From: Michael De Roover
Newsgroups: comp.protocols.dns.bind
Subject: Re: BIND, nsupdate and acme.sh DNS authentication
Date: Fri, 24 Jul 2020 01:54:42 +0200
To: bind-users@lists.isc.org
References: <79022285-c138-ec07-aa1b-6b9523cb0118@nixmagic.com>

On 7/23/20 9:13 PM, Brett Delmage wrote:
> To get this topic back on topic for this list:
>
> When you are creating Let's Encrypt wildcard certificates you must use
> a DNS authentication protocol with letsencrypt. I am using the
> acme.sh client which was recommended for wildcard certificates.
> https://github.com/acmesh-official/acme.sh
>
> If you are running your own nameserver you also need to enable dynamic
> updates so that the acme.sh client can create TXT records during
> certificate acquisition and renewal.
>
> However I have found that getting zone dynamic updates
> (authentication, specifically) working with nsupdate (which acme.sh
> uses) and BIND has been a PITA. I haven't been overly impressed with
> the debug capabilities to help get nsupdate working properly.

Interesting, I wasn't aware of this. Looking at Manjaro's site again, I
found that their main website indeed uses a wildcard certificate while
the forum (which was affected by the certificate renewal issues if
memory serves me right) uses its own dedicated cert. Granted these
renewal issues were already a few years ago, so perhaps they changed
some things here and there by now.

I had heard of Let's Encrypt's wildcard certs but never looked further
into it. Would certainly be useful though, as subdomains are an easy way
to separate services. Unfortunately bacme (which I currently use)
doesn't seem to support the DNS-based ACME challenges. I've cloned the
acme.sh repository and will look further into it.

--
Met vriendelijke groet / Best regards,
Michael De Roover
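The dynamic-update side of the dns-01 challenge that Brett describes, written out as an added example (this is not code from the thread, from acme.sh, or from ISC). It builds the exact nsupdate batch an ACME client needs, with the two details that usually cause trouble: the wildcard name `*.example.com` is validated at `_acme-challenge.example.com`, not at `_acme-challenge.*.example.com`, and a stale TXT from an earlier failed run is deleted before the new token is added. The zone `example.com`, the primary `192.0.2.53`, the key name `acme-update` and the key file path are all assumptions; the token is a constructed sample. The matching BIND `update-policy` grant, which confines the key to that one TXT name instead of the whole zone, is shown in the comments.

```shell
#!/bin/sh
# Added example: generate and apply the nsupdate batch for an ACME dns-01
# challenge against a BIND primary that accepts TSIG-authenticated updates.
# Assumed (hypothetical) names: zone example.com, primary 192.0.2.53,
# TSIG key "acme-update" stored in /etc/acme/acme-update.key.
#
# Matching named.conf fragment on the primary (assumed, not from the thread).
# The "name ... TXT" grant limits the key to the challenge record only;
# "grant acme-update zonesub ANY" would let the key rewrite the whole zone.
#
#   key "acme-update" { algorithm hmac-sha256; secret "<base64 secret>"; };
#   zone "example.com" {
#       type master;            # "type primary" on BIND 9.16 and later
#       file "example.com.zone";
#       update-policy { grant acme-update name _acme-challenge.example.com. TXT; };
#   };

# Print the nsupdate batch for one challenge record.
#   $1 = add|del   $2 = zone   $3 = name being validated (may be *.zone)
#   $4 = challenge token   $5 = primary server to send the update to
acme_nsupdate_batch() {
    action=$1; zone=$2; fqdn=$3; token=$4; server=$5

    # A wildcard name is validated at the base name: strip the leading "*."
    case "$fqdn" in
        "*."*) fqdn=${fqdn#\*.} ;;
    esac
    rr="_acme-challenge.${fqdn}."

    printf 'server %s\n' "$server"
    printf 'zone %s.\n' "$zone"
    # Always clear the old challenge first: a previous run that failed after
    # the "add" leaves a stale token that makes debugging very confusing.
    printf 'update delete %s TXT\n' "$rr"
    if [ "$action" = add ]; then
        printf 'update add %s 60 IN TXT "%s"\n' "$rr" "$token"
    fi
    printf 'send\n'
}

# Feed the batch to nsupdate with the TSIG key file. -d prints each message
# and the server's response code (NOERROR, REFUSED, NOTAUTH, ...), which is
# the quickest way to tell a policy problem from a key mismatch.
#   $1 = key file, remaining arguments as for acme_nsupdate_batch
acme_nsupdate_apply() {
    keyfile=$1; shift
    acme_nsupdate_batch "$@" | nsupdate -d -k "$keyfile"
}

# Verify directly against the primary (bypassing caches) after the update.
acme_challenge_lookup() {
    fqdn=$1; server=$2
    case "$fqdn" in "*."*) fqdn=${fqdn#\*.} ;; esac
    dig +short @"$server" TXT "_acme-challenge.${fqdn}."
}

# Usage (constructed token; only prints the batch so it runs without BIND):
acme_nsupdate_batch add example.com '*.example.com' \
    'gfj9Xq_sample_token_not_real' 192.0.2.53
```

When the update comes back `REFUSED`, the grant in `update-policy` does not match the name or type being changed; `NOTAUTH` with a TSIG error (`BADKEY`, `BADSIG`, `BADTIME`) points at the key name, secret or clock skew instead. Running nsupdate with `-d` shows which of these it is.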