Renew Let’s Encrypt Certificate with DNS Challenge and Namecheap

Ong Khai Wei
Sep 26, 2021

Time passes pretty quickly. The certificates generated in the previous post are going to expire in one week's time. In the previous post I used a different domain name, but the steps to renew are the same.

The certificate is going to expire in less than a week.

It is therefore important to renew the certificate and key, and to replace the old certificate and key before they expire. Let us use the certbot utility to renew.

Step 1: Run the renew command in interactive mode

If the original certificate was generated on the same machine, you can proceed with the certbot renew command. In this case, I would like to demonstrate renewing from any machine that has certbot installed, and I am going to do it interactively.

sudo certbot certonly --manual

certbot will prompt you for the domain name. Enter your domain name and it will check which type of challenge you used previously; in my case it is the DNS challenge (dns-01).

certbot will prompt for domain name

As usual, certbot will ask for your permission to log your IP address as part of its security procedure. Enter yes to proceed.

certbot will prompt to log IP address

certbot will then generate the verification token used to confirm that you control the domain name. This is where we update the _acme-challenge TXT record in DNS with the new token. Hold here and do not continue in certbot until the DNS record has been updated.

New token will be generated to update _acme-challenge record in DNS

Step 2: Update DNS TXT record for _acme-challenge

This step is relatively easy, as we did something similar in the previous post. In the Namecheap console, go to DOMAIN, then Advanced DNS.

Navigate to Advanced DNS

Add or modify the _acme-challenge TXT record with the token generated in the previous step, then click the tick icon to save the DNS entry.

Add or modify _acme-challenge with generated token

Step 3: Verify DNS TXT record is updated

In the previous post we used nslookup -type=TXT to verify the DNS entry. I have since discovered that the dig command achieves the same.

dig -t txt _acme-challenge.DOMAIN

Verify the _acme-challenge with newly updated token

Step 4: Complete the renewal

Back to certbot utility, press Enter to allow certbot to continue with the verification process.

Now 2 certificates have been generated, and you can copy them from the letsencrypt directory.

Step 5: Update the certificate in your application (optional)

I updated the Red Hat OpenShift Container Platform (OCP) Route with the new certificate, and now I can see the expiry date is updated to 90 days later.

Certificate is renewed with new expiry date.
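
The Step 3 check can be scripted so that Enter is pressed in Step 4 only after every authoritative nameserver of the zone returns the new token, since a local resolver may still serve a cached older value. This is an added example, not part of the original post; the function names, the 30-second poll interval and the example.com zone are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): gate Step 4 on DNS really
# serving the new _acme-challenge token. Function names are hypothetical.

# Reads `dig +short -t txt` output on stdin. Succeeds only if one TXT value
# equals the expected token exactly (dig wraps each value in double quotes).
txt_has_token() {
    expected=$1
    while IFS= read -r line || [ -n "$line" ]; do
        value=${line#\"}     # strip leading quote
        value=${value%\"}    # strip trailing quote
        [ "$value" = "$expected" ] && return 0
    done
    return 1
}

# Asks each authoritative nameserver of the zone directly, bypassing caches.
# $1 must be the zone that owns the NS records (e.g. example.com).
# Returns 0 if all servers have the token, 1 if any lacks it, 2 if no NS found.
all_ns_have_token() {
    zone=$1 token=$2
    servers=$(dig +short NS "$zone")
    [ -n "$servers" ] || return 2
    for ns in $servers; do
        dig +short -t txt "_acme-challenge.$zone" "@$ns" |
            txt_has_token "$token" || {
                echo "token not yet served by $ns" >&2
                return 1
            }
    done
}

# Polls every 30 seconds until all nameservers agree or the tries run out.
wait_for_token() {
    zone=$1 token=$2 tries=${3:-20}
    until all_ns_have_token "$zone" "$token"; do
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] || return 1
        sleep 30
    done
}

# Usage (placeholder token; paste the value certbot printed in Step 1):
#   wait_for_token example.com 'TOKEN_FROM_CERTBOT' && echo "safe to press Enter"
```

An exact string match is used deliberately, so a record that still holds the previous renewal's token, or a token pasted with extra characters, is reported as not ready.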