This is running on a non-standard GNU/Linux system with a manual build for Apache and BIND. I run BIND and Apache.
```
aps:/usr/local/apache2/htdocs # …/bin/httpd -v
Server version: Apache/2.4.41 (Unix)
Server built: Jan 7 2020 05:36:04
BIND 9.9.6
```
The documentation says to use Docker, and I don’t understand why. I am sure this has been asked dozens of times, but this documentation is just too thin and it leaves me confused.
You’re suggesting using acme.sh instead of certbot? Why? What does it matter if I am using it in Docker or not? If it works in Docker it will work in the normal environment.
If certbot and certbot-dns-rfc2136 are packaged for your Linux distribution, then just install them from its repositories. In that case, you don’t need to use Docker, and you can then follow the above link exactly.
If the Certbot website suggests running Certbot via Docker, it’s because it thinks that the DNS plugins are not packaged for your Linux distribution.
For example, have a look at the instructions for Debian Buster (stable). There is no mention of Docker; you can install the DNS plugins directly from Debian Buster’s repositories.
On the other hand, if you select e.g. “Other UNIX”, the website has no idea whether the DNS plugins are packaged for your operating system or not, so the portable fallback it provides is using the Docker images.
I hope that helps unravel why Docker is suggested.
It does somewhat. Accept that Docker doesn't work on other Unix? It is not going to work on AIX or HP-UX, BSD, etc. Does it work with Guix even? I hear you though. But why not just download the DNS plugin by source?
I’m not here to defend the choices of the Certbot project, but yes, you can do that if you like.
It’s discouraged for regular users probably because pip install or python setup.py install outside of a virtual environment is a footgun, and anybody who isn’t a Python developer isn’t going to know it.
The instructions say to use dnssec-keygen with -a HMAC-SHA512, which doesn’t exist in BIND 9.16.2.
Can I use a different algorithm? I have choices:
```
-a algorithm
    Selects the cryptographic algorithm. For DNSSEC keys, the value of
    algorithm must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
    RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
    TKEY, the value must be DH (Diffie Hellman); specifying this value
    will automatically set the -T KEY option as well.

    These values are case insensitive. In some cases, abbreviations are
    supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
    ECDSAP384SHA384. If RSASHA1 is specified along with the -3 option,
    then NSEC3RSASHA1 will be used instead.

    This parameter must be specified except when using the -S option,
    which copies the algorithm from the predecessor key.

    In prior releases, HMAC algorithms could be generated for use as
    TSIG keys, but that feature has been removed as of BIND 9.13.0. Use
    tsig-keygen to generate TSIG keys.
```
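The man page excerpt above is the answer to the dnssec-keygen question: the `-a` list it prints is for DNSSEC signing keys, while the shared secret that certbot-dns-rfc2136 needs is a TSIG key, which on BIND 9.13 and later comes from `tsig-keygen -a hmac-sha512 certbot-acme`. The following is an added shell example, not code from this thread or from the Certbot or BIND projects, that produces the same kind of key material (64 random bytes for HMAC-SHA512, the digest length tsig-keygen uses) and writes the three pieces that have to agree: the BIND `key` stanza, an `update-policy` that lets that key touch only the `_acme-challenge` TXT record, and the certbot `rfc2136.ini` credentials file. The key name `certbot-acme`, the zone `example.com`, the server `127.0.0.1`, and the availability of `head -c` and `base64` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, not BIND's or Certbot's own code).
# Mints an HMAC TSIG secret without dnssec-keygen, which dropped HMAC in
# BIND 9.13, and writes the matching BIND and certbot-dns-rfc2136 config.
# Assumed names: key "certbot-acme", zone example.com, server 127.0.0.1.
set -eu

# TSIG algorithms accepted by BIND's tsig-keygen -a (case-insensitive).
TSIG_ALGOS="hmac-md5 hmac-sha1 hmac-sha224 hmac-sha256 hmac-sha384 hmac-sha512"

# Return 0 if $1 names a supported TSIG algorithm, 1 otherwise.
is_tsig_algorithm() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for known in $TSIG_ALGOS; do
        [ "$a" = "$known" ] && return 0
    done
    return 1
}

# Secret size in bytes: the HMAC digest length, which is what tsig-keygen
# generates by default for the given algorithm.
tsig_key_bytes() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        hmac-md5)    echo 16 ;;
        hmac-sha1)   echo 20 ;;
        hmac-sha224) echo 28 ;;
        hmac-sha256) echo 32 ;;
        hmac-sha384) echo 48 ;;
        hmac-sha512) echo 64 ;;
        *) return 1 ;;
    esac
}

# Print a base64 secret of the right size drawn from the kernel CSPRNG,
# on one line (base64 wraps at 76 characters by default).
gen_tsig_secret() {
    n=$(tsig_key_bytes "$1") || return 1
    head -c "$n" /dev/urandom | base64 | tr -d '\n'
}

# Write key stanza, zone update-policy and certbot credentials into $1
# for key name $2, algorithm $3 and zone $4. Files are created 0600
# because all three carry, or grant rights to, the shared secret.
write_tsig_files() {
    dir=$1; keyname=$2; algo=$3; zone=$4
    is_tsig_algorithm "$algo" || { echo "unsupported TSIG algorithm: $algo" >&2; return 1; }
    secret=$(gen_tsig_secret "$algo")
    umask 077
    cat > "$dir/$keyname.key" <<EOF
key "$keyname" {
    algorithm $algo;
    secret "$secret";
};
EOF
    # Least privilege: the key may only create/delete the ACME TXT record,
    # not rewrite the rest of the zone.
    cat > "$dir/$zone.update-policy.conf" <<EOF
zone "$zone" {
    type master;
    file "$zone.zone";
    update-policy {
        grant $keyname. name _acme-challenge.$zone. txt;
    };
};
EOF
    # certbot-dns-rfc2136 credentials; the plugin spells the algorithm in
    # upper case, the name and secret must match the key stanza exactly.
    cat > "$dir/rfc2136.ini" <<EOF
dns_rfc2136_server = 127.0.0.1
dns_rfc2136_port = 53
dns_rfc2136_name = $keyname
dns_rfc2136_secret = $secret
dns_rfc2136_algorithm = $(printf '%s' "$algo" | tr 'a-z' 'A-Z')
EOF
}

# Stand-alone use: ./tsig-setup.sh run
if [ "${1:-}" = "run" ]; then
    out=$(mktemp -d)
    write_tsig_files "$out" certbot-acme hmac-sha512 example.com
    ls -l "$out"
fi
```

Include the generated `.key` file from `named.conf` and the zone stanza in place of the existing one for that zone, then point certbot at the credentials file with `--dns-rfc2136-credentials /path/to/rfc2136.ini`. Where tsig-keygen is available, its output is the same `key { ... }` stanza and can be used directly instead of the `.key` file written here.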