DNS Verification Automated with ZeroSSL's Crypt::LE for Windows


#1

I’m building a fully automated cert renewal solution using Crypt::LE for Windows (le64.exe) (from ZeroSSL.com). I have the renewal process using http challenge working fine. I need to use the DNS challenge method for generating new certs.

Is there a way I can use a batch file or PowerShell script to add & remove DNS entries from our Windows name servers without installing any additional software? What I like about le64.exe is that it is standalone and doesn’t require adding Perl or anything else.

I read the following forum post:

and it looks very close to what I need to do, but I’m confused where @leader mentions Strawberry Perl and ActiveState Perl. Is that an additional install on a Windows server?

Also, further down in that same response, he says: “…That means for integration with this, you would just need to modify the code for “handle_challenge_dns” in the provided Crypt::LE::Challenge::Simple module and “complete” in the Crypt::LE::Complete::Simple module…”

Is this something where I would have to download the original source code, edit it, and recompile into an .exe file? (I wouldn’t know where to start with that at this point…)

Thanks!


#2

Strawberry Perl or ActiveState Perl only make sense if you are using the Perl version of the client rather than binaries. Strawberry Perl is preferable: it does not require installation in its portable form and it comes with cpanminus, the script you can use to install all the required modules in an easy manner. In the case of Crypt::LE that is:

cpanm -f Log::Log4perl
cpanm Crypt::LE

However, if you just need to hook into the challenge and completion process, you do not have to use anything but the binary itself, as long as it can find the challenge/completion code you are pointing at with -handle-with and -complete-with parameters. The example code for the hooks can be found on GitHub. Some additional details can be found at ZeroSSL.

I intend to run a few tests specifically with Windows binaries over the weekend and cover this scenario in the documentation.


#3

I have not tried it, but this looks correct: https://stackoverflow.com/questions/36768539/how-to-update-dns-records-programatically


#4

If you’re willing to change clients, Posh-ACME has a native Windows DNS server plugin (disclaimer: am author). It’s pure PowerShell and also doesn’t require installing anything else (unless your .NET version is old). But it’s pretty light on the http challenge support. You could also just take a look at the plugin’s code and adapt it for your needs with Crypt::LE.


#5

I have updated the code and also added an example of how the process can be automated, see https://github.com/do-know/Crypt-LE/blob/master/Plugins/DNS.pm. Effectively all the necessary information (such as command line parameters passed to the client, challenge requirements and results) is available to the plugin code. You can then run whatever process you need - for example call dnscmd with the appropriate parameters. Once binaries are updated (either later today or tomorrow), you should be able to use such a plugin by simply pointing to it like this:

le64.exe -key account.key -domains test.com -csr test.csr -csr-key test.key -crt test.crt -generate-missing -handle-with DNS.pm -handle-as dns -api 2

NB: There is NO NEED to install Perl or anything - having the binary file and the plugin file is sufficient.

Additionally, a “-delayed” mode [experimental] flag has been added. It forces the process to stop once the challenge has been received (and data about it printed or processed). When the process is then started again, with the same parameters but without the -delayed flag, it should continue as normal. This can be useful if you expect a long delay between the DNS update attempt and when it actually gets reflected, for example.


#6

This is great! So far I have been able to move forward getting everything set up. I haven’t had as much time as I wanted to work on this this week, but I think I should have an end-to-end working solution ready soon.

The latest hiccup I ran into is that dnscmd.exe has been removed as of Server 2012, which is the server I’m working with. Looking into doing the equivalent with PowerShell, just got to find the time. I wanted to make sure I thanked you for your help, though! @leader
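The dnscmd call suggested in #5 and the PowerShell equivalent #6 is looking for can both be covered by one script that the challenge hook runs with "add" and the completion hook runs with "remove". The script below is an added example written for this thread; it is not code from the original posts, from Crypt::LE or from its DNS.pm plugin, and it does not assume anything about the plugin's internal API: the plugin (or a batch wrapper) is expected to pass the domain being validated and the TXT value the ACME client reports as command-line arguments. It uses the DnsServer module that ships with the RSAT "DNS Server Tools" feature (present on Server 2012 and later, where dnscmd is no longer installed by default), and the dnscmd equivalents are kept in comments. The -DnsServer default (the local machine) and the 60-second TTL are assumptions for this example; run it from an elevated PowerShell session on, or with RSAT access to, the DNS server. The "verify" action polls every authoritative name server of the zone until the record is visible, which is the same waiting problem the -delayed flag in #5 is meant to bridge when the update is slow to replicate.

```powershell
<#
  Added example for DNS-01 automation with Crypt::LE on a Windows DNS server.
  Not part of the thread, Crypt::LE, or its DNS.pm plugin.
  Usage (from the challenge hook):   .\acme-dns.ps1 -Action add    -Domain www.test.com -Value <token>
         (before continuing):        .\acme-dns.ps1 -Action verify -Domain www.test.com -Value <token>
         (from the completion hook): .\acme-dns.ps1 -Action remove -Domain www.test.com -Value <token>
  Assumptions: the DNS role runs locally (override with -DnsServer), RSAT DNS Server Tools
  are installed (DnsServer module), and the session is elevated.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('add', 'remove', 'verify')][string]$Action,
    [Parameter(Mandatory)][string]$Domain,    # domain from the ACME challenge, e.g. www.test.com or *.test.com
    [Parameter(Mandatory)][string]$Value,     # TXT value the ACME client asks you to publish
    [string]$DnsServer = $env:COMPUTERNAME,   # assumption: authoritative DNS server to update
    [int]$TimeoutSeconds = 120                # how long "verify" waits for replication
)

Import-Module DnsServer -ErrorAction Stop

# DNS-01 validates _acme-challenge.<domain>; for wildcard names the leading "*." is dropped.
$fqdn = '_acme-challenge.' + ($Domain.TrimEnd('.') -replace '^\*\.', '')

# Pick the longest primary forward zone that contains the record, so a host in a
# delegated sub-zone is updated in that sub-zone and not in the parent.
$zone = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object {
        $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone -and
        ($fqdn -eq $_.ZoneName -or $fqdn.EndsWith('.' + $_.ZoneName))
    } |
    Sort-Object { $_.ZoneName.Length } -Descending | Select-Object -First 1
if (-not $zone) { throw "No primary zone on $DnsServer hosts $fqdn" }

# The DnsServer cmdlets take the record name relative to the zone.
$name = $fqdn.Substring(0, $fqdn.Length - $zone.ZoneName.Length - 1)

# True only when every listed server answers with the expected TXT string.
# -DnsOnly bypasses the local cache and hosts file so we see what the server really serves.
function Test-TxtVisible([string]$Fqdn, [string]$Expected, [string[]]$Servers) {
    foreach ($ns in $Servers) {
        $answers = Resolve-DnsName -Name $Fqdn -Type TXT -Server $ns -DnsOnly -ErrorAction SilentlyContinue
        $seen = @($answers | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings })
        if ($seen -notcontains $Expected) { return $false }
    }
    return $true
}

switch ($Action) {
    'add' {
        # dnscmd equivalent: dnscmd $DnsServer /RecordAdd $($zone.ZoneName) $name TXT "$Value"
        # A short TTL keeps a stale challenge value from lingering in resolver caches.
        Add-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName `
            -Name $name -Txt -DescriptiveText $Value -TimeToLive (New-TimeSpan -Seconds 60)
        Write-Host "Added TXT $fqdn = $Value in zone $($zone.ZoneName)"
    }
    'remove' {
        # dnscmd equivalent: dnscmd $DnsServer /RecordDelete $($zone.ZoneName) $name TXT "$Value" /f
        # -RecordData removes only this value, so other TXT records at the same name survive.
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName `
            -Name $name -RRType Txt -RecordData $Value -Force
        Write-Host "Removed TXT $fqdn = $Value from zone $($zone.ZoneName)"
    }
    'verify' {
        # The CA asks the zone's authoritative servers, so check each NS host, not just the one we updated.
        $nsHosts = @(Resolve-DnsName -Name $zone.ZoneName -Type NS -Server $DnsServer -DnsOnly |
            Where-Object { $_.Type -eq 'NS' } | ForEach-Object { $_.NameHost })
        if (-not $nsHosts) { $nsHosts = @($DnsServer) }
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while (-not (Test-TxtVisible -Fqdn $fqdn -Expected $Value -Servers $nsHosts)) {
            if ((Get-Date) -gt $deadline) {
                throw "TXT $fqdn did not show the expected value on all of: $($nsHosts -join ', ')"
            }
            Start-Sleep -Seconds 5
        }
        Write-Host "TXT $fqdn is visible on: $($nsHosts -join ', ')"
    }
}
```

Two points worth keeping in mind when wiring this to the client: the "verify" step is what makes the -delayed mode from #5 unnecessary in the common case, because the hook only returns once every authoritative server answers correctly, and the "remove" action identifies the record by its value, so a failed run that leaves an old _acme-challenge record behind will not stop the next run from publishing a fresh one (it just leaves stale junk in the zone, which the CA tolerates but which is worth cleaning up).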


#7

Glad I could help, @bradpcmac - hopefully it works out - I would be curious to know the details, so your experience might help others using similar configurations. As for dnscmd, I believe it comes as part of the Remote Server Administration Tools for Windows, though it might not be installed on 2012 indeed. If I remember correctly it should be possible to enable dnscmd via “Programs and Features” by turning on DNS Server Tools under Role Administration Tools when the DNS service/role is set up. But I haven’t used Server 2012 for a few years, so don’t quote me on this :)