.ini:

dns_desec_token = <token>

And fix permissions:

chmod 600 /usr/local/etc/letsencrypt/secrets/domain.tld.ini

Now try and request a certificate:

certbot certonly --authenticator dns-desec --dns-desec-credentials /usr/local/etc/letsencrypt/secrets/domain.tld.ini -d "domain.tld" -d "*.domain.tld"

If you check the deSEC interface at the same time, you'll see that new _acme-challenge TXT records have been published.

The first time I did this I got an error about the new records not existing, but after re-trying the command again the certificate was created. I don't have an explanation for this, but it felt like the Let's Encrypt servers couldn't find the records the first time around.
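A small pre-flight script that checks the credentials file and looks up the published _acme-challenge record before (re)running certbot. This is an added example, not part of the original post; it assumes the file layout shown above and that drill (FreeBSD base) or dig is available for the DNS lookup.

```shell
#!/bin/sh
# Pre-flight checks for the certbot + certbot-dns-desec setup described above.
# Added example, not from the original post. Assumes the credentials file format
# "dns_desec_token = <token>" and that drill or dig exists for the DNS check.

# check_credentials FILE
# Returns 0 when FILE exists, has no group/other permission bits (mode ?00),
# and carries a non-empty dns_desec_token that is not the literal placeholder.
# Non-zero return codes identify which check failed.
check_credentials() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # Portable permission check: columns 5-10 of `ls -ld` are the group/other bits.
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "group/other bits set on $f (fix: chmod 600)" >&2; return 2; }
    # Extract the token value, ignoring surrounding whitespace.
    token=$(sed -n 's/^[[:space:]]*dns_desec_token[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" | head -n 1)
    [ -n "$token" ] || { echo "no dns_desec_token in $f" >&2; return 3; }
    [ "$token" != "<token>" ] || { echo "placeholder token still in $f" >&2; return 4; }
    return 0
}

# check_acme_txt DOMAIN
# Returns 0 when the local resolver can see a TXT record at _acme-challenge.DOMAIN,
# which is what Let's Encrypt must find during the DNS-01 challenge.
check_acme_txt() {
    name="_acme-challenge.$1"
    if command -v drill >/dev/null 2>&1; then
        drill "$name" TXT | grep -q "^$name\..*TXT"
    elif command -v dig >/dev/null 2>&1; then
        [ -n "$(dig +short "$name" TXT)" ]
    else
        echo "neither drill nor dig found" >&2; return 1
    fi
}

# Example usage (domain.tld is a placeholder):
#   check_credentials /usr/local/etc/letsencrypt/secrets/domain.tld.ini && echo "credentials ok"
#   check_acme_txt domain.tld && echo "challenge record visible"
```

Run check_acme_txt after certbot has published the records to confirm they are resolvable before retrying the request.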

Finally, to renew the certificate automatically, this can be added to /etc/periodic.conf:

weekly_certbot_enable="YES"
weekly_certbot_post_hook="service nginx restart"     # if you're running nginx
# or
weekly_certbot_post_hook="service apache24 restart"  # if you're running apache

See /usr/local/etc/periodic/weekly/500.certbot-3.11 for some more configuration options.