TL;DR: You can't automate Let's Encrypt wildcard cert renewal with a dynamic IP when using Namecheap because you have to manually whitelist your IP to access the API.
---
I spent the better part of the weekend tinkering with getting a Let's Encrypt wildcard cert for my self-hosted stuff. I just wanted to be able to use a nice .eu domain and not have browsers or devices yell at me for having a cert issued by my internal CA.
I use AdGuard Home as my DNS server and Nginx Proxy Manager (NPM from here on) as a reverse proxy. Everything is running in Docker containers on an RPi 4.
My IP is dynamic and I've been using no-ip to keep track of it, but they don't have an API which Certbot could use to create a TXT record when doing a DNS challenge.
So I went to Cloudflare since everyone and their dog seems to use them. Unfortunately, they don't offer .eu domains so I skipped this option.
I spotted Namecheap in both my router's dynamic DNS list and Nginx Proxy Manager's DNS challenge list. I've purchased a domain from them before and had no problems, so I read up a little bit on the whole thing and everything seemed cool. They have a dynamic DNS service you can activate for your domain, so you can use a ddns client to update your IP with them. I bought my domain, set up the dynamic DNS part, created a CNAME record, then went to set up Certbot through NPM. Here's where the first kicker came. You need API access to be able to have Certbot create a TXT record and verify your domain through a DNS challenge. To get API access, you need to satisfy at least one of these requirements:
- have at least 20 domains under your account;
- have at least $50 on your account balance;
- have at least $50 spent within the last 2 years.
Okay, I thought, $50 kinda stings (yay, Eastern European wages) but I can top up my account with it and forget about renewing my domain for like 10 years, so it's not that bad. I did the top-up, activated my API access and here came the second kicker: you have to manually whitelist the IP address you're accessing the API from. So in the end you still have to keep an eye on your IP and potentially whitelist another IP every ~60 days, because NPM won't be able to access the API otherwise.
Now I probably have to live with this setup for at least a year (if I want to keep my domain) or cut my losses, try to get my $50 back and move everything elsewhere, maybe Cloudlfare and a .com domain...
I realize I could've done more research before committing myself financially (the warning about the $50 part is in Certbot's Namecheap plugin's documentation), but even after reading all the docs I haven't seen the IP whitelist part mentioned anywhere, so I thought I'd warn others.
Thank you so much! Yup, I actually didn't realize I didn't have to transfer my domain to Cloudflare and I could simply use their servers. I managed to add the domain to Cloudflare, changed the DNS servers to Cloudflare's servers on Namecheap's interface and successfully got a cert from LE using my Cloudflare API key, so I think it's good now? Just need to set up a ddns client since my router's client (OpenWRT) doesn't seem to support updating Cloudflare. Also, now I need to get my $50 back...