Certbot and DNS with BIND and Windows
What a blessed hassle it is. Here's what needs to be done.
===Script to Run (work in progress)===
The script below, when run as <code>./NC.sh</code> (assuming that is the script's name), uses DNS (the dns-01 challenge) to retrieve certificates (and also updates the other 'Slave Servers').
That infrastructure of course has to be set up beforehand, and generally includes the following items:
*Configure the following:
**Delegate the _acme-challenge 'sub zone' in Windows (assumes Windows DNS is used as the backend "Master / Primary" DNS Server).
**Zone configuration in BIND (assuming BIND / NAMED is being used as the frontend "Slave / Secondary" server; for the delegated _acme-challenge sub-zone BIND is the master, hence <code>type master</code>):<syntaxhighlight lang="text">
zone "_acme-challenge.WhatEverDomainName.WhatEverSuffix" {
check-names ignore;
type master;
allow-update { W.X.Y.Z/24; };
file "/var/named/masters/_acme-challenge.WhatEverDomainName.WhatEverSuffix.hosts";
};
</syntaxhighlight>
./NC.sh Script:<syntaxhighlight lang="bash">
#!/bin/sh
DomainName="$1"
ScriptsPath="/etc/letsencrypt/renewal-hooks/CUSTOM"
if [ -z "${DomainName}" ]; then
echo
echo "Don't forget to add the Domain Name to the end of the command."
echo "Example: ./NewCertificate.via.DNS.sh terrawide.com"
echo
exit 1
else
echo
echo "Command Line contains Domain Name: ${DomainName}"
echo
fi
certbot certonly \
--manual \
--preferred-challenges dns \
--manual-auth-hook "${ScriptsPath}/ManualAuth.sh" \
--manual-cleanup-hook "${ScriptsPath}/ManualCleanUp.sh" \
--non-interactive \
--cert-name "${DomainName}" \
-d "${DomainName}"
certbot certonly \
--manual \
--preferred-challenges dns \
--manual-auth-hook "${ScriptsPath}/ManualAuth.sh" \
--manual-cleanup-hook "${ScriptsPath}/ManualCleanUp.sh" \
--non-interactive \
--cert-name "${DomainName}-WILDCARD" \
-d "*.${DomainName}"
</syntaxhighlight>
--manual-auth-hook (ManualAuth.sh):<syntaxhighlight lang="bash">
#!/bin/sh
### ZoneName: the 'sub-zone', which is always "_acme-challenge" prefixed to the Domain Name
### MasterServer: the BIND / NAMED server that is master for the sub-zone (W.X.Y.Z is a placeholder)
### TTL: Time To Live
### ${CERTBOT_DOMAIN}: Variable from Certbot that contains the Domain Name (Example: TerraBase.info)
### ${CERTBOT_VALIDATION} (used below): Variable from Certbot that contains the Validation Text String to be put into a TXT Record (Example: ZtvSKa-0ifZ3lov_zvXj0Adso1Y94Jh8c0xrtjwsTEQ)
ZoneName="_acme-challenge.${CERTBOT_DOMAIN}"
MasterServer=W.X.Y.Z
TTL="0"
### The following section enters the record into the BIND / NAMED Zone for Certbot Validation;
(
echo "server ${MasterServer}"
echo "zone ${ZoneName}"
echo "update delete ${ZoneName}. TXT"
echo "update add ${ZoneName}. ${TTL} TXT \"${CERTBOT_VALIDATION}\""
echo "send"
) | /usr/bin/nsupdate -v
### The following item will sync the BIND / NAMED .hosts and .jnl Files
/usr/sbin/rndc -s "${MasterServer}" sync "${ZoneName}"
sleep 3
### For testing, set the following variables as they're normally provided by Certbot;
### CERTBOT_DOMAIN=WhatEverDomainName.WhatEverSuffix
### CERTBOT_VALIDATION="ThisIsTest1"
</syntaxhighlight>
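The hook above trusts whatever Certbot hands it, lets any host in the <code>allow-update</code> subnet change the zone, and hopes three seconds is enough for the record to appear. The following is an added example (not the page author's ManualAuth.sh) of the same hook with those three points tightened: it validates <code>CERTBOT_DOMAIN</code> and <code>CERTBOT_VALIDATION</code> before interpolating them into the nsupdate batch, signs the update with a TSIG key so BIND's <code>allow-update</code> can name the key instead of a subnet, and polls the master for the TXT record instead of sleeping. Run as <code>hook.sh delete</code> it also serves as the <code>--manual-cleanup-hook</code> (ManualCleanUp.sh) that NC.sh references but the page does not show. The key file path and the function names (<code>valid_domain</code>, <code>nsupdate_batch</code>, <code>wait_for_txt</code>) are assumptions; <code>W.X.Y.Z</code> is the page's placeholder.

```shell
#!/bin/sh
# Added example, not the page author's ManualAuth.sh: a dns-01 auth/cleanup hook
# that validates certbot's input, signs the nsupdate with a TSIG key and waits
# for the record instead of sleeping. Assumed (not from the page): KEY_FILE path,
# and that nsupdate, rndc and dig are installed where certbot runs.
set -eu

MASTER_SERVER="${MASTER_SERVER:-W.X.Y.Z}"                # placeholder, as on the page
KEY_FILE="${KEY_FILE:-/etc/letsencrypt/acme-tsig.key}"  # assumed TSIG key file
TTL=0
MAX_WAIT=60   # seconds to wait for the TXT record to become visible

# Accept only a plausible DNS name (dotted labels of letters, digits, hyphens).
# Anything else, including whitespace or ';', would be interpolated into the
# nsupdate batch below, so it is refused up front.
valid_domain() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Certbot's validation token is base64url: letters, digits, '-' and '_' only.
valid_token() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# Emit the nsupdate batch for one action. $1 = add|delete, $2 = domain, $3 = token.
# The zone is the delegated _acme-challenge sub-zone, exactly as on the page.
nsupdate_batch() {
    action="$1"; domain="$2"; token="$3"
    zone="_acme-challenge.${domain}"
    printf 'server %s\n' "$MASTER_SERVER"
    printf 'zone %s\n' "$zone"
    case "$action" in
        add)
            printf 'update delete %s. TXT\n' "$zone"   # drop any stale token first
            printf 'update add %s. %s TXT "%s"\n' "$zone" "$TTL" "$token"
            ;;
        delete)
            printf 'update delete %s. TXT "%s"\n' "$zone" "$token"
            ;;
        *)
            echo "unknown action: $action" >&2
            return 2
            ;;
    esac
    printf 'send\n'
}

# Poll the master until it serves the token; a fixed sleep either wastes time
# or lets Let's Encrypt query before the record exists.
wait_for_txt() {
    domain="$1"; token="$2"; waited=0
    while [ "$waited" -lt "$MAX_WAIT" ]; do
        if dig +short "@${MASTER_SERVER}" "_acme-challenge.${domain}" TXT | grep -Fq "\"${token}\""; then
            return 0
        fi
        sleep 2
        waited=$((waited + 2))
    done
    echo "TXT record for ${domain} not visible after ${MAX_WAIT}s" >&2
    return 1
}

main() {
    action="$1"
    domain="${CERTBOT_DOMAIN:-}"
    token="${CERTBOT_VALIDATION:-}"
    valid_domain "$domain" || { echo "refusing CERTBOT_DOMAIN '${domain}'" >&2; exit 1; }
    valid_token "$token"   || { echo "refusing malformed CERTBOT_VALIDATION" >&2; exit 1; }
    # -k signs the update with the TSIG key, so BIND's allow-update can name the
    # key instead of trusting a whole source subnet.
    nsupdate_batch "$action" "$domain" "$token" | nsupdate -k "$KEY_FILE" -v
    rndc -s "$MASTER_SERVER" sync "_acme-challenge.${domain}"
    if [ "$action" = add ]; then
        wait_for_txt "$domain" "$token"
    fi
}

# Certbot exports both variables when it runs a hook. With no argument the
# script adds the record (--manual-auth-hook); run as "hook.sh delete" from
# --manual-cleanup-hook it removes it. Without the variables nothing is sent.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    main "${1:-add}"
fi
```

The <code>add</code> action deletes the existing TXT record before adding the new token, just as the page's hook does. That is safe here because NC.sh requests the base and the wildcard certificate in two separate certbot runs; if both names were put in one <code>-d</code> list, certbot would call the hook twice for the same <code>_acme-challenge</code> name and the second call would wipe the first token, so in that setup the delete line has to go.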
===Big ASH Gotcha!===
If you use the preconfigured Directory Structure Let's Encrypt / Certbot provides in /etc/letsencrypt/renewal-hooks, watch out!
When renewing a Certificate it automatically runs everything it finds in the above mentioned Directory, for instance /etc/letsencrypt/renewal-hooks/pre/WhatEver.sh
Take the /etc/letsencrypt/renewal/WhatEverRenewalFile below (WHICH CERTBOT AUTOMATICALLY CREATES ITSELF WHEN GETTING A NEW CERTIFICATE!!!):<syntaxhighlight lang="text">
# renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/WhatEverDomain.com
cert = /etc/letsencrypt/live/WhatEverDomain.com/cert.pem
privkey = /etc/letsencrypt/live/WhatEverDomain.com/privkey.pem
chain = /etc/letsencrypt/live/WhatEverDomain.com/chain.pem
fullchain = /etc/letsencrypt/live/WhatEverDomain.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = WhatEverAccountNumber
pref_challs = dns-01,
authenticator = manual
manual_auth_hook = /etc/letsencrypt/renewal-hooks/pre/ManualAuth.sh
manual_cleanup_hook = /etc/letsencrypt/renewal-hooks/post/ManualCleanUp.sh
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
</syntaxhighlight>
Guess how many times the WhatEver.sh Script in /etc/letsencrypt/renewal-hooks/pre/ runs? Once, as one might think from the above Renewal Config File? Nope, TWICE!
Yup, that's right. Everything in /etc/letsencrypt/renewal-hooks/pre/ will be run (as a pre-hook). Then anything listed in the Renewal Config File will be run (as the auth hook). Woof!
'''LESSON LEARNED''': Put hooks in a CUSTOM Directory Structure, NOT in the one provided by Let's Encrypt!
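Certbot writes the renewal config itself, so a hook path that ended up in renewal-hooks/pre or post is easy to miss until a renewal runs it twice. The script below is an added example (not from the page) that scans the renewal configs for exactly that: any <code>*_hook</code> setting whose path sits under renewal-hooks/pre, post or deploy, the three directories Certbot runs as directory hooks. Paths under a separate directory such as the page's renewal-hooks/CUSTOM are not flagged. The function names (<code>check_renewal_conf</code>, <code>scan_all</code>) and the <code>--scan</code> flag are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: scan certbot's renewal configs
# for hooks that live in a directory certbot already runs as a directory hook
# (renewal-hooks/pre, post, deploy), which is what makes a script run twice.
# Paths to a CUSTOM sub-directory, as the page recommends, are not flagged.
set -eu

RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"
HOOKS_DIR="${HOOKS_DIR:-/etc/letsencrypt/renewal-hooks}"

# Trim leading and trailing whitespace from $1.
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Report every *_hook setting in one renewal config ($1) that points into
# HOOKS_DIR/pre, post or deploy. Returns 1 if any were found, 0 if clean.
check_renewal_conf() {
    conf="$1"; found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \#*) continue ;;      # comment line
            *_hook*=*) ;;         # a hook setting: inspect it below
            *) continue ;;
        esac
        key="$(trim "${line%%=*}")"
        path="$(trim "${line#*=}")"
        case "$path" in
            "$HOOKS_DIR"/pre/*|"$HOOKS_DIR"/post/*|"$HOOKS_DIR"/deploy/*)
                printf '%s: %s = %s will also run as a directory hook\n' "$conf" "$key" "$path"
                found=1
                ;;
        esac
    done < "$conf"
    return "$found"
}

# Scan every renewal config; exit status 1 if any double-run hook was found.
scan_all() {
    rc=0
    for conf in "$RENEWAL_DIR"/*.conf; do
        [ -f "$conf" ] || continue
        check_renewal_conf "$conf" || rc=1
    done
    return "$rc"
}

if [ "${1:-}" = "--scan" ]; then
    scan_all
fi
```

Run it as <code>./check-hooks.sh --scan</code> (any name will do) after obtaining a new certificate, or from a cron job; a non-zero exit means at least one renewal config still points into Certbot's own hook directories.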
<br />
===Troubleshooting Commands===
*Regarding the NAMED / BIND .jnl Files:
**<code>rndc zonestatus _acme-challenge.WhatEverDomainName</code>
***...if issues, then:
***<code>rndc freeze _acme-challenge.WhatEverDomainName</code>
***<code>rndc sync -clean _acme-challenge.WhatEverDomainName</code>
***<code>rndc thaw _acme-challenge.WhatEverDomainName</code>
*<code>dig +trace _acme-challenge.grassvalleyflorist.com TXT</code>
<br />