FreeBSD certbot wildcard automatic renewals with bind

As many have experienced, wildcard automatic renewals are not working. Where we used to have “certbot renew” to just take care of everything, that no longer works.

My goal then is to have it work again without touching our current cronjobs so let’s get started.

lets encrypt wildcard instructions

pkg install py37-certbot-dns-rfc2136
tsig-keygen -a HMAC-SHA512 acme-update

add contents to named.conf from above command

EXAMPLE: named.conf

key “acme-update” {
algorithm hmac-sha512;
secret “my long ass secret with double quotes”;

zone “” {
type master;
file “master/”;
update-policy {
grant “acme-update” name TXT;

pico /usr/local/etc/letsencrypt/rfc2136.ini (add the following for certbot)

dns_rfc2136_server = (PUT YOUR IP ADDRESS)
dns_rfc2136_name = acme-update
dns_rfc2136_secret = mylongasssecret
dns_rfc2136_algorithm = HMAC-SHA512

chmod 600 /usr/local/etc/letsencrypt/rfc2136.ini

certbot certonly –dns-rfc2136 –dns-rfc2136-credentials /usr/local/etc/letsencrypt/rfc2136.ini –server –email –agree-tos –no-eff-email –domain ‘’ –domain ‘*’

Congratulations, for now on your normal “certbot renew” command in your cronjob will work like it did before.