Can I have a token for the DNS challenge?


#1

Hello.
I want to get the token for the DNS challenge.

I will describe this.

My company is using a proxy in front of clients’ servers.
So, clients have to change their DNS.
But we want to issue the certificate before clients change their DNS.
So, I want to get the token for the DNS challenge via the ACME protocol,
let clients know that token, and then they change their DNS.

  1. If so, can we issue a certificate?

  2. I want to know how to get the token for the DNS challenge.

  3. Is the token made by communicating with Let’s Encrypt? Then, is it still valid some minutes after Let’s Encrypt gives the token?

  4. And do you know about hooks? Maybe a hook is used for API communication with DNS.
    Is there a rule for hooks?
    I’m so sorry for asking about things other than Let’s Encrypt.

  5. Also, I am using the letsencrypt.sh and getssl clients.
    Why did those clients make a .crt file before the dns-01 challenge succeeded?
    I don’t understand their algorithm…
    Help me
    :cry:

Thanks.


#2

I want to get the token for the DNS challenge.

That can be done, yes.

If so, can we issue a certificate?

You need a script to do this; among the alternative clients, any of the bash / Go clients can do this.

I want to know how to get the token for the DNS challenge.
Is the token made by communicating with Let’s Encrypt? Then, is it still valid some minutes after Let’s Encrypt gives the token?

In short, Let’s Encrypt provides the token, which you sign with your private key, to provide the token that you place in your DNS.

And do you know about hooks? Maybe a hook is used for API communication with DNS.
Is there a rule for hooks?
I’m so sorry for asking about things other than Let’s Encrypt.

I’m not sure which hook you are referring to here; the token is placed in your DNS as a TXT record at _acme-challenge.yourdomain.com

Also, I am using the letsencrypt.sh and getssl clients.

I know the basics of letsencrypt.sh, and wrote the getssl client, so I can help with the latter.
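For readers who want the exact relationship between the token the CA hands out and the string that ends up in DNS, here is the dns-01 derivation as RFC 8555 specifies it. This is an added example, not code from the thread, from getssl or from Let’s Encrypt: the CA supplies a token; the client joins it to the RFC 7638 thumbprint of its ACME account key to form the key authorization; and the TXT record holds the base64url-encoded SHA-256 of that key authorization. The JWK and token used in the demo are constructed placeholders, not real values, and the script assumes openssl and base64 are on PATH.

```shell
#!/bin/bash
# Added example; not code from the thread, from getssl or from Let's Encrypt.
# Derives the dns-01 TXT value the way RFC 8555 specifies it:
#   keyAuthorization = token "." base64url(SHA-256(canonical JWK of the account key))
#   TXT value        = base64url(SHA-256(keyAuthorization))
# Needs openssl and base64 on PATH.

# base64url without padding (RFC 4648 section 5), bytes taken from stdin.
b64url() {
  base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

# RFC 7638 JWK thumbprint. The JWK on stdin must already be canonical:
# required members only, lexicographically ordered, no whitespace.
jwk_thumbprint() {
  tr -d '\n' | openssl dgst -sha256 -binary | b64url
}

# RFC 8555 section 8.1: the key authorization ties the token to the account key,
# so a TXT value is only valid for the account that requested the challenge.
# $1 = token from the CA, $2 = account key thumbprint.
key_authorization() {
  printf '%s.%s' "$1" "$2"
}

# RFC 8555 section 8.4: the value that goes into _acme-challenge.<domain> TXT.
# $1 = token from the CA, $2 = account key thumbprint.
dns01_txt_value() {
  key_authorization "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# Worked run on a constructed token and a constructed placeholder JWK
# (not a real key; the members are just in canonical order).
demo() {
  local jwk='{"crv":"P-256","kty":"EC","x":"placeholder-x","y":"placeholder-y"}'
  local token='constructed-token-0123456789abcdef'
  local thumb
  thumb=$(printf '%s' "$jwk" | jwk_thumbprint)
  echo "thumbprint:        $thumb"
  echo "key authorization: $(key_authorization "$token" "$thumb")"
  echo "TXT value:         $(dns01_txt_value "$token" "$thumb")"
}

# Run as: ./dns01_value.sh demo
if [ "${1:-}" = "demo" ]; then
  demo
fi
```

Two practical consequences follow from the derivation: the TXT value is 43 characters of base64url (an encoded SHA-256 digest), which is exactly the shape of the values quoted later in this thread, and the value is bound to the account key, so a value computed by one ACME client or account cannot be reused by another.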


#3

Yeah, I saw that you wrote getssl (so thank you for replying to every one of my posts :grin:)

I am using the dns_add_cloudflare script.

Before asking, I want to check that my understanding is correct.

After installing getssl, the command getssl -c hj.com
will make the /root/.getssl/hj.com folder and getssl.cfg file.
Then I edited /root/.getssl/hj.com/getssl.cfg like this:

VALIDATE_VIA_DNS="true"
DNS_ADD_COMMAND="/root/getssl/dns_scripts/dns_add_cloudflare"
DNS_DEL_COMMAND="/root/getssl/dns_scripts/dns_del_cloudflare"

But I don’t want my Cloudflare account to change DNS;
I just want to get the token from Let’s Encrypt for issuing hj.com’s certificate.
If you don’t mind, can you describe this process?
Really, thanks.


#4

The basic process would be…
Create your own “dns_add” script that simply prints out the token and the location it needs to be placed in. The script could simply be

#!/bin/bash
# getssl calls DNS_ADD_COMMAND with the domain as $1 and the TXT value as $2.
# Note the record name: a leading underscore, then a dash: _acme-challenge

echo "In the DNS, a new TXT record needs to be created for;"
echo "_acme-challenge.${1}"
echo "containing the following value"
echo "$2"

# read blocks (and so pauses getssl) until Enter is pressed
read -r -p "Press Enter to obtain the certificate once the records have been updated..."

You would then run “getssl hj.com” or whatever the domain name is. This would communicate with LE, obtain the token, and pass it to your script.

Your script would print out the token and location, then pause.

You would then manually add the token to the DNS (or email it to your client to do, or whatever).

Once they have added the token, you continue with getssl (by just pressing return in your script), and it will obtain the certificate from LE for you.

If the period between obtaining the token and the client adding it to their DNS is long, it’s probably best to modify getssl (or whichever script you are using) to work in 2 parts. At the moment it’s designed to automate the process, so it does it all, rather than having a long manual step in the middle. It’s possible to change things to do that though.


#5

Hello,
I still have questions! :wink:

  1. I ran getssl by typing "./getssl hj.com",
    but the command line says "certificate for hj.com is still valid for more than 30 days (until Oct 22 15:58:07 2016 GMT)"
    Is that right?

I think I never issued a hj.com certificate.
I don’t understand why it says that.

  2. I followed your suggestion.
    When I run ./getssl -f hj.com, the command line says

archiving old certificate file to /root/.getssl/hj.com/hj.com.crt_2016-07-16_2016-10-22
Registering account
Verify each domain
Verifing hj.com
In the DNS, a new TXT record needs to be created for;
_acme_challenge.hj.com
containing the following value
RpK9B5iavjF3urMwXHmdGRh7dIS-1tU95NOahPaJ4BY
Press any key to start obtain the certificate one the records have been updated…

And I added the TXT record and continued the script, but
the command line says

checking DNS for hj.com. Attempt 1/100 gave wrong result, waiting 10 secs before checking again
… and repeats this

Consequently,
I failed to issue the certificate.

How can I detect that the DNS has been changed?
And how can I issue the certificate?

Thanks.


#6

Yes, you have obtained a certificate previously; it’s now archived at /root/.getssl/hj.com/hj.com.crt_2016-07-16_2016-10-22

Your DNS server is not responding (which is why it fails).

Your domain states that your primary domain name server is dns6.iidns.com (or dns1 through dns6.iidns.com); however, many of these do not respond to requests.

If I also look for the TXT record, I’m not getting a valid response from any of them:

nslookup -type=txt _acme-challenge.hj.com dns1.iidns.com
** server can’t find _acme-challenge.hj.com: NXDOMAIN

Is the TXT entry still there?


#7

Good morning!
Uhm… hj.com is just an example :smile:
So can you check fan.cbilization.com once more?
There is _acme_challenge.fan.cbilization.com
and I entered the token "CVpIwwyRM_l_E0CSV_U_qV2OrxGAh0GjKGJFRrDixxE".
I checked the DNS using “dig fan.cbilization.com txt” and continued the script,
but still had this error: “checking DNS for fan.cbilization.com. Attempt 27/100 gave wrong result, waiting 10 secs before checking again”

Thanks.


#8

In the case of fan.cbilization.com, one of your primary nameservers is ns-27.awsdns-03.com

Asking that primary name server for the TXT entries in the DNS gives no result:

$ nslookup -type=txt fan.cbilization.com ns-27.awsdns-03.com
Server:		ns-27.awsdns-03.com
Address:	205.251.192.27#53

*** Can't find fan.cbilization.com: No answer

Have you added the token as a TXT record to your DNS?


#9

Yes!
I added the token as a TXT record in the AWS Route 53 server.

root@server :~# dig _acme_challenge.fan.cbilization.com. txt
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.45.amzn1 <<>> _acme_challenge.fan.cbilization.com. txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48259
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme_challenge.fan.cbilization.com. IN TXT

;; ANSWER SECTION:
_acme_challenge.fan.cbilization.com. 300 IN TXT "CVpIwwyRM_l_E0CSV_U_qV2OrxGAh0GjKGJFRrDixxE"

;; Query time: 34 msec
;; SERVER: 50.0.0.2#53(50.0.0.2)
;; WHEN: Tue Aug 16 07:38:10 2016
;; MSG SIZE rcvd: 109

Isn’t that right?


#10

Let’s Encrypt will specifically check your primary DNS, not just a random server, Google or whatever. So you need to check your primary DNS.

With dig, this would be

dig -t txt domain.com @primary_nameserver

where domain.com is your domain, and primary_nameserver is your primary DNS server eg

dig -t txt fan.cbilization.com @ns-27.awsdns-03.com

You could also use nslookup

nslookup -type=txt fan.cbilization.com ns-27.awsdns-03.com

It also looks as if you have an underscore missing from your TXT record _acmechallenge
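The manual “dns_add” hook sketched in #4 and the authoritative-nameserver check in #10 fit naturally into one script: print the record, wait for the operator, then confirm that every authoritative server of the zone (the servers Let’s Encrypt itself will ask, not the local resolver’s cache) serves the expected value before letting getssl proceed. The script below is an added example, not getssl’s dns_add_cloudflare or any other script from the thread. It assumes, as the thread’s hook does, that getssl invokes DNS_ADD_COMMAND with the domain as $1 and the TXT value as $2, and that dig (bind-utils / dnsutils) is installed; the default attempt count and delay are chosen here, not taken from getssl.

```shell
#!/bin/bash
# Added example, not getssl's own dns_add_cloudflare or any script from the thread.
# A manual "dns_add" hook for getssl: getssl calls DNS_ADD_COMMAND with the
# domain as $1 and the TXT value as $2 (assumption carried over from the thread).
# It prints the record, waits for the operator, then polls every authoritative
# nameserver of the zone until all of them return the value. Requires dig.

# The challenge record name: leading underscore, then a dash (not a second underscore).
challenge_name() {
  printf '_acme-challenge.%s\n' "$1"
}

# Read "dig +short -t txt" answers on stdin; succeed if one equals the expected value.
# dig prints each TXT string wrapped in double quotes, so strip one pair.
has_token() {
  local expected="$1" line
  while IFS= read -r line; do
    line="${line#\"}"
    line="${line%\"}"
    [ "$line" = "$expected" ] && return 0
  done
  return 1
}

# Find the zone's NS records by walking up the name until a level answers:
# _acme-challenge.fan.example.com -> fan.example.com -> example.com
zone_nameservers() {
  local name="$1" ns
  while [ "$name" != "${name#*.}" ]; do
    ns=$(dig +short -t ns "$name" 2>/dev/null | sed 's/\.$//')
    if [ -n "$ns" ]; then
      printf '%s\n' "$ns"
      return 0
    fi
    name="${name#*.}"
  done
  return 1
}

# Ask each authoritative server directly (bypassing recursive resolvers and
# their caches) until every one of them serves the expected TXT value.
# $1 = record name, $2 = expected value, $3 = attempts (default 60), $4 = delay seconds (default 10)
wait_for_record() {
  local record="$1" expected="$2" attempts="${3:-60}" delay="${4:-10}" i ns all_ok
  for i in $(seq 1 "$attempts"); do
    all_ok=1
    for ns in $(zone_nameservers "$record"); do
      if dig +short -t txt "$record" "@$ns" 2>/dev/null | has_token "$expected"; then
        echo "$ns: record present"
      else
        echo "$ns: record not visible yet"
        all_ok=0
      fi
    done
    [ "$all_ok" = 1 ] && return 0
    sleep "$delay"
  done
  return 1
}

# Hook entry point; does nothing when sourced without arguments.
if [ $# -ge 2 ]; then
  record=$(challenge_name "$1")
  echo "In the DNS, a new TXT record needs to be created for;"
  echo "$record"
  echo "containing the following value"
  echo "$2"
  read -r -p "Press Enter once the record has been published..." _
  if ! wait_for_record "$record" "$2"; then
    echo "TXT record not visible on every authoritative nameserver; aborting." >&2
    exit 1
  fi
fi
```

Pointing DNS_ADD_COMMAND at this file reproduces the thread’s workflow, but the hook now refuses to return to getssl until the record is actually visible where the CA will look, which turns the “Attempt N/100 gave wrong result” loop from a mystery into a concrete per-nameserver report.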


#11

Oh, thanks for your detailed answer.
So then, how can I set the TXT record _acmechallenge on my primary DNS server?
Is there any way to do that?

Thanks. :smile:

P.S. Can you describe the difference between authoritative DNS and primary DNS?
I am very confused about that :joy:


#12

These are the same thing.

in AWS - see https://docs.aws.amazon.com/ses/latest/DeveloperGuide/dns-txt-records.html


#13

When I test the command

dig -t txt _acme_challenge.fan.cbilization.com @ns-27.awsdns-03.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.45.amzn1 <<>> -t txt _acme_challenge.fan.cbilization.com @ns-27.awsdns-03.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2118
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;_acme_challenge.fan.cbilization.com. IN TXT

;; ANSWER SECTION:
_acme_challenge.fan.cbilization.com. 300 IN TXT "CVpIwwyRM_l_E0CSV_U_qV2OrxGAh0GjKGJFRrDixxE"

;; AUTHORITY SECTION:
cbilization.com. 172800 IN NS ns-1183.awsdns-19.org.
cbilization.com. 172800 IN NS ns-1788.awsdns-31.co.uk.
cbilization.com. 172800 IN NS ns-27.awsdns-03.com.
cbilization.com. 172800 IN NS ns-657.awsdns-18.net.

;; Query time: 59 msec
;; SERVER: 205.251.192.27#53(205.251.192.27)
;; WHEN: Tue Aug 16 08:08:46 2016
;; MSG SIZE rcvd: 245
It can find the TXT record!
Isn’t that right?


#14

Note the difference between

dig -t txt _acme_challenge.fan.cbilization.com @ns-27.awsdns-03.com

that you have, and;

dig -t txt _acme-challenge.fan.cbilization.com @ns-27.awsdns-03.com


#15

I checked
dig -t txt _ acme _ challenge.fan.cbilization.com @ns-27.awsdns-03.com
(the formatting was applied arbitrarily like this)
So, is there a difference?


#16

Yes, there is a difference between “_” and “-”

you had

dig -t txt _acme_challenge.fan.cbilization.com @ns-27.awsdns-03.com

not

dig -t txt _acme-challenge.fan.cbilization.com @ns-27.awsdns-03.com


#17

I’m really sorry for asking the same thing repeatedly…
but I can’t understand yet :joy:
When I run getssl, the above code appears


So I added the _ acme _ challenge.fan.cbilization.com TXT record to my DNS provider (AWS Route 53).
Is it right or not?
Thanks.


#18

The second “underscore” (_) should be a “dash” or “minus” (-) in your “dns_add” script.

#!/bin/bash
# getssl calls DNS_ADD_COMMAND with the domain as $1 and the TXT value as $2.
# The record name is _acme-challenge: underscore, then a dash.

echo "In the DNS, a new TXT record needs to be created for;"
echo "_acme-challenge.${1}"
echo "containing the following value"
echo "$2"

# read blocks (and so pauses getssl) until Enter is pressed
read -r -p "Press Enter to obtain the certificate once the records have been updated..."

If you are using AWS though, you can have the script add the record for you automatically.


#19

Oh my god.
I never thought about that. I’m so sorry.
When I changed the DNS _ to -,
the code says the above.

Maybe I got a new certificate for fan.cbilization.com.
Thank you so much for your kind and persistent answers :blush:


#20

Yes, you now have a certificate for fan.cbilization.com :slight_smile: