BIND, nsupdate and acme.sh DNS authentication

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

BIND, nsupdate and acme.sh DNS authentication

Brett Delmage
On Thu, 23 Jul 2020, Michael De Roover wrote:

> For example I don't trust Manjaro's maintainers, since they screwed up
> their TLS certificate renewal no less than 3 times. That's complete and
> utter incompetence on their part.

> How they didn't already put certbot in a cron job after the first time
> is beyond me.

To get this topic back on topic for this list:

When you are creating Let's Encrypt wildcard certificates you must use a
DNS authenticiation protocol with letsencrypt. I am using the acme.sh
client which was recommended for wildcard
certificates. https://github.com/acmesh-official/acme.sh

If you are running your own nameserver you also need to enable dynamic
updates so that the acme.sh client can create TXT records during
certificate acqusition and renewal.

However I have found that getting zone dynamic updates (authentication,
specifically) working with nsupdate (which acme.sh uses) and BIND have
been a PITA. I haven't been overly impressed with the debug capabilities
to help get nsupdate working properly.



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: BIND, nsupdate and acme.sh DNS authentication

Michael De Roover
On 7/23/20 9:13 PM, Brett Delmage wrote:

> To get this topic back on topic for this list:
>
> When you are creating Let's Encrypt wildcard certificates you must use
> a DNS authenticiation protocol with letsencrypt. I am using the
> acme.sh client which was recommended for wildcard certificates.
> https://github.com/acmesh-official/acme.sh
>
> If you are running your own nameserver you also need to enable dynamic
> updates so that the acme.sh client can create TXT records during
> certificate acqusition and renewal.
>
> However I have found that getting zone dynamic updates
> (authentication, specifically) working with nsupdate (which acme.sh
> uses) and BIND have been a PITA. I haven't been overly impressed with
> the debug capabilities to help get nsupdate working properly.

Interesting, I wasn't aware of this. Looking at Manjaro's site again, I
found that their main website indeed uses a wildcard certificate while
the forum (which was affected by the certificate renewal issues if
memory serves me right) uses its own dedicated cert. Granted these
renewal issues were already a few years ago so perhaps they changed some
things here and there by now.

I had heard of Let's Encrypt's wildcard certs but never looked further
into it. Would certainly be useful though, as subdomains are an easy way
to separate services. Unfortunately bacme (which I currently use)
doesn't seem to support the DNS-based ACME challenges. I've cloned the
acme.sh repository and will look further into it.

--
Met vriendelijke groet / Best regards,
Michael De Roover
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users