wiki.TerraBase.info

Certbot and DNS with BIND and Windows: Difference between revisions

← Older edit
VisualWikitext
mNo edit summary
mNo edit summary
 
(2 intermediate revisions by the same user not shown)
Line 2: Line 2:


===Script to Run (work in progress)===
===Script to Run (work in progress)===
The below script, when run with ./NC.sh, will use DNS to retrieve certificates (and also update other 'Slave Servers'). That infrastructure has to be set up before hand, and includes the following;
The below script, when run with <code>./NC.sh</code> (assuming that's the name of the script), will use DNS to retrieve certificates (and also update other 'Slave Servers').


*_acme_challenge 'sub zone'
That infrastructure of course has to be set up before hand, and includes the following items (generally speaking);
*"RNDC Setup"
 
*If using external / internal DNS Servers, then that configuration too.
*Configure the following;
<syntaxhighlight lang="text">
**Delegate the _acme_challenge 'sub zone' in Windows (assumes Windows DNS is used as the backend "Master / Primary" DNS Server
**"Slave / Secondary" configuration in BIND (assuming BIND / NAMED is being used as a frontend server;<syntaxhighlight lang="text">
zone "_acme-challenge.WhatEverDomainName.WhatEverSuffix" {
 
check-names ignore;
 
type master;
 
allow-update { W.X.Y.Z/24; };
 
file "/var/named/masters/_acme-challenge.WhatEverDomainName.WhatEverSuffix.hosts";
};
</syntaxhighlight>
 
./NC.sh Script;<syntaxhighlight lang="text">
#!/bin/sh
#!/bin/sh


DomainName="$1"
DomainName="$1"
ScriptsPath="/etc/letsencrypt/renewal-hooks/CUSTOM"


TotalSlaveServers=1
SlaveServer1=W1.X1.Y1.Z1
SlaveServerKey1=WhatEverKey1
SlaveServer2=W2.X2.Y2.Z2
SlaveServerKey2=WhatEverKey2




Line 34: Line 43:




i=1
while [ "$i" -le "$TotalSlaveServers" ]; do
eval SlaveIP="\$SlaveServer${i}"
# Create fresh RNDC temp file for this slave
rm -f /etc/letsencrypt/SCRIPTS/RNDC.TempFile
(
echo 'key "rndc-key" {'
echo ' algorithm hmac-sha256;'
echo " secret \"${SlaveServerKey1}\";"
echo '};'
echo
echo 'options {'
echo " default-key \"rndc-key\";"
echo " default-server ${SlaveIP};"
echo ' default-port 953;'
echo '};'
) > /etc/letsencrypt/SCRIPTS/RNDC.TempFile
# Test the zone on this slave
if /usr/sbin/rndc -c /etc/letsencrypt/SCRIPTS/RNDC.TempFile zonestatus "_acme-challenge.${DomainName}" > /dev/null 2>&1; then
echo
echo "_acme-challenge.${DomainName} Zone Exists on ${SlaveIP}"
echo
else
echo
echo "_acme-challenge.${DomainName} Zone Does NOT exist on ${SlaveIP}"
echo
rm -f /etc/letsencrypt/SCRIPTS/RNDC.TempFile
exit 1
fi
rm -f /etc/letsencrypt/SCRIPTS/RNDC.TempFile
i=$((i + 1))
done
### Remove --staging for a 'Real / Live Certificate';


certbot certonly \
certbot certonly \
--manual \
--manual \
--preferred-challenges dns \
--preferred-challenges dns \
--manual-auth-hook /etc/letsencrypt/renewal-hooks/pre/ManualAuth.sh \
--manual-auth-hook "${ScriptsPath}/ManualAuth.sh" \
--manual-cleanup-hook /etc/letsencrypt/renewal-hooks/post/ManualCleanUp.sh \
--manual-cleanup-hook "${ScriptsPath}/ManualCleanUp.sh" \
--non-interactive \
--non-interactive \
--cert-name "${DomainName}" \
--cert-name "${DomainName}" \
Line 89: Line 56:
--manual \
--manual \
--preferred-challenges dns \
--preferred-challenges dns \
--manual-auth-hook /etc/letsencrypt/renewal-hooks/pre/ManualAuth.sh \
--manual-auth-hook "${ScriptsPath}/ManualAuth.sh" \
--manual-cleanup-hook /etc/letsencrypt/renewal-hooks/post/ManualCleanUp.sh \
--manual-cleanup-hook "${ScriptsPath}/ManualCleanUp.sh" \
--non-interactive \
--non-interactive \
--cert-name "${DomainName}-WILDCARD" \
--cert-name "${DomainName}-WILDCARD" \
-d "*.${DomainName}"
-d "*.${DomainName}"
</syntaxhighlight>--manual-auth-hook (ManualAuth.sh)<syntaxhighlight lang="text">
#!/bin/sh


ZoneName="_acme-challenge.${CERTBOT_DOMAIN}"
MasterServer=W.X.Y.Z
TTL="0"


### Staging versions of above (REMEMBER: Don't comment individual items out out, it won't work below cuz those \ ( backslashes ) indicate 'one continuous line', not separate lines. )
### Zone Name: the 'sub-zone', which will always be "_acme-challenge", prefixed to the Domain Name
### certbot certonly \
### TTL: Time To Live
### --manual \
 
### --preferred-challenges dns \
### {CERTBOT_DOMAIN}: Variable from CertBot that contains the Domain Name (Example: TerraBase.info
### --manual-auth-hook /etc/letsencrypt/renewal-hooks/pre/ManualAuth.sh \
### {CERTBOT_VALIDATION} (see below): Variable from CertBot that contains the Validation Text String to be put into a TXT Record (Example: ZtvSKa-0ifZ3lov_zvXj0Adso1Y94Jh8c0xrtjwsTEQ)
### --manual-cleanup-hook /etc/letsencrypt/renewal-hooks/post/ManualCleanUp.sh \
 
### --staging \
 
### --non-interactive \
 
### --cert-name "${DomainName}" \
### The Following Section enters the record into the BIND / NAMED Zone for Certbot Validation;
### -d "${DomainName}"
 
(
echo "server ${MasterServer}"
echo "zone ${ZoneName}"
echo "update delete ${ZoneName} TXT"
echo "update add ${ZoneName}. ${TTL} TXT \"${CERTBOT_VALIDATION}\""
echo "send"
) | /usr/bin/nsupdate -v
 
 
 
### The following item will sync the BIND / NAMED .hosts and JNL Files
 
/usr/sbin/rndc -s "${MasterServer}" sync "${ZoneName}"
 
 
 
sleep 3
 
 
### For Testing, set the following variables as they're normally provided by Certbot;
 
### CERTBOT_DOMAIN=WhatEverDomainName.WhatEverSuffix
### CERTBOT_VALIDATION="ThisIsTest1"


### certbot certonly \
### --manual \
### --preferred-challenges dns \
### --manual-auth-hook /etc/letsencrypt/renewal-hooks/pre/ManualAuth.sh \
### --manual-cleanup-hook /etc/letsencrypt/renewal-hooks/post/ManualCleanUp.sh \
### --staging \
### --non-interactive \
### --cert-name "${DomainName}-WILDCARD" \
### -d "*.${DomainName}"
</syntaxhighlight>
</syntaxhighlight>


Line 145: Line 131:
Yup, that's right.  Everything in the /etc/letsencrypt/renewal-hooks/pre/ will be run.  Then anything listed in the Renewal Config File will be run.  Woof!
Yup, that's right.  Everything in the /etc/letsencrypt/renewal-hooks/pre/ will be run.  Then anything listed in the Renewal Config File will be run.  Woof!


'''LESSON LEARNED''': Put hooks in a CUSTOM Directory Structure, NOT in the one provided by Let's Encrypt!<br />
'''LESSON LEARNED''': Put hooks in a CUSTOM Directory Structure, NOT in the one provided by Let's Encrypt!
 
<br />
 
===Troubleshooting Commands===
 
*Regarding the NAMED / BIND .jnl Files;
**rndc zonestatus _acme-challenge.WhatEverDomainName
***...if issues, then;
***rndc freeze _acme-challenge.WhatEverDomainName
***rndc sync -clean _acme-challenge.WhatEverDomainName
***rndc thaw _acme-challenge.WhatEverDomainName
*dig +trace _acme-challenge.grassvalleyflorist.com TXT
 
<br />
Retrieved from "https://wiki.terrabase.info/wiki/Certbot_and_DNS_with_BIND_and_Windows"