DNS-based challenge for verification of LetsEncrypt/SSL-certs?


#1

How does one generate a DNS-01 challenge that can be added to the server's DNS records for LetsEncrypt/SSL-verification?

With which client and with which args?

Can this be done with certbot/letsencrypt?

Are there clients that can do the issuance and renewal automatically, scripted?

Thanks for any info on this.


#2

hi @jjaone

one adds a DNS record type TXT

that depends on the client

yes certbot can be used for dns challenges using --manual and --preferredchallenges arguments

you can review this:


there is also a python project for a DNS lexicon

https://pypi.python.org/pypi/dns-lexicon

you can also script your own plugins

http://letsencrypt.readthedocs.io/en/latest/contributing.html#code-components-and-layout


#3

Thanks for the answer. I’m using letsencrypt 0.11.1 and the `--manual` command only has these switches:

--manual-auth-hook MANUAL_AUTH_HOOK
                      Path or command to execute for the authentication
                      script (default: None)
--manual-cleanup-hook MANUAL_CLEANUP_HOOK
                      Path or command to execute for the cleanup script
                      (default: None)
--manual-public-ip-logging-ok
                      Automatically allows public IP logging (default: Ask)

The ‘certbot’ command does not seem to recognize that `--preferredchallenges` argument but says:
> certbot: error: unrecognized arguments: --preferredchallenges dns-01


#4

sorry for the sarcasm but a big fan of copy and paste :wink:

http://letsencrypt.readthedocs.io/en/latest/using.html#certbot-commands

--preferred-challenges PREF_CHALLS
A sorted, comma delimited list of the preferred challenge to use during authorization with the most preferred challenge listed first (Eg, “dns” or “tls-sni-01,http,dns”). Not all plugins support all challenges. See https://certbot.eff.org/docs/using.html#plugins for details. ACME Challenges are versioned, but if you pick “http” rather than “http-01”, Certbot will select the latest version automatically. (default: [])

the manual even gives you the syntax :smiley:

below is how i usually do mine :smiley:


#5

also thanks heaps for posting the manual hook stuff

i've been thinking about how to do something and those will be perfect

i am also guilty of not RTFMing :frowning:


#6

Ok, found out that the correct arg is actually `--preferred-challenges` and using the command:

`/letsencrypt-auto certonly --agree-tos --renew-by-default --manual --preferred-challenges=dns -d mydns.domain1.tld`

I was able to generate a DNS-challenge:

    Please deploy a DNS TXT record under the name
    _acme-challenge.mydns.domain1.tld with the following value:
    JHPIuUHGBkadaodaiweirfblaabvlaabadasasajqxU

which then should be added to the server's DNS records as a TXT record, with a very short TTL.


Is there any better documentation for dns-01 challenge validation?


#7

nice one! let me know how you go with the hook stuff


#8

Yes, you would have seen that information if you had run `certbot --help manual` :slight_smile: But as it’s not specific to just the manual plugin, you would have found it under “optional arguments” in that same output. Just don’t blindly stare at the part after “manual:” :wink:


#9

I had run --manual and several help commands and read the docs of those letsencrypt-auto/certbot-auto (old) clients that were installed on our hosts (after I got this task to make SSL-certs for our servers that were moved behind NAT-firewalls three days ago), and they did not have anything about DNS-verification. Also, the advice given by @ahaw01, who actually answered this question, had it written in an incorrect format, which I corrected after finding out the arg/options that should be used.

Of course many things could have been searched and could have been done, but after having done a lot of searching and experiments with those clients that we had, and reading in these forums that documentation is somewhat sparse on how to use DNS-based verification, I decided to ask. And I was actually given an answer that led me to the correct path, and now we have the solution which you can see above.

Instead of you @Osiris OT commenting/complaining about how we found out the commands, you could have provided the correct format and arguments as an answer to the Q that was asked, which was more about the details of the whole procedure to achieve DNS-based verification of SSL certs with LetsEncrypt, of which the generation of the challenge with any of the appropriate clients is just one part.

Just don’t *blindly stare* at the words written here but try to understand why and for what they are written :slight_smile:


#10

Yes, thank you for your command examples, they were helpful too.

I’m now experimenting with different solutions to automate this DNS-based challenge generation, verification and renewal process, because we are still in the testing phase and the DNS-records management policies are not exactly clear yet, so I’m not sure if there will be any APIs available for us to automate this.

But there seem to be many Python-based scripts that can automate parts of those DNS-hooks, but I am still looking for a pure Bash-based solution (especially for the renewal part), because I do not want to install stuff on our production servers just for SSL/DNS-verification (unless it is absolutely necessary).
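As an added example (not code from the thread or from certbot), here is a POSIX sh skeleton for the `--manual-auth-hook` listed in #3 and asked for in #10: certbot exports `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to the hook, and the script derives the `_acme-challenge` name shown in #6, sanity-checks the value, and polls a resolver until the TXT record is visible before returning control to certbot. The publishing step is left as a placeholder since the thread names no DNS API, `LOOKUP_CMD`/`POLL_INTERVAL` are hypothetical overrides added for testing, and the wildcard handling goes beyond what the thread covers.

```shell
#!/bin/sh
# Added example: skeleton for a certbot --manual-auth-hook (not code from the thread).
# certbot runs the hook with CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment.

# Name of the TXT record the CA queries, e.g. _acme-challenge.mydns.domain1.tld.
# Stripping a leading "*." covers wildcard names (goes beyond the thread).
acme_record_name() {
    echo "_acme-challenge.${1#\*.}"
}

# A DNS-01 value is base64url(SHA-256(key authorization)): 43 chars of [A-Za-z0-9_-].
# Checking this before the value reaches a zone-update command keeps odd input out.
is_valid_dns01_value() {
    case "$1" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -eq 43 ]
}

# Poll until the TXT record is visible, so certbot does not ask the CA too early.
# Assumes dig(1); LOOKUP_CMD and POLL_INTERVAL are hypothetical overrides for testing.
wait_for_txt() {
    name=$1 value=$2 attempts=${3:-30}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if ${LOOKUP_CMD:-dig +short TXT} "$name" | tr -d '"' | grep -qxF -- "$value"; then
            return 0
        fi
        i=$((i + 1))
        sleep "${POLL_INTERVAL:-10}"
    done
    return 1
}

# Hook entry point: only acts when certbot has set its variables.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    is_valid_dns01_value "$CERTBOT_VALIDATION" || { echo "unexpected validation value" >&2; exit 1; }
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    # Publish the record with a short TTL here; the thread names no DNS API, so this is a
    # placeholder (e.g. an nsupdate or provider CLI call adding TXT "$CERTBOT_VALIDATION" at $name).
    wait_for_txt "$name" "$CERTBOT_VALIDATION" || { echo "TXT record for $name not visible" >&2; exit 1; }
fi
```

Pass the script path as `--manual-auth-hook` alongside `--preferred-challenges=dns`; a matching `--manual-cleanup-hook` would remove the same record once certbot is done.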

