
Re: BIND, nsupdate and acme.sh DNS authentication

Path: csiph.com!newsfeed.xs4all.nl!newsfeed9.news.xs4all.nl!news.uzoreto.com!news.etla.org!nntp-feed.chiark.greenend.org.uk!ewrotcd!usenet-its.stanford.edu!usenet.stanford.edu!not-for-mail
From: Michael De Roover <isc@nixmagic.com>
Newsgroups: comp.protocols.dns.bind
Subject: Re: BIND, nsupdate and acme.sh DNS authentication
Date: Fri, 24 Jul 2020 01:54:42 +0200
Lines: 33
Approved: bind-users@lists.isc.org
Message-ID: <mailman.766.1595548450.942.bind-users@lists.isc.org>
References: <alpine.DEB.2.21.2007231459440.9937@pannier.local> <79022285-c138-ec07-aa1b-6b9523cb0118@nixmagic.com>
NNTP-Posting-Host: lists.isc.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: usenet.stanford.edu 1595548489 18677 149.20.1.60 (23 Jul 2020 23:54:49 GMT)
X-Complaints-To: action@cs.stanford.edu
To: bind-users@lists.isc.org
Return-Path: <isc@nixmagic.com>
X-Original-To: bind-users@lists.isc.org
Delivered-To: bind-users@lists.isc.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
In-Reply-To: <alpine.DEB.2.21.2007231459440.9937@pannier.local>
Content-Language: en-US
X-Spam-Status: No, score=-0.0 required=5.0 tests=SPF_HELO_PASS,SPF_PASS autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mx.pao1.isc.org
X-BeenThere: bind-users@lists.isc.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BIND Users Mailing List <bind-users.lists.isc.org>
List-Unsubscribe: <https://lists.isc.org/mailman/options/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=unsubscribe>
List-Archive: <https://lists.isc.org/pipermail/bind-users/>
List-Post: <mailto:bind-users@lists.isc.org>
List-Help: <mailto:bind-users-request@lists.isc.org?subject=help>
List-Subscribe: <https://lists.isc.org/mailman/listinfo/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=subscribe>
X-Mailman-Original-Message-ID: <79022285-c138-ec07-aa1b-6b9523cb0118@nixmagic.com>
X-Mailman-Original-References: <alpine.DEB.2.21.2007231459440.9937@pannier.local>
Xref: csiph.com comp.protocols.dns.bind:16024



On 7/23/20 9:13 PM, Brett Delmage wrote:
> To get this topic back on topic for this list:
>
> When you are creating Let's Encrypt wildcard certificates you must use 
> a DNS authentication protocol with letsencrypt. I am using the 
> acme.sh client which was recommended for wildcard certificates. 
> https://github.com/acmesh-official/acme.sh
>
> If you are running your own nameserver you also need to enable dynamic 
> updates so that the acme.sh client can create TXT records during 
> certificate acquisition and renewal.
>
> However I have found that getting zone dynamic updates 
> (authentication, specifically) working with nsupdate (which acme.sh 
> uses) and BIND has been a PITA. I haven't been overly impressed with 
> the debug capabilities to help get nsupdate working properly.

Interesting, I wasn't aware of this. Looking at Manjaro's site again, I 
found that their main website indeed uses a wildcard certificate while 
the forum (which was affected by the certificate renewal issues if 
memory serves me right) uses its own dedicated cert. Granted these 
renewal issues were already a few years ago so perhaps they changed some 
things here and there by now.

I had heard of Let's Encrypt's wildcard certs but never looked further 
into it. Would certainly be useful though, as subdomains are an easy way 
to separate services. Unfortunately bacme (which I currently use) 
doesn't seem to support the DNS-based ACME challenges. I've cloned the 
acme.sh repository and will look further into it.

-- 
Met vriendelijke groet / Best regards,
Michael De Roover
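Brett's quoted post names the pieces that have to line up for the dns-01 challenge: dynamic updates enabled on the zone, TSIG authentication for the nsupdate transactions acme.sh sends, and enough debug output to see why an update comes back REFUSED. The script below is an added example for this thread, not code from acme.sh, BIND or either poster. It emits a named.conf fragment that uses `update-policy` rather than `allow-update`, so the ACME key can only touch the TXT record at `_acme-challenge.<zone>` (the name used for both the apex and the `*.` wildcard validation), builds the add and cleanup transactions the hook would pipe into nsupdate, and runs them with `nsupdate -d` so the signed request and the server's response are printed. The zone `example.com`, key name `acme-key`, server `ns1.example.com`, key-file path and the token value are all assumed or constructed for the example.

```shell
#!/bin/sh
# Added example (not acme.sh's or BIND's own code): least-privilege dynamic
# updates for the ACME dns-01 challenge, plus the nsupdate transaction and
# the debug flag used to see why an update is refused.
# Assumed names: zone example.com, TSIG key "acme-key", server ns1.example.com,
# hypothetical key-file path /etc/bind/acme-key.conf.

ZONE="${ZONE:-example.com}"
KEY_NAME="${KEY_NAME:-acme-key}"
NS_SERVER="${NS_SERVER:-ns1.example.com}"
KEY_FILE="${KEY_FILE:-/etc/bind/acme-key.conf}"   # hypothetical path

# named.conf fragment. The secret is a placeholder: generate a real one with
# `tsig-keygen acme-key` (ddns-confgen on older BIND releases) and keep the
# key file readable only by named and the account acme.sh runs as.
named_conf_fragment() {
    cat <<EOF
key "$KEY_NAME" {
    algorithm hmac-sha256;
    secret "<BASE64-SECRET-PLACEHOLDER>";
};

zone "$ZONE" {
    type master;
    file "/var/lib/bind/db.$ZONE";
    // update-policy instead of allow-update: this key may change the TXT
    // record at _acme-challenge.$ZONE and nothing else in the zone.
    update-policy {
        grant $KEY_NAME name _acme-challenge.$ZONE. TXT;
    };
};
EOF
}

# Build one nsupdate transaction. $1 is "add" or "delete", $2 the validation
# token the ACME server hands to the client.
nsupdate_script() {
    action="$1"; token="$2"
    printf 'server %s\n' "$NS_SERVER"
    printf 'zone %s\n' "$ZONE"
    if [ "$action" = "add" ]; then
        printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\n' "$ZONE" "$token"
    else
        # delete only the record carrying this token, so validations of other
        # names in the same zone that are running in parallel keep theirs
        printf 'update delete _acme-challenge.%s. TXT "%s"\n' "$ZONE" "$token"
    fi
    printf 'send\n'
}

# Send the transaction. -k reads a key file in named.conf "key" syntax (the
# format tsig-keygen emits); -d prints the signed request and the server's
# response code, which is what you want when an update is REFUSED or the
# TSIG verification fails (BADKEY / BADSIG / BADTIME).
run_update() {
    if ! command -v nsupdate >/dev/null 2>&1; then
        echo "nsupdate not installed (bind9-dnsutils / bind-utils)" >&2
        return 1
    fi
    nsupdate_script "$1" "$2" | nsupdate -d -k "$KEY_FILE"
}

# Only talk to a real server when explicitly asked; otherwise print the pieces.
if [ "${ACME_NSUPDATE_APPLY:-0}" = "1" ]; then
    run_update add "constructed-token-value" || exit 1
else
    named_conf_fragment
    nsupdate_script add "constructed-token-value"
fi
```

acme.sh's nsupdate hook takes the server and key file from the `NSUPDATE_SERVER` and `NSUPDATE_KEY` environment variables and sends essentially the same transaction; running it by hand with `-d` as above is the quickest way to tell a key-name or secret mismatch (TSIG error) apart from a policy problem (REFUSED with a correctly verified signature). A BADTIME result means the client and server clocks differ by more than the TSIG fudge window.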
