2018-07-27
Automating Let's Encrypt certificates with DNS-01 protocol
After thoroughly automating Let's Encrypt certificate renewal and installation, I wanted to get the same level of automation for systems that do not expose an http service to the outside world. That means the DNS-01 challenge within the ACME protocol has to be used. I found out that dehydrated Let's Encrypt certificate management supports DNS-01, and I found a sample of how to do this with bind9 at Example hook script using Dynamic DNS update utility for dns-01 challenge, which looks like it can do the job. It took me a few failed tries to find out that if I want a certificate for the name turing.idefix.net, it will request the TXT record for _acme-challenge.turing.idefix.net to make me prove that I have control over the right bit of DNS. I first assumed it would be something in _acme-challenge.idefix.net, which turned out to be wrong. So the bind9 config in /etc/bind/named.conf.local has:
zone "_acme-challenge.turing.idefix.net" {
    type master;
    file "/var/cache/bind/_acme-challenge.turing.idefix.net-zone";
    masterfile-format text;
    allow-update { key "acmekey-turing"; };
    allow-query { any; };
    allow-transfer { localnetwork; };
};

And in the idefix.net zone there is just one delegation:

_acme-challenge.turing IN NS ns2

I created and used a dnskey with something like:

# dnssec-keygen -r /dev/random -a hmac-sha512 -b 128 -n HOST acmekey-turing
Kacmekey-turing.+157+53887

This gives 2 files, both with the right secret:

# ls Kacmekey-turing.+157+53887.*
Kacmekey-turing.+157+53887.key  Kacmekey-turing.+157+53887.private
# cat Kacmekey-turing.+157+53887.key
acmekey-turing. IN KEY 512 3 157 c2V0ZWMgYXN0cm9ub215

and configured it in /etc/bind/named.conf.options:

key "acmekey-turing" {
    algorithm hmac-md5;
    secret "c2V0ZWMgYXN0cm9ub215";
};

And now I can request a key for turing.idefix.net and use it to generate sendmail certificates. And the net result:

(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)

SMTP between systems with TLS working and good certificates.
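The piece the post leaves implicit is the dehydrated hook that actually pushes the TXT record with the TSIG key. The script below is an added example written for this page, not the post's own hook and not the linked sample; it assumes a key file path (/etc/dehydrated/Kacmekey-turing.+157+53887.private), that ns2.idefix.net is the server to update, a 60 second TTL, and that dig and nsupdate are installed. It hard-codes the lesson learned above: the record goes to _acme-challenge.<name>, and because that name is its own delegated zone, the nsupdate batch names that zone rather than idefix.net. Two practitioner notes on the key stanza: the algorithm in named.conf.options must be the algorithm the key was generated with (the +157+ in the file name is dnssec-keygen's number for HMAC-MD5, which is why the stanza says hmac-md5 although the command line shows -a hmac-sha512; hmac-sha256 is the sensible choice for a new key), and scoping allow-update to the delegated _acme-challenge zone is what limits the damage if the key, which has to live on the mail host, is ever stolen: it can then rewrite the challenge record and nothing else in idefix.net.

```shell
#!/bin/sh
# dehydrated DNS-01 hook using nsupdate with a TSIG key.
# Added example for this page; paths, server and TTL below are assumptions.
set -eu

KEYFILE="${ACME_TSIG_KEYFILE:-/etc/dehydrated/Kacmekey-turing.+157+53887.private}"
NAMESERVER="${ACME_NAMESERVER:-ns2.idefix.net}"
NSUPDATE="${NSUPDATE:-nsupdate}"
TTL=60

# The challenge record lives under _acme-challenge.<name>, not at the zone apex.
challenge_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Emit an nsupdate batch. $1 = add|delete, $2 = domain, $3 = token (add only).
# The challenge name is a delegated zone of its own, so it is also the zone
# named in the batch; the key may only update that zone.
build_update() {
    name=$(challenge_name "$2")
    printf 'server %s\n' "$NAMESERVER"
    printf 'zone %s\n' "$name"
    case "$1" in
        add)    printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$3" ;;
        delete) printf 'update delete %s IN TXT\n' "$name" ;;
        *)      echo "build_update: unknown action $1" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Ask the authoritative server until it returns the token (dig +short prints
# TXT data in double quotes), so dehydrated does not tell the CA to validate
# before the record is actually served.
wait_for_txt() {
    name=$(challenge_name "$1")
    i=0
    while [ "$i" -lt 30 ]; do
        if dig +short @"$NAMESERVER" "$name" TXT | grep -Fq "\"$2\""; then
            return 0
        fi
        i=$((i + 1))
        sleep 2
    done
    echo "TXT record $name did not appear on $NAMESERVER" >&2
    return 1
}

# dehydrated calls: hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
    build_update add "$1" "$3" | "$NSUPDATE" -k "$KEYFILE"
    wait_for_txt "$1" "$3"
}

# dehydrated calls: hook.sh clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
clean_challenge() {
    build_update delete "$1" | "$NSUPDATE" -k "$KEYFILE"
}

# Other hook names (deploy_cert, exit_hook, ...) are deliberately no-ops.
HOOK="${1:-}"
case "$HOOK" in
    deploy_challenge) shift; deploy_challenge "$@" ;;
    clean_challenge)  shift; clean_challenge "$@" ;;
    *) ;;
esac
```

Point dehydrated at it with HOOK=/path/to/this/script and CHALLENGETYPE="dns-01" in its config. nsupdate -k accepts the .private file as long as the matching .key file sits next to it, which is exactly the pair dnssec-keygen produced above.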