Let's Encrypt DNS challenge

Right now, every time a user requests a Let’s Encrypt certificate, the underlying system uses certbot with the http challenge.
What does it mean? It means there are few strong requirements to make it work:

  • the machine must have the HTTP port (tcp 80) open to public world
  • a DNS record should be already in place and pointing to the public machine IP

Yesterday, I’ve been working a little bit on adding the dns challenge instead of the http one.

Pros:

  • you can request a certificate from a machine without a valid DNS and without a public accessible HTTP port (very usefull for development scenarios!)
  • you can request a wildcard certificate

Cons:

  • your DNS provider must be supported by certbot (CloudFlare and DigitalOcean are supported and have a free plan)
  • your DNS NS records must point to the DNS provider (see some examples here)

I’m still not sure if it worth adding a UI for it :thinking:, but I’d like to hear feedback from you!

How to test it:

See also the PR.

5 Likes

I’d think it is. Better if you could also add support for acme-dns, though admittedly the UI to integrate that hook script would be a little more complicated. OTOH, acme-dns lets just about anyone use the DNS challenge. If it’s going to be CLI-only, I don’t know that it’d add anything that I didn’t write up almost three years ago at https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers (though I used acme.sh there rather than certbot–still not a fan of certbot).

I’ve already took a look to your excellent work on acme-dns, but in my opinion is even harder than using a DNS provider with certbot.

I thought the DNS challenge could have been useful for the community, but it seems that nobody else other than you and me is going to use it :smiley:

I’m going to wait a little more before taking a decision, but as first step I will probably do a cli-only release :slight_smile:

2 Likes

The CLI/Config section is keeping me from easily using this like I am used to doing with Pfsense ACME package. I’ll read up on how to properly configure a Cloudflare LE cert and report back.

1 Like

I don’t think it really is, from the client side. Keep in mind that there’s an acme-dns server (which can be anywhere–even hosted by Nethesis, hint hint), and then there’s the client hook script that links in with certbot. For installation of the server, yes, that’s a bit more involved (though not greatly so with my module, if I may be so bold). For the client, though, not so much. Start with the hook script here:

Then the UI elements needed are:

  • A place to enter the URL of the acme-dns server–you can store that and have it be constant for any certs issued using this authenticator
  • Scan the output of the hook script for any new CNAME entries that are required, present them to the user, and wait for the user to confirm they’ve been added.
    • Optionally, check for yourself that the CNAME records are added appropriately

Using that script, there’s no need for the user to handle any credentials for acme-dns; the script handles them automatically.

If I might be so bold, I’d suggest you start at the wiki page I linked above.

1 Like

This list of DNS providers might be useful:

3 Likes

I’m really interested to get an easy LE-Management. That means for me:

  1. local creation of a LE-Cert (also wildcard-certificates), also for internal machines w/o public DNS-name and
  2. Generation and transfer of DMARC- and DKIM-records to the DNS-provider
  3. generation and transfer of TSLA-records
  4. the same procedure after automated cert renewal

Thats why I read the list really interested - but I can not find any free provider with a little bit of functionality, that support this process.
Also Digital Ocean not.

I would also use a non-free DNS-provider, but could not check all.

Perhaps our Community can collect DNS-provider the support Nethserver optimal.
my own provider told me:

we have a BETA API which is used by some customers to authenticate Let’s Encrypt certificates. The community has already created an integration in acme.sh which seems to work for a few certificates without any problems. We currently do not plan to develop our own plugins for ACME clients.

you can create an account for the API here in the web interface:
https://iface.core-networks.de/general/api/accounts

The documentation can be found at:
https://beta.api.core-networks.de/doc/

acme.sh can be found at: https://github.com/acmesh-official/acme.sh

The only problem we know of is that the AUTH token is not cached, so you have to create a new one for every change, which quickly hits our rate limit. But for a few certificates or certificates that are issued at different times it should work without problems.

Question asked at hosting (& current DNS) provider: (translated from dutch)

I wonder if it is possible to add and remove DNS TXT record via webservices.bhosted.nl. This is to meet a dns-01 challenge with regard to obtaining Let’s Encrypt for computers is the local network

Answer of my hosting provider:

Beste,

Dat is inderdaad mogelijk. Het lijkt mij wel een uitdaging om het op deze manier Let’s Encrypt te doen, maar technisch gezien moet het te doen zijn.

Translation:

Best,

That is indeed possible. It seems like a challenge to do Let’s Encrypt this way, but technically it should be feasible.

And it is indeed possible to add / remove (TXT) records giving curl an appropriate crafted payload (URL) which includes the authentication bits and pieces.

No idea how to incorporate the specific API, So going to look @danb35 's acme-dns. Seems a better suite for me.

You can do it with the new implementation with any of DNS providers supported by certbot.

This is out of the scope from certificate request, so it’s not part of certbot.
Still you can do it with a bash script using your DNS API and attach it to the certificate-update-event

Renewal is already handled and you can add your hooks to certificate-update event

Of course it is, if you do not have a DNS provider supported by certbot.
Even our provider do not support it, but we just pointed the NS record to Digital Ocean (or Cloudflare)

1 Like

Hi all,

How to use DNS API: https://github.com/acmesh-official/acme.sh/wiki/dnsapi. Most API key providers, and how to use them, are listed there.

If your DNS provider doesn’t provide API access, you can use our DNS alias mode:
https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode.

Example for Let’s Encrypt for a LOCAL Nethserver using Cloudflare.com as a “DNS provider”.

# yum install -y socat

# curl https://get.acme.sh | sh

Exit session and reconnect to activate the path for the acme.sh script.

# config setprop pki CrtFile /etc/pki/tls/certs/cert.pem

# config setprop pki ChainFile /etc/pki/tls/certs/chain.pem

# config setprop pki KeyFile /etc/pki/tls/private/privkey.pem

Get the API key from your registrar (or “DNS provider”).
All challenges will be answered by Cloudflare.

CF is for Cloudflare, adjust to your provider (or “DNS provider”).

# export CF_Key="Your-Global-API-Key"

#  export CF_Email="YourEmailAddressTo connectToYourRegistrar"

Using --test to make sure all is OK.

# /root/.acme.sh/acme.sh \
                  --issue \
                  --dns dns_cf \
                  -d your-domain \
                  ... \
                  --test

For future connection, the key and email address will be saved in one of the the .acme.sh sub-directory.

Then --force for production certificate:

# /root/.acme.sh/acme.sh \
                  --issue \
                  --dns dns_cf \
                  -d your-domain \
                  ... \
                  --force

I never had problem with this scenario.

It should be possible to integrate this in the NethServer manager.

Michel-André

2 Likes

Maybe, but the instructions you posted are incomplete. But since I put up a wiki page almost three years ago with instructions on this very subject, and linked to it a few weeks ago in this very topic, I’ll just refer to that.

I expect the issues come with the implementation:

  • Which DNS hosts should be integrated?
  • How should they be integrated?
    • The obvious answers are “all of them” and “give unique forms for the unique sets of credentials required”, of course–but that means over 100 unique forms that need to be built, and it’s a maintenance nightmare.
  • How would we get acme.sh into a Neth installation?
    • Everything else goes by RPM, but AFAIK, there’s no RPM of acme.sh, and it’s small enough that it almost doesn’t make sense to have one–except that the rest of the system then has no idea which version is running
  • Does acme.sh behave the way we want it to?
    • It has some curious default behaviors–for one example, once it creates a private key for a cert, it reuses that key every renewal.
2 Likes

Instead of 124 API key providers, maybe have a look at: https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode.

Michel-André

P.S. “Never ascribe to malice, that which can be explained by incompetence.” - Napoleon Bonaparte

2 Likes