Setting up wildcard ssl certificates from Let’s Encrypt in Debian 8 Jessie using PowerDNS verification

This is a very rough guide on how it can be done on an old Debian release, like Jessie (debian 8). There might be something missing, or it might break some stuff for you.
Please read everything before starting, you might not wanna do some things or they might not be ok for a production server.

Why it doesn’t work by default:

  • The Debian package for certbot in Jessie does not support acme v2 or wildcard certificates
  • standard certificates can be validated using any available webserver, but wildcard certificates require DNS validation – certbot needs a plugin for this
  • certbot-auto can be installed instead BUT it does not support plugins (as of November 2018) so you can’t automate the verification part

Let’s fix everything!

Update certbot
You can install a newer certbot package using the stretch-backports repository. Even if you have Debian Jessie it shouldn’t be a problem, we’re only installing a few packages.
Open the file “/etc/apt/sources.list” and add “deb http://ftp.debian.org/debian stretch-backports main” at the end.
Run “apt-get update” to fetch the package list.
Run “apt-get install certbot -t stretch-backports”, it should install version 0.25, it’s not the latest, but it supports wildcard certificates!

Update PowerDNS
Debian Jessie comes with PowerDNS v3.4, we need to upgrade to at least v4, otherwise the plugin installed later on is not gonna work. The API is not fully supported until v4.
Here I’m using the Debian Stretch repository, I have the following new lines in /etc/apt/sources.list:

deb http://deb.debian.org/debian stretch main contrib non-free
deb http://ftp.debian.org/debian/ stretch-updates main contrib non-free
deb http://security.debian.org/ stretch/updates main contrib non-free

Make sure you run “apt-get update” when modifying the sources.list file.
Note: check what files you have under “/etc/powerdns/pdns.d” and what they are for.

Install the newer PowerDNS server using “apt-get install pdns-server pdns-backend-mysql -t stretch”. If you’re not using the powerdns mysql backend, you should replace that package with the one you are using.
I had some small problems after this update, the PowerDNS server would not start correctly, I had to check the “/etc/powerdns/pdns.d” directory and remove/move some extra files (use the note from before).

Install python3 package manager
certbot 0.25 uses Python3, you need to install the python3 package manager, but the version from Debian Stretch.
Run “apt-get install python3-pip -t stretch”

Install PowerDNS plugin for certbot
More info is available here: https://github.com/robin-thoni/certbot-pdns
Use the following command to install it: “pip3 install certbot-pdns”
Do not use pip2 as described in its documentation, that’s not gonna work for the certbot version we’re using.
Put the config file in the right directory using “cp /usr/local/etc/letsencrypt/certbot-pdns.json /etc/letsencrypt/certbot-pdns.json”

Configure PowerDNS plugin
Edit “/etc/powerdns/pdns.conf” and add the following lines:

api=yes
api-key=RANDOMKEY
webserver=yes
webserver-address=127.0.0.1
webserver-port=34022

(replace RANDOMKEY with a long string of random letters and numbers; anyone who knows this key can change every zone on the server through the API, and the webserver-address line keeps the API listening on localhost only)
Restart the PowerDNS server.

Edit “/etc/letsencrypt/certbot-pdns.json”, make sure api-key is your RANDOMKEY, base-url is “http://127.0.0.1:34022/api/v1”, and change axfr-time to 20 (just in case you have secondary DNS servers mirroring this one). This file now holds the API key, so keep it readable by root only (chmod 600).
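To show what the plugin actually does with this config file during the dns-01 challenge, here is an added example script (not the certbot-pdns plugin’s own code, and not part of the original post) that performs the same steps by hand against the PowerDNS v4 API: publish the _acme-challenge TXT record, notify secondaries, wait axfr-time seconds, and remove it again. It assumes the PowerDNS server id is “localhost”, a TTL of 60 for the challenge record, and that the JSON file must be mode 0600 because it holds the API key.

```python
"""Added example (not certbot-pdns's own code): the DNS-01 record changes the
plugin makes, done by hand against the PowerDNS v4 API, using the same
/etc/letsencrypt/certbot-pdns.json keys (api-key, base-url, axfr-time)."""
import json, os, stat, time
import urllib.request

def key_file_mode_ok(mode):
    # The api-key gives full control of every zone, so the file holding it
    # must not be readable by group or others: 0600 passes, 0644 does not.
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def load_config(path="/etc/letsencrypt/certbot-pdns.json"):
    if not key_file_mode_ok(os.stat(path).st_mode):
        raise PermissionError(f"{path}: run chmod 600 on it first")
    with open(path) as fh:
        return json.load(fh)

def zone_url(cfg, domain):
    # PowerDNS zone ids carry a trailing dot; "localhost" is the assumed server id.
    return f"{cfg['base-url']}/servers/localhost/zones/{domain}."

def challenge_rrset(domain, tokens, changetype="REPLACE"):
    # domain.com and *.domain.com are validated under the same
    # _acme-challenge name, so both tokens go into one TXT rrset.
    rrset = {"name": f"_acme-challenge.{domain}.", "type": "TXT",
             "ttl": 60, "changetype": changetype}
    if changetype == "REPLACE":  # DELETE needs no records
        rrset["records"] = [{"content": f'"{t}"', "disabled": False}
                            for t in tokens]  # TXT content is sent quoted
    return {"rrsets": [rrset]}

def api(cfg, method, url, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-API-Key": cfg["api-key"], "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def set_challenge(cfg, domain, tokens=None):
    # With tokens: publish, notify secondaries, wait axfr-time seconds
    # (the "Waiting 20 seconds..." step). Without tokens: clean up.
    url = zone_url(cfg, domain)
    if tokens:
        api(cfg, "PATCH", url, challenge_rrset(domain, tokens))
        api(cfg, "PUT", url + "/notify")
        time.sleep(cfg["axfr-time"])
    else:
        api(cfg, "PATCH", url, challenge_rrset(domain, None, "DELETE"))
```

Run set_challenge(load_config(), "domain.com", ["token1", "token2"]) on the PowerDNS host to publish, then set_challenge(load_config(), "domain.com") to clean up; dig TXT _acme-challenge.domain.com in between shows what Let’s Encrypt sees.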

Running certbot
I have used the following command:
certbot --text --server https://acme-v02.api.letsencrypt.org/directory --authenticator certbot-pdns:auth certonly -d domain.com -d '*.domain.com'
(replace domain.com with your domain, in both places; the quotes around *.domain.com stop the shell from expanding the asterisk against your files)
(the server parameter is to switch to the v2 protocol which supports wildcard certificates, newer certbot versions have this by default)

This was the output on my server:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator certbot-pdns:auth, Installer None
Obtaining a new certificate
/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
dns-01 challenge for sunphoto.ro
dns-01 challenge for sunphoto.ro
Notifying zone sunphoto.ro....
Waiting 20 seconds...
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/sunphoto.ro/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/sunphoto.ro/privkey.pem
Your cert will expire on 2019-02-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

From here you can treat it as any other Let’s Encrypt certificate, all the settings are saved, and when you’re running “certbot renew” it will use everything correctly.
You still need to configure the new certificates all over the place, the webserver or wherever you might be using them.

Drop a comment below if you have any questions.

Resources:
https://certbot.eff.org/docs/using.html
https://github.com/robin-thoni/certbot-pdns
https://community.letsencrypt.org/t/wildcard-domain-step-by-step/58250/3