We install the standalone certbot-auto script instead of the Debian package, to avoid pulling in a lot of Python packages.

Install

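# Paste into a terminal (these lines are not a script). "sudo true" only
# caches the sudo credential so the later sudo calls do not prompt mid-paste.
sudo true

# /opt/certbot must be root-owned: the weekly cron job below executes
# /opt/certbot/certbot-auto as root, so a user-writable copy would let that
# user run arbitrary code as root.
sudo install -d -m 755 -o root -g root /opt/certbot

# Download into a scratch directory. The "|| cat >&2" guard is this page's
# paste-safety idiom: if the cd fails, cat swallows the remaining pasted lines
# (echoing them to stderr) instead of letting them run in the wrong place.
cd "$(mktemp -d)" || cat >&2
# -f: an HTTP error page must never end up saved as certbot-auto.
curl -fsSLO https://dl.eff.org/certbot-auto
curl -fsSLO https://dl.eff.org/certbot-auto.asc
# Verify the detached signature before anything runs the script as root.
# The EFF signing key must already be imported; take its fingerprint from the
# certbot documentation, not from this page (<EFF-KEY-FINGERPRINT placeholder>).
gpg --verify certbot-auto.asc certbot-auto || cat >&2
# Same as chmod a+x, but also fixes ownership to root.
sudo install -m 755 -o root -g root certbot-auto /opt/certbot/certbot-auto

# NOTE(review): certbot-auto has since been deprecated upstream; confirm that
# dl.eff.org still serves it before relying on this procedure.
sudo /opt/certbot/certbot-auto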

Automatic renewal

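# Paste into a terminal: everything up to the matching "exit" runs inside the
# root shell that "sudo -i" opens.
sudo -i

# Paste-safety guard: if the cd fails, cat swallows the rest of the pasted
# input (echoed to stderr) so nothing is written to the wrong directory.
cd /etc/cron.weekly || cat >&2
# The delimiter is unquoted on purpose: the header records who/when at creation
# time, and "\\" becomes a single "\" in the written file so the exec line
# continues onto the next line. "# last line" must stay last: hook options go
# above it, one per line, each ending in a backslash; the continuation then
# folds the marker into the exec line as a trailing comment.
# ${SUDO_USER:-$(id -un)}: still records a name if root logged in directly.
# NOTE(review): certbot-auto self-upgrades from the network on every run, and
# this job runs as root; add --no-self-upgrade on the exec line if certbot
# updates must go through your own change process instead.
cat > certbot <<EOF
#!/bin/sh
# ${SUDO_USER:-$(id -un)} $(date -uIs)
#
# Check Let's Encrypt certs and renew them eventually
#
exec /opt/certbot/certbot-auto renew --noninteractive \\
# last line
EOF

# Explicit mode so the result does not depend on root's umask; run-parts only
# runs files that are executable.
chmod 755 certbot

exit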

Notes:

  • Add update scripts before the line marked with # last line, one option per line and each ending in a backslash so the exec line continues, in the form:
       --renew-hook /etc/ldap/ssl/update-certs \
    

DNS Resolution

Apparently many IP addresses from the Hetzner pool are blocked by the Let's Encrypt nameservers. We work around this by resolving the intermediate nameservers manually and registering them with dnscachex.

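# Paste into a root shell. Each file written here is a dnscachex "servers"
# override: one nameserver IP per line, named after the zone it answers for.
# Paste-safety guard: if the cd fails, cat swallows the remaining pasted lines
# (echoed to stderr) instead of letting them write files elsewhere.
cd /etc/dnscachex/root/servers || cat >&2
# Bootstrap via the system resolver. Word-splitting is intended here: one
# argument per nameserver name, so dnsip resolves all of them.
# shellcheck disable=SC2046
dnsip $(host -t ns akamaiedge.net | cut -d " " -f 4) > akamaiedge.net

# Glue extraction from dnsq output: the IP is field 5 of "additional: ... A"
# lines. Every lookup below is a plain, unauthenticated DNS query; nothing
# validates the answers, and the pinned IPs go stale when these zones rotate
# their nameservers, so this procedure has to be repeated periodically.
first_glue_ip() {
  awk '/additional: .* A /{print $5; exit}'
}
all_glue_ips() {
  awk '/additional: .* A /{print $5}'
}

# Root servers -> first .org nameserver that has glue.
# The ":?" checks stop an empty variable from turning the next dnsq call into
# a query against no server at all (in a pasted session they only print the
# message and abort that one line).
ORG_NS=$(dnsq ns org a.root-servers.net | first_glue_ip)
: "${ORG_NS:?no glue A record found for org}"
# Where letsencrypt.org is delegated to
dnsq ns letsencrypt.org "$ORG_NS"

# Get akam.net nameservers
NET_NS=$(dnsq ns net a.root-servers.net | first_glue_ip)
: "${NET_NS:?no glue A record found for net}"
AKAM_NS=$(dnsq ns akam.net "$NET_NS" | first_glue_ip)
: "${AKAM_NS:?no glue A record found for akam.net}"
dnsq ns letsencrypt.org "$AKAM_NS" | all_glue_ips > letsencrypt.org

LE_NS=$(head -n 1 letsencrypt.org)
: "${LE_NS:?letsencrypt.org is empty}"
# Where the update API server is pointed to (api.letsencrypt.org-ng.edgekey.net)
dnsq a acme-v02.api.letsencrypt.org "$LE_NS"

dnsq ns edgekey.net "$NET_NS" | all_glue_ips > edgekey.net

EK_NS=$(head -n 1 edgekey.net)
: "${EK_NS:?edgekey.net is empty}"
# Where the pointer is pointed to (e14990.dscx.akamaiedge.net)
dnsq a api.letsencrypt.org-ng.edgekey.net "$EK_NS"

# Replaces the bootstrap file written above with glue from the .net servers.
dnsq ns akamaiedge.net "$NET_NS" | all_glue_ips > akamaiedge.net

AE_NS=$(head -n 1 akamaiedge.net)
: "${AE_NS:?akamaiedge.net is empty}"

# Hold on: this level only delegates further, to dscx.akamaiedge.net, so we
# have to go one step deeper.
# NOTE(review): the e14990.dscx.akamaiedge.net name is the CNAME target seen
# when this was written; re-read it from the dnsq output above rather than
# trusting the literal.
dnsq a e14990.dscx.akamaiedge.net "$AE_NS"

dnsq ns dscx.akamaiedge.net "$AE_NS" | all_glue_ips > dscx.akamaiedge.net
DAE_NS=$(head -n 1 dscx.akamaiedge.net)
: "${DAE_NS:?dscx.akamaiedge.net is empty}"

# We got him
dnsq a e14990.dscx.akamaiedge.net "$DAE_NS"

# With only these workarounds
ls

sv restart dnscachex dnscache

# Let's test
dnsqr a acme-v02.api.letsencrypt.org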