DNS-01 challenge with certbot hooks

Since I already had a self-deployed dyndns server for personal use I decided to get a cert for my home server (which is behind NAT, standard ports are not forwarded). So, I’ve written a small script to “reach out” to my DNS server and update the challenge. Find it below:

#!/bin/bash
# certbot --manual-auth-hook: publish the DNS-01 validation value as a TXT
# record through a dynamic DNS update (nsupdate) to the dyndns zone.

DYNZONE="dyn.mydomain.com"

# certbot exports both variables to the hook; refuse to run without them.
if [ -z "$CERTBOT_DOMAIN" ] || [ -z "$CERTBOT_VALIDATION" ]
then
    echo "EMPTY DOMAIN OR VALIDATION"
    exit 1
fi

HOST="_acme-challenge"

# The TSIG key file authorises the update; nsupdate reads its commands from the heredoc.
# The delete clears the TXT value left over from an earlier run (the original deleted an
# A record, which never existed at this name), then the current value is added.
/usr/bin/nsupdate -k /root/scripts/Kdyn.mydomain.com.+xxx+yyyyy.private << EOM
zone ${DYNZONE}
update delete ${HOST}.${CERTBOT_DOMAIN} TXT
update add ${HOST}.${CERTBOT_DOMAIN} 300 TXT "${CERTBOT_VALIDATION}"
send
EOM
echo ""

It simply works by calling "certbot certonly --agree-tos --manual --preferred-challenges=dns --manual-auth-hook /root/scripts/certbot-dns-auth.sh -d home.dyn.mydomain.com"

(don’t forget to copy both the key and private key files to the server, with the update key added to the BIND zone)


Although I don’t use the DNS-01 challenge (yet 😛) this might be very helpful for people who do, thanks!

One small note though: how big is the chance the character sequence EOM would be part of the challenge validation string? If it somehow would be in there by chance, it would mess up your here doc, correct?

I’m sure it’s a very small chance, but is it something to consider to expand it to something really unlikely?

The sequence that closes a heredoc is only valid if it follows a newline. It wouldn’t trigger if it was in $CERTBOT_VALIDATION.

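Added example (not the original poster's script): a hook-style helper that checks the validation value against the alphabet certbot actually produces before anything reaches nsupdate, and builds the same nsupdate batch with a heredoc, so the "EOM inside the value" case from the question above can be exercised directly. Zone and host names below are assumed placeholders, and the sample value is constructed.

```shell
#!/bin/bash
# Added example, not the poster's hook. It generates the nsupdate batch only;
# feed it to "nsupdate -k <keyfile>" in a real hook.

# CERTBOT_VALIDATION is base64url(SHA-256(key authorization)) per RFC 8555:
# exactly 43 characters from [A-Za-z0-9_-]. Anything else is rejected so a
# malformed value never reaches the TSIG-authorised update.
valid_challenge_value() {
    case "$1" in
        *[!A-Za-z0-9_-]*|"") return 1 ;;
    esac
    [ "${#1}" -eq 43 ]
}

# Print the nsupdate batch for one name/value pair. The heredoc delimiter
# closes the document only when it stands alone on a line, so an "EOM"
# embedded in the value is passed through literally.
nsupdate_batch() {
    zone="$1"; domain="$2"; value="$3"
    valid_challenge_value "$value" || return 1
    cat << EOM
zone ${zone}
update delete _acme-challenge.${domain} TXT
update add _acme-challenge.${domain} 300 TXT "${value}"
send
EOM
}

# Constructed sample value: 43 base64url characters that contain "EOM".
SAMPLE="abcEOMdef0123456789_-ABCDEFGHIJKLMNOPQRSTUV"

# Number of lines in the generated batch; 4 means the heredoc stayed intact.
batch_line_count() {
    nsupdate_batch "$1" "$2" "$3" | wc -l | tr -d ' '
}
```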

Nice, good to know!
