wowana.me

website source; use git clone git://wowana.me/wowana.me.git to clone this repository.


acme-client-letskencrypt-dns-01-how-to.md (3160B)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

acme-client (letskencrypt) dns-01 how-to

I just spent half my day literally yelling at the screen trying to figure out how to use [acme-client](https://kristaps.bsd.lv/acme-client) (formerly known as letskencrypt) for dns-01 challenges. there are no examples in the man page, none online, and the source code didn't help much.

----

why not [certbot](https://certbot.eff.org/)? I've tried it, but it insists on making its own crazy filetree structure, and I needed everything contained to a single directory (more specifically, a mountpoint shared between my LXC containers, with appropriate file permissions set). why not [dehydrated](https://github.com/lukas2511/dehydrated)? I probably could have used it, but I was attracted to acme-client for its implementation in C, portability, and minimal dependencies. I was pretty much stubborn about making it work. why not just use http-01? I run a dedicated server with containerised services and a bunch of NAT black magic, so DNS challenges allow me to create my certs in one container instead of entrusting all my containers with the task and causing more headache for myself.

anyway, after digging through an issue on github and dehydrated's source, I finally had enough information in order to implement a working dns-01 script. I hope this saves someone else from spending a day like I did, and wanting to kill themselves at the end of it.

I use mksh, but with a bit of editing you can translate it to POSIX sh, or just replace the shebang with bash. as you can see, I didn't really place much effort into making this pretty; I just wanted it to work.

```
#!/bin/mksh

# one entry per certificate: the zone nsupdate should write to, then the
# names that go on the certificate (the first name is the cert directory)
domains=(
	'anime.website  anime.website'
	'krustykrab.restaurant  bfbb.krustykrab.restaurant'
	'gentoo.today   gentoo.today install.gentoo.today'
	'volatile.bz    git.volatile.bz'
	'krustykrab.restaurant  krustykrab.restaurant'
	# ...
)
nsupdate_key=/etc/bind/ddns.key

for line in "${domains[@]}"; do
	# first word is the zone, the rest is the space-separated domain list
	# (read splits on any whitespace, so tab or space separators both work)
	read -r zone domainlist <<<"$line"
	echo "Updating '$domainlist' in $zone"
	pemdir=/mnt/certs/${domainlist%% *}
	mkdir -p "$pemdir"
	# run acme-client as a coprocess: for every challenge it prints one
	# "type domain token" line and then waits for that line to be echoed back
	acme-client -vnNmt dns-01 -c "$pemdir" -k "$pemdir/privkey.pem" $domainlist |&
	while read -p type domain token; do
		# dns-01 record value: base64url(SHA-256(key authorization)), no padding
		keyauth=$(printf '%s' "$token" | openssl dgst -sha256 -binary | base64 | tr '+/' '-_' | tr -d '=')
		nsupdate -4l -k "$nsupdate_key" <<-EOF
		zone $zone
		update delete _acme-challenge.$domain TXT
		update add _acme-challenge.$domain 60 TXT $keyauth
		send
		EOF
		# give the record a moment to become resolvable before the CA queries it
		# (the original had "wait 10", which waits for a job, not for seconds)
		sleep 10
		print -p "$type $domain $token"
	done
	wait
	# remove the challenge records once issuance has finished
	for domain in $domainlist; do
		nsupdate -4l -k "$nsupdate_key" <<-EOF
		zone $zone
		update delete _acme-challenge.$domain TXT
		send
		EOF
	done
done > /var/log/acme.log
```
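The script above packs the whole dns-01 derivation into one openssl/base64/tr pipeline and an nsupdate here-document. The following is an added Python example, not the post's code and not part of acme-client, that writes out the same pieces per RFC 8555 section 8.4 and RFC 7638 so the values can be checked offline: the account-key thumbprint, the key authorization (token.thumbprint), the TXT record value, the parsing of one "type domain token" line, and the nsupdate stanza. It assumes, as the script does by hashing `$token` directly, that the third field acme-client prints is already the full key authorization; the EC key and challenge line in the demo are constructed sample data.

```python
import base64
import hashlib
import json

# Added example (not the post's code): the dns-01 pieces the mksh script
# above glues together with openssl/base64/nsupdate, spelled out per
# RFC 8555 section 8.4 (dns-01) and RFC 7638 (JWK thumbprint).


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an account key: SHA-256 over the canonical JSON
    (required public members only, sorted keys, no whitespace)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint. Assumed to be what the script receives as $token,
    since it hashes the third field directly without appending a thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(key_auth: str) -> str:
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(key authorization)).
    Same result as the openssl dgst | base64 | tr pipeline in the script."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def parse_challenge_line(line: str):
    """One 'type domain token' line as the script reads it from the coprocess."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError(f"expected 'type domain token', got {line!r}")
    ctype, domain, token = parts
    if ctype != "dns-01":
        raise ValueError(f"unsupported challenge type {ctype!r}")
    return ctype, domain, token


def nsupdate_script(zone: str, domain: str, txt: str, ttl: int = 60) -> str:
    """The nsupdate stanza the script feeds through its here-document."""
    name = f"_acme-challenge.{domain}"
    return "\n".join([
        f"zone {zone}",
        f"update delete {name} TXT",
        f"update add {name} {ttl} TXT {txt}",
        "send",
        "",
    ])


if __name__ == "__main__":
    # constructed sample data: a made-up EC account key and a made-up challenge line
    sample_jwk = {"kty": "EC", "crv": "P-256", "x": "c29tZS14", "y": "c29tZS15", "alg": "ES256"}
    ctype, domain, token = parse_challenge_line("dns-01 anime.website tokenFromTheCA")
    key_auth = key_authorization(token, sample_jwk)
    print(nsupdate_script("anime.website", domain, dns01_txt_value(key_auth)))
```

Because acme-client blocks on the echoed line, the point at which the script answers is the point at which the CA is told to query the record; a more robust version replaces the fixed `sleep 10` with a loop that queries the zone's authoritative nameserver for the expected TXT value and only calls `print -p` once it is served.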

this script is under the same licence as the rest of my site (Creative Commons Zero) and is free to redistribute and modify. let me know if this has been of any use to you.
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQTTaa3wA7+tqaxSfUAwzn1m3mlJEAUCW6UgPgAKCRAwzn1m3mlJ
EAlLAQCScFe3ZX3x4I2Ye5cMZINPFLIQtIV0g4WrdsXbRYS+cwEAyKSDwyTlGjNT
7yF99B4mq1vfeFq0L/MqhkYYi//YCw0=
=AkvX
-----END PGP SIGNATURE-----