Let's Encrypt DNS challenge

giacomo · December 18, 2020, 3:24pm

Right now, every time a user requests a Let’s Encrypt certificate, the underlying system uses certbot with the http challenge.
What does it mean? It means there are few strong requirements to make it work:

the machine must have the HTTP port (tcp 80) open to public world
a DNS record should be already in place and pointing to the public machine IP

Yesterday, I’ve been working a little bit on adding the dns challenge instead of the http one.

Pros:

you can request a certificate from a machine without a valid DNS and without a public accessible HTTP port (very usefull for development scenarios!)
you can request a wildcard certificate

Cons:

your DNS provider must be supported by certbot (CloudFlare and DigitalOcean are supported and have a free plan)
your DNS NS records must point to the DNS provider (see some examples here)

I’m still not sure if it worth adding a UI for it , but I’d like to hear feedback from you!

How to test it:

install the package from testing: yum --enablerepo=nethserver-testing install nethserver-letsencrypt
follow the doc on how to request the certificate: https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-letsencrypt.html#dns-challenge
access the Server Manager and use the certificate which will be renewed automatically

See also the PR.

danb35 · December 18, 2020, 3:48pm

I’d think it is. Better if you could also add support for acme-dns, though admittedly the UI to integrate that hook script would be a little more complicated. OTOH, acme-dns lets just about anyone use the DNS challenge. If it’s going to be CLI-only, I don’t know that it’d add anything that I didn’t write up almost three years ago at userguide:let_s_encrypt_for_internal_servers [NethServer Wiki] (though I used acme.sh there rather than certbot–still not a fan of certbot).

giacomo · December 21, 2020, 8:11am

I’ve already took a look to your excellent work on acme-dns, but in my opinion is even harder than using a DNS provider with certbot.

I thought the DNS challenge could have been useful for the community, but it seems that nobody else other than you and me is going to use it

I’m going to wait a little more before taking a decision, but as first step I will probably do a cli-only release

royceb · December 21, 2020, 1:30pm

The CLI/Config section is keeping me from easily using this like I am used to doing with Pfsense ACME package. I’ll read up on how to properly configure a Cloudflare LE cert and report back.

danb35 · December 21, 2020, 2:09pm

I don’t think it really is, from the client side. Keep in mind that there’s an acme-dns server (which can be anywhere–even hosted by Nethesis, hint hint), and then there’s the client hook script that links in with certbot. For installation of the server, yes, that’s a bit more involved (though not greatly so with my module, if I may be so bold). For the client, though, not so much. Start with the hook script here:

Then the UI elements needed are:

A place to enter the URL of the acme-dns server–you can store that and have it be constant for any certs issued using this authenticator
Scan the output of the hook script for any new CNAME entries that are required, present them to the user, and wait for the user to confirm they’ve been added.
- Optionally, check for yourself that the CNAME records are added appropriately

Using that script, there’s no need for the user to handle any credentials for acme-dns; the script handles them automatically.

If I might be so bold, I’d suggest you start at the wiki page I linked above.

robb · December 21, 2020, 8:24pm

This list of DNS providers might be useful:

capote · January 12, 2021, 4:27pm

I’m really interested to get an easy LE-Management. That means for me:

local creation of a LE-Cert (also wildcard-certificates), also for internal machines w/o public DNS-name and
Generation and transfer of DMARC- and DKIM-records to the DNS-provider
generation and transfer of TSLA-records
the same procedure after automated cert renewal

Thats why I read the list really interested - but I can not find any free provider with a little bit of functionality, that support this process.
Also Digital Ocean not.

I would also use a non-free DNS-provider, but could not check all.

Perhaps our Community can collect DNS-provider the support Nethserver optimal.
my own provider told me:

we have a BETA API which is used by some customers to authenticate Let’s Encrypt certificates. The community has already created an integration in acme.sh which seems to work for a few certificates without any problems. We currently do not plan to develop our own plugins for ACME clients.

you can create an account for the API here in the web interface:
Core Networks GmbH - Webinterface

The documentation can be found at:
API Dokumentation - Core Networks

acme.sh can be found at: GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol

The only problem we know of is that the AUTH token is not cached, so you have to create a new one for every change, which quickly hits our rate limit. But for a few certificates or certificates that are issued at different times it should work without problems.

mark_nl · January 12, 2021, 4:45pm

Question asked at hosting (& current DNS) provider: (translated from dutch)

I wonder if it is possible to add and remove DNS TXT record via webservices.bhosted.nl. This is to meet a dns-01 challenge with regard to obtaining Let’s Encrypt for computers is the local network

Answer of my hosting provider:

Beste,

Dat is inderdaad mogelijk. Het lijkt mij wel een uitdaging om het op deze manier Let’s Encrypt te doen, maar technisch gezien moet het te doen zijn.

Translation:

Best,

That is indeed possible. It seems like a challenge to do Let’s Encrypt this way, but technically it should be feasible.

And it is indeed possible to add / remove (TXT) records giving curl an appropriate crafted payload (URL) which includes the authentication bits and pieces.

No idea how to incorporate the specific API, So going to look @danb35 's acme-dns. Seems a better suite for me.

giacomo · January 12, 2021, 4:58pm

You can do it with the new implementation with any of DNS providers supported by certbot.

This is out of the scope from certificate request, so it’s not part of certbot.
Still you can do it with a bash script using your DNS API and attach it to the certificate-update-event

Renewal is already handled and you can add your hooks to certificate-update event

Of course it is, if you do not have a DNS provider supported by certbot.
Even our provider do not support it, but we just pointed the NS record to Digital Ocean (or Cloudflare)

michelandre · January 12, 2021, 5:54pm

Hi all,

How to use DNS API: https://github.com/acmesh-official/acme.sh/wiki/dnsapi. Most API key providers, and how to use them, are listed there.

If your DNS provider doesn’t provide API access, you can use our DNS alias mode:
https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode.

Example for Let’s Encrypt for a LOCAL Nethserver using Cloudflare.com as a “DNS provider”.

# yum install -y socat

# curl https://get.acme.sh | sh

Exit session and reconnect to activate the path for the acme.sh script.

# config setprop pki CrtFile /etc/pki/tls/certs/cert.pem

# config setprop pki ChainFile /etc/pki/tls/certs/chain.pem

# config setprop pki KeyFile /etc/pki/tls/private/privkey.pem

Get the API key from your registrar (or “DNS provider”).
† All challenges will be answered by Cloudflare.

CF is for Cloudflare, adjust to your provider (or “DNS provider”).

# export CF_Key="Your-Global-API-Key"

#  export CF_Email="YourEmailAddressTo connectToYourRegistrar"

Using --test to make sure all is OK.

# /root/.acme.sh/acme.sh \
                  --issue \
                  --dns dns_cf \
                  -d your-domain \
                  ... \
                  --test

For future connection, the key and email address will be saved in one of the the .acme.sh sub-directory.

Then --force for production certificate:

# /root/.acme.sh/acme.sh \
                  --issue \
                  --dns dns_cf \
                  -d your-domain \
                  ... \
                  --force

I never had problem with this scenario.

It should be possible to integrate this in the NethServer manager.

Michel-André

danb35 · January 12, 2021, 6:21pm

Maybe, but the instructions you posted are incomplete. But since I put up a wiki page almost three years ago with instructions on this very subject, and linked to it a few weeks ago in this very topic, I’ll just refer to that.

I expect the issues come with the implementation:

Which DNS hosts should be integrated?
How should they be integrated?
- The obvious answers are “all of them” and “give unique forms for the unique sets of credentials required”, of course–but that means over 100 unique forms that need to be built, and it’s a maintenance nightmare.
How would we get acme.sh into a Neth installation?
- Everything else goes by RPM, but AFAIK, there’s no RPM of acme.sh, and it’s small enough that it almost doesn’t make sense to have one–except that the rest of the system then has no idea which version is running
Does acme.sh behave the way we want it to?
- It has some curious default behaviors–for one example, once it creates a private key for a cert, it reuses that key every renewal.

michelandre · January 12, 2021, 6:25pm

Instead of 124 API key providers, maybe have a look at: https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode.

Michel-André

P.S. “Never ascribe to malice, that which can be explained by incompetence.” - Napoleon Bonaparte