wowana.me

website source; use git clone git://wowana.me/wowana.me.git to clone this repository.


acme-client-letskencrypt-dns-01-how-to.md (2944B)


      1 # acme-client (letskencrypt) dns-01 how-to
      2 <!--[time 201809211645.46]-->
      3 
      4 I just spent half my day literally yelling at the screen trying to figure out how to use [acme-client](https://kristaps.bsd.lv/acme-client) (formally known as letskencrypt) for dns-01 challenges. there's no examples in the man page, none online, and the source code didn't help much.
      5 
      6 - ----
      7 
      8 why not [certbot](https://certbot.eff.org/)? I've tried it, but it insists on making its own crazy filetree structure, and I needed everything contained to a single directory (more specifically, a mountpoint shared between my LXC containers, with appropriate file permissions set). why not [dehydrated](https://github.com/lukas2511/dehydrated)? I probably could have used it, but I was attracted to acme-client for its implementation in C, portability, and minimal dependencies. I was pretty much stubborn to make it work. why not just use http-01? I run a dedicated server with containerised services and a bunch of NAT black magic, so DNS challenges allow me to create my certs in one container instead of entrusting all my containers with the task and causing more headache for myself.
      9 
     10 anyway, after digging through an issue on github and dehydrated's source, I finally had enough information in order to implement a working dns-01 script. I hope this saves someone else from spending a day like I did, and wanting to kill themselves at the end of it.
     11 
     12 I use mksh, but with a bit of editing you can translate it to POSIX sh, or just replace the shebang with bash. as you can see, I didn't really place much effort into making this pretty; I just wanted it to work.
     13 
     14 	#!/bin/mksh
     15 
     16 	domains=(
     17 		'anime.website  anime.website'
     18 		'krustykrab.restaurant  bfbb.krustykrab.restaurant'
     19 		'gentoo.today   gentoo.today install.gentoo.today'
     20 		'volatile.bz    git.volatile.bz'
     21 		'krustykrab.restaurant  krustykrab.restaurant'
     22 		# ...
     23 	)
     24 	nsupdate_key=/etc/bind/ddns.key
     25 
     26 	for line in "${domains[@]}"; do
     27 		zone=`cut -f1 <<<"$line"`
     28 		domainlist=`cut -f2 <<<"$line"`
     29 		echo "Updating '$domainlist' in $zone"
     30 		pemdir=/mnt/certs/`cut -d' ' -f1 <<<"$domainlist"`
     31 		mkdir -p $pemdir
     32 		acme-client -vnNmt dns-01 -c $pemdir -k $pemdir/privkey.pem $domainlist |&
     33 		while read -p type domain token; do
     34 			keyauth=`printf '%s' "$token" | openssl dgst -sha256 -binary | base64 | tr '+\/' '-_' | tr -d '='`
     35 			nsupdate -4l -k $nsupdate_key <<-EOF
     36 			zone $zone
     37 			update delete _acme-challenge.$domain TXT
     38 			update add _acme-challenge.$domain 60 TXT $keyauth
     39 			send
     40 			EOF
     41 			wait 10
     42 			print -p "$type $domain $token"
     43 		done
     44 		wait
     45 		for domain in `echo $domainlist`; do
     46 			nsupdate -4l -k $nsupdate_key <<-EOF
     47 			zone $zone
     48 			update delete _acme-challenge.$domain TXT
     49 			send
     50 			EOF
     51 		done
     52 	done > /var/log/acme.log
     53 
     54 this script is under the same licence as the rest of my site (Creative Commons Zero) and is free to redistribute and modify. let me know if this has been of any use to you.