BIND, nsupdate and acme.sh DNS authentication

Brett Delmage Brett at BrettDelmage.ca
Thu Jul 23 19:13:06 UTC 2020


On Thu, 23 Jul 2020, Michael De Roover wrote:

> For example I don't trust Manjaro's maintainers, since they screwed up
> their TLS certificate renewal no less than 3 times. That's complete and
> utter incompetence on their part.

> How they didn't already put certbot in a cron job after the first time 
> is beyond me.

To get this topic back on topic for this list:

When you are creating Let's Encrypt wildcard certificates you must use a 
DNS authentication protocol with letsencrypt. I am using the acme.sh 
client which was recommended for wildcard 
certificates. https://github.com/acmesh-official/acme.sh

If you are running your own nameserver you also need to enable dynamic 
updates so that the acme.sh client can create TXT records during 
certificate acquisition and renewal.

However I have found that getting zone dynamic updates (authentication, 
specifically) working with nsupdate (which acme.sh uses) and BIND has 
been a PITA. I haven't been overly impressed with the debug capabilities 
to help get nsupdate working properly.
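
As an added example that is not part of the original post (nor acme.sh's own code), the shell below shows the three pieces involved: deriving the _acme-challenge TXT name for a wildcard, the nsupdate batch the client feeds to BIND, and a BIND update-policy that limits the TSIG key to the TXT rrset at that one name instead of the whole zone. The zone example.com, the key name acme-key, the key file path and the token are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for testing BIND
# dynamic updates with a TSIG key before handing that key to acme.sh.
# Placeholders: zone example.com, key acme-key, /etc/bind/acme-key.key.
set -eu

# challenge_name FQDN ZONE -> _acme-challenge.<base>. A leading "*." is
# dropped because the challenge for *.example.com lives at
# _acme-challenge.example.com. Fails if FQDN is outside ZONE, which
# nsupdate would otherwise only report as NOTZONE after a round trip.
challenge_name() {
    fqdn=${1#\*.}
    zone=$2
    case "$fqdn" in
        "$zone"|*."$zone") printf '_acme-challenge.%s\n' "$fqdn" ;;
        *) printf 'name %s is not in zone %s\n' "$fqdn" "$zone" >&2; return 1 ;;
    esac
}

# nsupdate_batch ZONE NAME TOKEN -> stdin for: nsupdate -k /etc/bind/acme-key.key
# The delete comes first so a stale TXT from a failed earlier run is removed.
nsupdate_batch() {
    printf 'server 127.0.0.1\nzone %s.\nupdate delete %s. TXT\nupdate add %s. 60 TXT "%s"\nsend\n' \
        "$1" "$2" "$2" "$3"
}

# update_policy ZONE NAME -> named.conf zone stanza. update-policy (rather
# than allow-update) lets the key change only TXT records at NAME, so a
# leaked key cannot rewrite the zone's A, MX or NS records.
update_policy() {
    printf 'zone "%s" {\n    type master;\n    file "/var/lib/bind/db.%s";\n    update-policy {\n        grant acme-key name %s. TXT;\n    };\n};\n' \
        "$1" "$1" "$2"
}

# Demo with constructed values: print the stanza and the batch for a wildcard.
cn=$(challenge_name '*.example.com' example.com)
update_policy example.com "$cn"
nsupdate_batch example.com "$cn" "constructed-token-value"
```

Pipe the batch into `nsupdate -d -k /etc/bind/acme-key.key` to see the TSIG-signed request and the server's rcode (REFUSED usually means the key or update-policy is wrong) before pointing acme.sh at the key.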
