starred/dehydrated
1
0
Fork 0
mirror of https://github.com/dehydrated-io/dehydrated.git synced 2026-01-14 07:33:34 +01:00
Code Issues 79 Packages Projects Releases 10 Wiki Activity
Page: example dns 01 nsupdate script
Pages
Blog articles and HowTos DNS 01 hooks Docker support Example hook script to deploy cert to Unifi controller Example of lighttpd combined certificate deployment hook Example: Using multiple hooks Example: deploy cert for weechat relay server Examples for DNS 01 hooks Home Import from official letsencrypt client example dns 01 nsupdate script
Clone
17
example dns 01 nsupdate script
JP Mens edited this page 2020-12-19 12:47:50 +01:00
Table of Contents

Example hook script using Dynamic DNS update utility for dns-01 challenge

This hook script uses the nsupdate utility from the bind package to solve dns-01 challenges.

Code

#!/usr/bin/env bash

#
# Example how to deploy a DNS challenge using nsupdate
#

set -e
set -u
set -o pipefail

NSUPDATE="nsupdate -k /path/to/Kdnsupdatekey.private"
DNSSERVER="127.0.0.1"
TTL=300

case "$1" in
    "deploy_challenge")
        printf "server %s\nupdate add _acme-challenge.%s. %d in TXT \"%s\"\nsend\n" "${DNSSERVER}" "${2}" "${TTL}" "${4}" | $NSUPDATE
        ;;
    "clean_challenge")
        printf "server %s\nupdate delete _acme-challenge.%s. %d in TXT \"%s\"\nsend\n" "${DNSSERVER}" "${2}" "${TTL}" "${4}" | $NSUPDATE
        ;;
    "deploy_cert")
        # optional:
        # /path/to/deploy_cert.sh "$@"
        ;;
    "unchanged_cert")
        # do nothing for now
        ;;
    "startup_hook")
        # do nothing for now
        ;;
    "exit_hook")
        # do nothing for now
        ;;
esac

exit 0

The file /path/to/Kdnsupdatekey.private looks like this:

key "<keyname>" {
  algorithm hmac-sha512;
  secret "<key>";
};

To avoid making your entire production DNS subject to dynamic DNS updates, then for each certificate domain you want:

  1. In your main DNS infrastructure create a delegation: _acme-challenge.<domain>. NS <your-nameserver>.
  2. Create a new zone _acme-challenge.<domain> on <your-nameserver>, with an empty zonefile (just an SOA and NS record), writeable by the nameserver
  3. Create a new TSIG key: tsig-keygen -a sha512 <keyname>
  4. Enable dynamic updates on the _acme-challenge.<domain> zone with this key

e.g. for bind9:

key "<keyname>" {
  algorithm hmac-sha512;
  secret "<key>";
};
zone "_acme-challenge.<domain>" {
  type master;
  file "/var/cache/bind/_acme-challenge.<domain>";
  masterfile-format text;
  allow-update { key "<keyname>"; };
};

This is a secure approach because each host will have its own key, and hence can only obtain certificates for those domains you have explicitly authorized it for.

An alternative approach is to use CNAMEs to put all your dynamic updates into a single zone. You will need to modify the script:

ZONE="acme.mydomain.com"
...
    "deploy_challenge")
        printf "server %s\nupdate add _acme-challenge.%s.%s. %d in TXT \"%s\"\nsend\n" "${DNSSERVER}" "${2}" "${ZONE}" "${TTL}" "${4}" | $NSUPDATE
        ;;
    "clean_challenge")
        printf "server %s\nupdate delete _acme-challenge.%s.%s. %d in TXT \"%s\"\nsend\n" "${DNSSERVER}" "${2}" "${ZONE}" "${TTL}" "${4}" | $NSUPDATE

You then only need to create a single zone acme.mydomain.com which accepts dynamic DNS updates, but you will need to add static CNAMEs for _acme-challenge.<certname> pointing at _acme-challenge.<certname>.acme.mydomain.com for each certificate you want to issue.