Automate Wildcard LetsEncrypt Certificate Requests on Hetzner Cloud

Lets create a script for automated LetsEncrypt wildcard certificate retrievement.

The workflow and scripts on this page currently works only for Hetzner domains or domains which nameservers are hosted on Hetzner.

Install Certbot and prepare config

Certbot installation

ahmet@server1:~$ apt install certbot

Clone repository

ahmet@server1:~$ git clone https://github.com/ahoz/hetzner_dns_letsencrypt_auto_wildcard.git
ahmet@server1:~$ cd hetzner_dns_letsencrypt_auto_wildcard/
ahmet@server1:~/hetzner_dns_letsencrypt_auto_wildcard/$ chmod +x hetznerdnshook.py

Move config.ini.example to config.ini and set Hetzner DNS token. You can find the token on the DNS page of Hetzner cloud, then Manage API Tokens.

Enter a token name and click on create access token.

The token will only be shown once. Copy it to your clipboard and set it in your config.ini.

Request certificate

First request

The first request requires a mail address and an approval of LetsEncrypt conditions and data protection declarations.

ahmet@server1:~/hetzner_dns_letsencrypt_auto_wildcard/$ sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook ./hetznerdnshook.py -d domain.de -d *.domain.de

Future requests

The mail address and approval is not needed for future requests.

ahmet@server1:~/hetzner_dns_letsencrypt_auto_wildcard/$ sudo certbot certonly  --manual --preferred-challenges dns --manual-auth-hook ./hetznerdnshook.py -d domain.de -d *.domain.de --agree-tos  --manual-public-ip-logging-ok

Do not forget to replace domain.de and *.domain.de with your domains.

Old ACME token removals

You can remove old ACME tokens with this script:

ahmet@server1:~/hetzner_dns_letsencrypt_auto_wildcard/$ python3 hetznerdnshook.py --delete donmain.de