
BIND, nsupdate and acme.sh DNS authentication


Brett Delmage

Jul 23, 2020, 3:13:19 PM
to bind-users
On Thu, 23 Jul 2020, Michael De Roover wrote:

> For example I don't trust Manjaro's maintainers, since they screwed up
> their TLS certificate renewal no less than 3 times. That's complete and
> utter incompetence on their part.

> How they didn't already put certbot in a cron job after the first time
> is beyond me.

To get this topic back on topic for this list:

When you are creating Let's Encrypt wildcard certificates you must use a
DNS authentication protocol with letsencrypt. I am using the acme.sh
client which was recommended for wildcard
certificates. https://github.com/acmesh-official/acme.sh

If you are running your own nameserver you also need to enable dynamic
updates so that the acme.sh client can create TXT records during
certificate acquisition and renewal.

However I have found that getting zone dynamic updates (authentication,
specifically) working with nsupdate (which acme.sh uses) and BIND has
been a PITA. I haven't been overly impressed with the debug capabilities
to help get nsupdate working properly.
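For readers hitting the same nsupdate/BIND authentication wall, here is an added example (not from this thread or from acme.sh itself) of the two halves that have to agree: the nsupdate transaction that adds or removes the _acme-challenge TXT record, signed with a TSIG key, and the matching BIND grant that lets that key touch only that one name and type. The zone, server address and key path are assumptions.

```shell
#!/bin/sh
# Added example: DNS-01 challenge record via nsupdate + TSIG, with the
# least-privilege BIND grant it needs. All names below are assumed.
ZONE="example.com."
NAME="_acme-challenge.example.com."
SERVER="127.0.0.1"
TSIG_KEYFILE="/etc/bind/acme-update.key"   # assumed; created with: tsig-keygen acme-update

# Matching named.conf stanza (assumed). The grant limits the key to TXT
# records at the challenge name, so a leaked key cannot rewrite A/MX/NS data:
#   key "acme-update" { algorithm hmac-sha256; secret "<from tsig-keygen>"; };
#   zone "example.com" {
#       type primary;   # "type master" on older BIND releases
#       file "/var/lib/bind/db.example.com";
#       update-policy { grant acme-update name _acme-challenge.example.com. TXT; };
#   };

# Emit the nsupdate batch for one challenge token; "send" commits it as one
# signed UPDATE message, so a rejected grant fails the whole transaction.
acme_nsupdate_batch() {
    action="$1"   # add or delete
    token="$2"    # the ACME challenge value (base64url, safe to quote)
    printf 'server %s\n' "$SERVER"
    printf 'zone %s\n' "$ZONE"
    case "$action" in
        add)    printf 'update add %s 60 IN TXT "%s"\n' "$NAME" "$token" ;;
        delete) printf 'update delete %s IN TXT "%s"\n' "$NAME" "$token" ;;
        *)      echo "unknown action: $action" >&2; return 2 ;;
    esac
    printf 'send\n'
}

# Push the batch to BIND signed with the TSIG key. -d prints the signed request
# and the server's response (NOERROR / REFUSED / NOTAUTH), which is the first
# thing to read when an update is silently rejected.
acme_nsupdate_apply() {
    acme_nsupdate_batch "$1" "$2" | nsupdate -d -k "$TSIG_KEYFILE"
}

if [ "$#" -eq 2 ]; then
    acme_nsupdate_apply "$1" "$2"
fi
```

Run it as `./acme-txt.sh add <token>` during validation and `./acme-txt.sh delete <token>` afterwards; a REFUSED response with a correct key almost always means the update-policy grant does not match the name or record type being sent.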



Michael De Roover

Jul 23, 2020, 7:54:51 PM
to bind-...@lists.isc.org
On 7/23/20 9:13 PM, Brett Delmage wrote:
> To get this topic back on topic for this list:
>
> When you are creating Let's Encrypt wildcard certificates you must use
> a DNS authentication protocol with letsencrypt. I am using the
> acme.sh client which was recommended for wildcard certificates.
> https://github.com/acmesh-official/acme.sh
>
> If you are running your own nameserver you also need to enable dynamic
> updates so that the acme.sh client can create TXT records during
> certificate acquisition and renewal.
>
> However I have found that getting zone dynamic updates
> (authentication, specifically) working with nsupdate (which acme.sh
> uses) and BIND has been a PITA. I haven't been overly impressed with
> the debug capabilities to help get nsupdate working properly.

Interesting, I wasn't aware of this. Looking at Manjaro's site again, I
found that their main website indeed uses a wildcard certificate while
the forum (which was affected by the certificate renewal issues if
memory serves me right) uses its own dedicated cert. Granted these
renewal issues were already a few years ago so perhaps they changed some
things here and there by now.

I had heard of Let's Encrypt's wildcard certs but never looked further
into it. Would certainly be useful though, as subdomains are an easy way
to separate services. Unfortunately bacme (which I currently use)
doesn't seem to support the DNS-based ACME challenges. I've cloned the
acme.sh repository and will look further into it.

--
Met vriendelijke groet / Best regards,
Michael De Roover