Certbot: Ikoula DNS Challenge
This article was produced by automatic translation software.
Introduction
Several challenges (authentication methods) are available when requesting a Let's Encrypt certificate. Unlike the SSL certificates sold by Ikoula, these free certificates expire quickly, so their renewal needs to be automated. The DNS challenge is the one that allows wildcard certificates to be requested: a DNS record containing a validation key must be created during the process of obtaining or renewing the certificate.
Prerequisites
The system on which the SSL certificate is to be installed must have certbot and a few basic dependencies. The required packages are:
- certbot
- curl
- jq
You also need a client interface user/contact with permissions to modify the DNS zone. We recommend creating a dedicated user with the minimum permissions on the "Domain and Dns - Dns Management Only for Domain" subscription:
- See basic details
- Manage zone: domain.tld
Installation
Installing dependencies on a Debian base:
apt update && apt install -y certbot curl jq
Installing the Ikoula scripts for DNS zone management:
bash <(curl -s https://raw.githubusercontent.com/ikoula/certbot-dns/master/install.sh)
The installation command must be run again if the user's password has been changed.
Use
You can then run certbot with your usual options, but the following options are required:
- --manual
- --preferred-challenges=dns
- --manual-auth-hook /usr/local/bin/ikoula-dns-auth.sh
- --manual-cleanup-hook /usr/local/bin/ikoula-dns-cleanup.sh
Here is an example:
certbot certonly --manual -n --preferred-challenges=dns --manual-auth-hook /usr/local/bin/ikoula-dns-auth.sh --manual-cleanup-hook /usr/local/bin/ikoula-dns-cleanup.sh -d *.domaine.tld -d domaine.tld --agree-tos -m monadresse@domaine.tld --manual-public-ip-logging-ok
DNS authentication takes time because of DNS propagation delay; allow at least 2 minutes per domain.
I recommend that you test your settings with --dry-run. If authentication fails too many times, you will have to wait.
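As an added example (not part of the Ikoula scripts), here are POSIX sh helpers that a wrapper around the auth hook could use: they derive the _acme-challenge TXT record name from the CERTBOT_DOMAIN variable certbot exports to the hook, compute the record name relative to the zone, and poll a resolver until the CERTBOT_VALIDATION value is visible before handing control back to certbot, instead of relying on a fixed sleep. The function names (acme_record_name, relative_name, wait_for_txt) and the injectable lookup command are assumptions made for this example.

```shell
#!/usr/bin/env sh
# Added example, not Ikoula's code. certbot exports CERTBOT_DOMAIN and
# CERTBOT_VALIDATION to a --manual-auth-hook; for "*.domaine.tld" the
# CERTBOT_DOMAIN value is "domaine.tld", so the wildcard and the apex
# share the same _acme-challenge name (two TXT values coexist).

# TXT record name validated by the DNS-01 challenge.
acme_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Record name relative to the zone, as a DNS API usually expects it.
# relative_name "_acme-challenge.www.domaine.tld" "domaine.tld" -> "_acme-challenge.www"
relative_name() {
    fqdn="$1"; zone="$2"
    case "$fqdn" in
        *."$zone") printf '%s\n' "${fqdn%."$zone"}" ;;
        "$zone")   printf '@\n' ;;
        *)         return 1 ;;   # name is outside the zone we may manage
    esac
}

# Poll until a resolver returns the expected TXT value (quoted as dig prints
# it). Polls every $interval seconds for at most $timeout seconds. The lookup
# command is a parameter so the loop can be exercised without network access.
wait_for_txt() {
    name="$1"; expected="$2"; timeout="${3:-120}"; interval="${4:-10}"
    lookup="${5:-dig +short TXT}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if $lookup "$name" | grep -qF "\"$expected\""; then
            return 0
        fi
        sleep "$interval"; elapsed=$((elapsed + interval))
    done
    return 1
}

# How a wrapper hook would use these (hypothetical, not run here):
#   record=$(acme_record_name "$CERTBOT_DOMAIN")
#   /usr/local/bin/ikoula-dns-auth.sh            # creates the TXT record
#   wait_for_txt "$record" "$CERTBOT_VALIDATION" 180 15 || exit 1
```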