Get certificate with DNS only


#1

Hi all
I need to generate a certificate for a domain.
I would have to generate the certificate on a windows machine (the server is not running on this).
I do not have shell access and can not connect remotely to the server in anyway.

The only thing I can do is add or remove DNS entries.

Is it possible to do so? If yes how (preferable explained to do it as a newbie as well)?

Cheers,
skillyx


#2

Hi @skillyx

yes, it’s possible. I am using Letsencrypt with Windows. But I wrote my own client. Check the list of clients:

Or use one of the online-clients. But:

can not connect remotely to the server in anyway

How do you want to install the certificate?


#3

There is the option to upload a certificate, but that is all.


#4

There are some online-solutions, check the list.

https://www.sslforfree.com/ or https://zerossl.com/

There you can create and download a certificate. But you have to do this every 60 - 90 days.


#5

In a similar situation - but have full access to the server but no access to port 80 and am using no-ip w/ my own domain, so I cannot create the necessary DNS TXT record because it starts w/ a _. I have tried both sslforfree & zerossl and they both need the particular addition to the DNS which is not happening. I tried setting up w/ dynu and either I do not know the syntax for the DNS TXT record, or it will not accept it either. Please assist.


#6

If you have your own domain, you may as well use a “fully-featured” DNS host.

e.g. Cloudflare supports dynamic DNS, but I’m sure it’s not the only candidate. It would have the added bonus of supporting automatic renewal if you used an ACME client like acme.sh.

Also, acme.sh does support dynu to issue certificates, so you can use that if you’re having trouble doing it manually.


#7

@_az - Thanks for the links. FWIW, I am running this on a Win10Pro box. I am thinking running Ubuntu in a VM would be the way of least resistance for this automation? This is off topic, but possibly you could help - any preference on which VM client to use - VMWare Player, VirtualBox or Hyper-V?


#8

I’m afraid I don’t know much about Windows. You have a number of Windows options though, not necessarily having to use a Linux VM.

Posh-ACME is a PowerShell client that supports a few DNS providers, though Dynu support is missing.

When using ZeroSSL, this is how you need to use Dynu:

Select DNS verification:
(screenshot: Screenshot_2018-06-27_07-52-39)

Proceed until you reach the Verification interface.

Once you have your verification records:

enter them in the Dynu interface (don’t include your full domain in the “Node Name” field, just what ZeroSSL says up to your base domain):

until all the records are added and look like this:

(screenshot: Screenshot_2018-06-27_07-56-11)

Wait a couple of minutes and proceed in ZeroSSL, and you should have your certificate.
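The two things that trip people up in the walkthrough above are where the record goes (the "Node Name" relative to the base domain) and what the TXT value is. The value an ACME client hands you is not the raw token: per RFC 8555 section 8.4 it is base64url(SHA-256("<token>.<account key thumbprint>")), and the thumbprint is the RFC 7638 JWK thumbprint of the ACME account key. The following is an added example, not code from this thread or from ZeroSSL, Dynu or Posh-ACME; the token and the JWK below are constructed placeholder values, and the lookup helper takes whatever strings you got back from nslookup -type=TXT or Resolve-DnsName -Type TXT.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def account_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over canonical JSON that contains only
    the required public members, keys sorted, no whitespace.  Extra members
    such as "kid" or "alg" must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: the TXT record holds
    base64url(SHA-256(keyAuthorization)), keyAuthorization = token.thumbprint."""
    key_authorization = f"{token}.{thumbprint}".encode("utf-8")
    return b64url(hashlib.sha256(key_authorization).digest())


def dns01_record_name(identifier: str, base_domain: str) -> tuple:
    """Return (fqdn, node_name) for the challenge record.

    fqdn is the name the CA queries; node_name is the label(s) relative to the
    zone, which is what a DNS panel's "Node Name" / "Host" field expects.
    For the base domain itself this is just "_acme-challenge"; for
    www.example.com it is "_acme-challenge.www".
    """
    fqdn = "_acme-challenge." + identifier.rstrip(".")
    suffix = "." + base_domain.rstrip(".")
    if not fqdn.endswith(suffix):
        raise ValueError(f"{identifier} is not under {base_domain}")
    return fqdn, fqdn[: -len(suffix)]


def challenge_satisfied(expected: str, txt_strings) -> bool:
    """True when the expected value is among the TXT strings a resolver
    returned.  Stale values from earlier issuances may sit alongside it; the
    CA only needs one matching string, so they do not have to be removed
    before validation (cleaning them up afterwards is still good hygiene)."""
    return expected in [s.strip('"') for s in txt_strings]


if __name__ == "__main__":
    # Constructed values: a placeholder token and a fake EC public JWK.
    token = "constructed-token-abc123"
    jwk = {"kty": "EC", "crv": "P-256", "x": "fake-x", "y": "fake-y", "kid": "1"}
    value = dns01_txt_value(token, account_thumbprint(jwk))
    for ident in ("mydomain.com", "www.mydomain.com"):
        fqdn, node = dns01_record_name(ident, "mydomain.com")
        print(f"{fqdn}  (Node Name: {node})  TXT  {value}")
```

Usage: run the script to see the full record name, the relative node name to type into the panel, and the 43-character value; after adding the record, wait for propagation and feed the strings from nslookup -type=TXT (or Resolve-DnsName -Type TXT on Windows) into challenge_satisfied before telling the CA to validate.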


#9

@_az - Thank You so much for your walkthrough / tutorial. I was having an issue w/ the _acme-challenge being the ‘Node Name’, and was trying to figure out the syntax putting both, the entire _acme-challenge.mydomain.com along w/ the value all in the ‘Text’ box. Obviously this was not working. Also, ZeroSSL does have a Windows Binary in their tutorial - https://zerossl.com/usage.html#DNS_verification. Just waiting for propagation for another 10-15mins before I attempt to get the cert/s since I just changed the DNS info @ Godaddy from no-ip -> dynu as well as installing dynu’s client on a machine on my LAN and getting it up-to-date also. :beers:

EDIT: After propagation, GOOOOOOOOAAL!!! Green Little Lock and no more nag screen!! Thanks


#10

Cool! I’ve submitted a pull request to add Dynu support to Posh-ACME, so hopefully you can use that for auto-renewal in future: https://github.com/rmbolger/Posh-ACME/pull/54


#11

@_az - Appreciate the pull request greatly. While I do not have an issue renewing the certs myself, an automated setup would be the icing on the cake :). Thanks.


#12

A Dynu plugin was actually added to Posh-ACME the other day thanks to a generous user. I haven’t pushed a release version that has it yet. But there are instructions in the readme for installing directly from the master branch if you’re desperate.

Lol, that’ll teach me to reply before reading the rest of the thread. Thanks @_az!


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.