Certbot - DNS Challenge Question

Hello Gentlemen,

I would like to produce an SSL certificate using the DNS challenge.

My ultimate goal is to use certbot (on Debian 8) to produce a PFX certificate including a CN and four SANs using the DNS challenge.

Despite all I have read in the documentation and on the forum, I can’t find out how to combine plugins and other hooks to achieve my goal.

Could some of you point me in the right direction?

Thanks a lot

Have a good day,
JC

Hi @Jean-Christophe,

Certbot will obtain certificates in PEM format. Then the PEM files can be converted to PFX format afterward—not by Certbot, but by OpenSSL.

You can find examples of the conversion process by searching

https://community.letsencrypt.org/search?q=pfx%20openssl

You could choose to put these OpenSSL commands in a script and then run that script as a --post-hook.

Using the DNS challenge is another, well, challenge. It depends on how you are going to make changes to your DNS zone, which depends on how your DNS is hosted. Certbot has historically not been very strong in this area, often requiring manual scripting, but recently one of the developers has added some improved support for DNS provider APIs which makes using Certbot with the DNS challenge more convenient in some cases. Still, the way to do it depends entirely on what you have to do to update your DNS records.

Hi @schoen,

Thanks a lot for this answer.
Actually, the conversion problem is the least, for the moment.
I would like to request and export a certificate using the DNS challenge, interactively. The goal is not to automate the whole process.
I plan to make the changes and add the TXT records by hand, when requested by the wizard.

Thanks again for your time,
Best regards,
JC

Hi @Jean-Christophe

Review version 0.15.0, which now has automatic DNS handlers for some of the more popular DNS services.

The command to use is:

openssl pkcs12 -export -out <name of the .pfx file> -inkey <name of the private certificate key> -in <name of certificate> -passout pass:<somepassword>

I can give you a python script that looks for new certificates (outside of certbot) and creates PFX files for them.

I.e. look in

etc/live
Find New Certificates
Create PFXs
Put them somewhere

Andrei
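
An added example, not code from any poster in this thread: a shell script that follows the outline above (scan the live directory, find new certificates, create PFXs, put them somewhere) and could be run as the --post-hook suggested earlier. It assumes Certbot's standard lineage file names privkey.pem and fullchain.pem; the script name, the directory arguments and the password file are hypothetical.

```shell
#!/bin/sh
# Added example: convert Certbot PEM lineages to password-protected PFX files.
# Usage (hypothetical name and paths): pem2pfx.sh <live_dir> <out_dir> <password_file>
set -eu

# Build one PFX from a lineage directory (assumed to hold privkey.pem and
# fullchain.pem, as Certbot writes them).
make_pfx() {
    src=$1 dst=$2 pw=$3
    tmp="$dst.tmp.$$"
    # file: reads the password from the first line of a file, which keeps it
    # out of the process list and shell history (pass: on the command line does not).
    openssl pkcs12 -export -out "$tmp" \
        -inkey "$src/privkey.pem" -in "$src/fullchain.pem" \
        -passout "file:$pw"
    mv -f "$tmp" "$dst"    # rename into place so readers never see a partial file
}

# Convert every lineage whose PFX is missing or older than its certificate.
# Prints the name of each lineage that was converted, one per line.
convert_all() {
    live_dir=$1 out_dir=$2 passfile=$3
    umask 077              # the PFX contains the private key
    mkdir -p "$out_dir"
    for lineage in "$live_dir"/*/; do
        lineage=${lineage%/}
        [ -f "$lineage/fullchain.pem" ] || continue
        [ -f "$lineage/privkey.pem" ] || continue
        name=$(basename "$lineage")
        pfx="$out_dir/$name.pfx"
        if [ -e "$pfx" ] && [ "$pfx" -nt "$lineage/fullchain.pem" ]; then
            continue       # PFX is newer than the certificate: nothing to do
        fi
        make_pfx "$lineage" "$pfx" "$passfile"
        echo "$name"
    done
}

# Run only when called with the three arguments described above.
if [ "$#" -eq 3 ]; then
    convert_all "$1" "$2" "$3"
fi
```

The password file should be readable only by the account that runs Certbot, since anyone who can read both it and the output directory can recover the private key.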
