How does one generate DNS-01 challange that can be added to server DNS-records forLetsEncrypt/ SSL-verification?
With which client and with which args?
Can this be done with cerbot/letsencrypt?
Are there clients that can do the issuance and renwal automatically scripted?
Thanks for any info on this.
hi @jjaone
one adds a DNS record type TXT
that depends on the client
yes certbot can be used for dns challenges using --manual and --preferredchallenges arguments
you can review this:
there is also a python project for a DNS lexicon
you can also script your own plugins
http://letsencrypt.readthedocs.io/en/latest/contributing.html#code-components-and-layout
Thanks for the answer. Iām using letsencrypt 0.11.1 and the āāmanualā command only have these switches:
--manual-auth-hook MANUAL_AUTH_HOOK
Path or command to execute for the authentication
script (default: None)
--manual-cleanup-hook MANUAL_CLEANUP_HOOK
Path or command to execute for the cleanup script
(default: None)
--manual-public-ip-logging-ok
Automatically allows public IP logging (default: Ask)
The ācertbotā command does not seem to recognize that "āpreferredchallengesā argument but says:
> certbot: error: unrecognized arguments: --preferredchallenges dns-01
sorry for the sarcasm but a big fan of copy and paste 
http://letsencrypt.readthedocs.io/en/latest/using.html#certbot-commands
āpreferred-challenges PREF_CHALLS
A sorted, comma delimited list of the preferred
challenge to use during authorization with the most
preferred challenge listed first (Eg, ādnsā or ātls-
sni-01,http,dnsā). Not all plugins support all
challenges. See
https://certbot.eff.org/docs/using.html#plugins for
details. ACME Challenges are versioned, but if you
pick āhttpā rather than āhttp-01ā, Certbot will select
the latest version automatically. (default: )
the manual even gives you the syntax 
below is how i usually do mine
also thanks heaps for posting the manual hook stuff
i been thinking about how to do something and those will be perfect
i am also guilty of not RTFMing 
Ok, found out that the correct arg is actually āāpreferred-challangesā and using a command:
`/letsencrypt-auto certonly --agree-tos --renew-by-default --manual --preferred-challenges=dns -d mydns.domain1.tld`
I was able to generate a DNS-challange:
Please deploy a DNS TXT record under the name
_acme-challenge.mydns.domain1.tld with the following value:
JHPIuUHGBkadaodaiweirfblaabvlaabadasasajqxU
which then should be added to server DNS-record as a TXT record, with a very shor TTL.
nice one! let me know how you go with the hook stuff
Yes, you would have seen that information when you would have run certbot --help manual 
But as it's not specific for just the manual plugin, you would have found it in the "optional arguments" in that same output. Just don't blindly stare at the part after "manual:" 
I had run --manual and several help commands and read the docs of those letsencypt-auto/certbot-auto (old) clients that were installed in our hosts (after I got this task to make SSL-certs to our servers that were moved behind NAT-firewalls three days ago) and they did not have anything about DNS-veriification, also the advice given by @ahaw01 who actully answered this question had it written in incorrect format, which I actually corrected after finding out the arg/options that should be used.
Of course many things could have been searched and could have been done, but after having done a lot of search and experiments with those clients that we had and reading about in these forums that documentation is somwehat sparse on how to use DNS-based verification I decided to asked. And I was actully given an anwer that lead me to correct path and now we have the solution which you can see above.
Instead of you @Osiris OT commenting/complaining about how we found out the commands, you could have provided the correct format and arguments as an answer to the Q that was asked, which was more about the defails of the whole procedure to achieve DNS-based verificatiion of SSL:s with LetsEncrypt of which the generation of the challenge with any of the appropriate clients is just one part.
Just don't *blindly stare *at the words written here but try to understand why and for what they are written
Yes thank you for your command examples, they were were helpful foo.
I'm now experimenting with different solutions to automatice this DNS-based challenge generation and verification and renewal process, cause we are still in testing phase and the DNS-records management polices are not exactly clear yet, so IƤn not sure if there will be any APIs available for us to automate thist.
But there seems to be many Python-based scripts that can automate parts of those DNS-hooks, but I am still looking for a pure Bash-based solution (especially for the renewal part), cause I do not want to install stuff on our production servers just for SSL/DNS-verification (unless it is absolutely necessary).
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.