My company is using a proxy in front of our clients' servers.
So, the clients have to change their DNS.
But we want to issue the certificate before the clients change their DNS.
So I want to get the token for the DNS challenge via the ACME protocol,
and let the clients know that token so they can change their DNS.
If so, can we issue the certificate?
I want to know how to get the token for the DNS challenge.
Is the token made by communicating with Let's Encrypt? Then, is it still valid some minutes after Let's Encrypt gives the token?
And, you know hooks? Maybe a hook is used for API communication with the DNS.
Is there a rule for hooks?
I'm so sorry for asking about things other than Let's Encrypt.
Also, I am using the letsencrypt.sh & getssl clients.
Why do those clients make the crt file before the dns-01 challenge succeeds?
I don't understand their algorithm...
Help me
You need a script to do this; among the alternate clients, any of the bash / Go clients can do this.
I want to know how to get the token for the DNS challenge.
Is the token made by communicating with Let's Encrypt? Then, is it still valid some minutes after Let's Encrypt gives the token?
In short, Let's Encrypt provides the token, which you sign with your private key, to provide the token that you place in your DNS.
And, you know hooks? Maybe a hook is used for API communication with the DNS.
Is there a rule for hooks?
I'm so sorry for asking about things other than Let's Encrypt.
I'm not sure which hook you are referring to here; the token is placed in your DNS as a TXT record at _acme-challenge.yourdomain.com
Also, I am using letsencrypt.sh & getssl client.
I know the basics of letsencrypt.sh, and wrote the getssl client, so I can help with the latter.
Yeah, I saw that you wrote getssl (so thank you for replying to all my posts).
I am using the dns_add_cloudflare script.
Before asking, I want to check that my understanding is correct.
After installing getssl, the command getssl -c hj.com
will make the /root/.getssl/hj.com folder and the getssl.cfg file.
Then I edited /root/.getssl/hj.com/getssl.cfg as above.
But I don't want my Cloudflare account to change the DNS;
I just want to get the token from Let's Encrypt for issuing hj.com's certificate.
If you don't mind, can you describe this process?
Really, thanks.
The basic process would be ...
create your own "dns_add" script ... that simply prints out the token and the location it needs to be placed in. The script could simply be
#!/bin/bash
# getssl calls this hook as: dns_add <domain> <token>
# $1 = the domain being verified, $2 = the value for the TXT record
echo "In the DNS, a new TXT record needs to be created for;"
echo "_acme-challenge.${1}"
echo "containing the following value"
echo "$2"
# read waits for a whole line, so ask for Enter rather than "any key"
read -r -p "Press Enter to obtain the certificate once the records have been updated..."
You would then run “getssl hj.com” or whatever the domain name is. This would communicate with LE, obtain the token, and pass it to your script.
Your script would print out the token and location, then pause
You would then manually add the token to the DNS ( or email it to your client to do, or whatever )
Once they have added the token, you continue with getssl (by just pressing return on your script ), and it will obtain the certificate from LE for you.
If the period between obtaining the token, and the client adding it to their DNS, is long, it’s probably best to modify getssl (or whichever script you are using ) to work in 2 parts. At the moment it’s designed to automate the process, so it does it all, rather than having a long manual step in the middle. It’s possible to change things to do that though.
I run getssl by typing "./getssl hj.com"
but the command line says "certificate for hj.com is still valid for more than 30 days (until Oct 22 15:58:07 2016 GMT)"
Is that right?
I think I never issued an hj.com certificate.
I don't understand why it says that.
I followed your suggestion.
When I run ./getssl -f hj.com, the command line says
archiving old certificate file to /root/.getssl/hj.com/hj.com.crt_2016-07-16_2016-10-22
Registering account
Verify each domain
Verifing hj.com
In the DNS, a new TXT record needs to be created for;
_acme_challenge.hj.com
containing the following value
RpK9B5iavjF3urMwXHmdGRh7dIS-1tU95NOahPaJ4BY
Press any key to start obtain the certificate one the records have been updated…
And I added the TXT record and continued the script, but
the command line says
checking DNS for hj.com. Attempt 1/100 gave wrong result, waiting 10 secs before checking again
... and repeats this.
Consequently
I failed to issue the certificate.
How can I detect that the DNS has been changed?
And how can I issue the certificate?
Yes, you have obtained a certificate previously; it's now archived at /root/.getssl/hj.com/hj.com.crt_2016-07-16_2016-10-22
Your DNS server is not responding (which is why it fails).
Your domain states that your primary domain name server is dns6.iidns.com (or dns1 through dns6.iidns.com); however, many of these do not respond to requests.
If I also look for the TXT record, I'm not getting a valid response from any of them:
nslookup -type=txt _acme-challenge.hj.com dns1.iidns.com
** server can't find _acme-challenge.hj.com: NXDOMAIN
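The two-part process described earlier in the thread (print the record, pause while the client adds it, then continue) and the "how can I detect that the DNS has been changed?" question can be served by one hook. The following is an added example, not getssl's own code and not something posted in this thread: a dns_add-style script that prints the record for the client, then polls every authoritative name server of the enclosing zone with dig until the TXT value is visible, so control only returns to getssl once Let's Encrypt can be expected to see it. It assumes getssl invokes the hook as dns_add <domain> <token> (the $1/$2 convention used above), that dig is installed, and that a non-zero exit is an acceptable way to stop the run; the dig answer embedded at the bottom is constructed, not a real capture, and exists only so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not getssl's code): a dns_add-style hook for the DNS-01
# challenge that prints the TXT record for the client to create, then waits
# until every authoritative name server for the zone returns it.
# Assumptions: called as  dns_add <domain> <token>  ($1 = domain, $2 = token),
# and "dig" is installed. Only wait_for_txt/zone_nameservers touch the network.

set -u

# Name of the challenge record. Note the dash: _acme-challenge, not _acme_challenge.
challenge_name() {
    printf '_acme-challenge.%s' "$1"
}

# Read "dig +noall +answer" output on stdin; succeed (0) only if a TXT record
# owned by $1 carries exactly the value $2. Answer lines look like:
#   _acme-challenge.example.com. 300 IN TXT "token"
txt_answer_has_token() {
    name="$1"
    token="$2"
    found=1
    while IFS= read -r line; do
        case "$line" in ";"*|"") continue ;; esac   # skip comments and blank lines
        set -- $line                               # owner ttl class type rdata...
        [ "$#" -ge 5 ] || continue
        owner="${1%.}"                             # drop the trailing dot
        class="$3"
        rtype="$4"
        shift 4
        rdata="$*"
        rdata="${rdata#\"}"                        # strip the surrounding quotes
        rdata="${rdata%\"}"
        if [ "$owner" = "$name" ] && [ "$class" = "IN" ] \
           && [ "$rtype" = "TXT" ] && [ "$rdata" = "$token" ]; then
            found=0
        fi
    done
    return "$found"
}

# Authoritative name servers of the closest enclosing zone of $1
# (for fan.cbilization.com that is the NS set of cbilization.com).
zone_nameservers() {
    zone="$1"
    while [ -n "$zone" ]; do
        ns=$(dig +short NS "$zone" 2>/dev/null) || ns=""
        if [ -n "$ns" ]; then
            printf '%s\n' "$ns" | while IFS= read -r n; do printf '%s\n' "${n%.}"; done
            return 0
        fi
        case "$zone" in
            *.*) zone="${zone#*.}" ;;              # walk up one label
            *)   return 1 ;;
        esac
    done
    return 1
}

# Poll every authoritative server, up to $3 attempts $4 seconds apart
# (defaults 30 x 10 s). Let's Encrypt may ask any of them, so all must agree.
wait_for_txt() {
    domain="$1"
    token="$2"
    attempts="${3:-30}"
    delay="${4:-10}"
    name=$(challenge_name "$domain")
    servers=$(zone_nameservers "$domain") || { echo "no NS found for $domain" >&2; return 1; }
    attempt=1
    while [ "$attempt" -le "$attempts" ]; do
        total=0
        ok=0
        for ns in $servers; do
            total=$((total + 1))
            if dig +noall +answer "@$ns" "$name" TXT 2>/dev/null \
                 | txt_answer_has_token "$name" "$token"; then
                ok=$((ok + 1))
            else
                echo "attempt $attempt/$attempts: $ns does not serve $name yet" >&2
            fi
        done
        if [ "$ok" -gt 0 ] && [ "$ok" -eq "$total" ]; then
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "$delay"
    done
    return 1
}

# Constructed sample of "dig +noall +answer" output (not a real capture), with
# the token value quoted in the thread, for checking the parser offline.
SAMPLE_ANSWER='_acme-challenge.fan.cbilization.com. 300 IN TXT "CVpIwwyRM_l_E0CSV_U_qV2OrxGAh0GjKGJFRrDixxE"'
SAMPLE_TOKEN='CVpIwwyRM_l_E0CSV_U_qV2OrxGAh0GjKGJFRrDixxE'

# Hook entry point: getssl passes the domain and token as $1 and $2.
if [ "$#" -ge 2 ]; then
    echo "In the DNS, a new TXT record needs to be created for:"
    echo "  $(challenge_name "$1")"
    echo "containing the following value:"
    echo "  $2"
    printf 'Press Enter once the client has added the record... '
    read -r dummy
    if wait_for_txt "$1" "$2"; then
        echo "record visible on all authoritative servers; continuing"
    else
        echo "record still not visible on every authoritative server; giving up" >&2
        exit 1
    fi
fi
```

Because the check queries the correctly spelled _acme-challenge name on the zone's own name servers rather than a caching resolver, a record created under a misspelled name, or one that only some of the authoritative servers have picked up yet, keeps the hook waiting instead of letting getssl submit a challenge that will fail.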
Good morning!
Uhm... hj.com is just an example.
So can you check fan.cbilization.com one more time?
There is _acme_challenge.fan.cbilization.com
and I entered the token "CVpIwwyRM_l_E0CSV_U_qV2OrxGAh0GjKGJFRrDixxE".
I checked the DNS using "dig fan.cbilization.com txt" and continued the script,
but still got this error: "checking DNS for fan.cbilization.com. Attempt 27/100 gave wrong result, waiting 10 secs before checking again"
I checked with
dig -t txt _acme_challenge.fan.cbilization.com @ns-27.awsdns-03.com
(the forum formatting was applied arbitrarily, like this)
So, is there a difference?
The second “underscore” (_) should be a “dash” or “minus” (-) in your “dns_add” script.
#!/bin/bash
# getssl calls this hook as: dns_add <domain> <token>
# $1 = the domain being verified, $2 = the value for the TXT record
echo "In the DNS, a new TXT record needs to be created for;"
echo "_acme-challenge.${1}"
echo "containing the following value"
echo "$2"
# read waits for a whole line, so ask for Enter rather than "any key"
read -r -p "Press Enter to obtain the certificate once the records have been updated..."
If you are using AWS though, you can have the script add the record for you automatically.