1. Letsencrypt/dns-01

1.1. 機能

"_acme-challenge.example.com" ownerのTXTレコードを作れるかどうかを確認している。

1.2. サブドメイン乗取

NSが存在しないことくらいは確認して欲しい。 -- ToshinoriMaeno 2019-01-26 00:29:30

http://ya.maya.st/d/201903b.html あぶない話が載っている。

1.3. 認証方式

https://dan.langille.org/2017/05/31/creating-a-txt-only-nsupdate-connection-for-lets-encrypt/

moin.qmail.jp のようにDNS(zone)も自前のサイトなら、dns-01型の認証の方が簡単かと思った。

At the simplistic level, the client talks to the Let’s Encrypt ACME server and obtains a “token” that needs to be placed in a TXT record in your DNS.

1.4. DNS API

If your DNS provider has an API then this record can be added automatically, or you can do it manually.

Once the TXT record is there, Let’s Encrypt verifies this and provides you with a certificate (via the same client).

You will need a new token every time you need to renew for a new certifcate though, hence automation is easier.

Which arguments you need to call depends on which client you are using.

https://letsencrypt.org/docs/client-options/

1.5. 実行例

certonly --manual

https://blog.fabiopires.pt/running-your-instance-of-burp-collaborator-server/

1.6. 実行例2

https://blog.rinsuki.net/articles/letsencrypt-wildcard-in-cloudflare-dns/

wildcard, cloudflare DNS API plugin

1.7. 自動化

Let’s Encryptの証明書更新(DNS認証)を自動化 https://blog.nightonly.com/2021/03/24/lets-encrypt%E3%81%AE%E8%A8%BC%E6%98%8E%E6%9B%B8%E6%9B%B4%E6%96%B0%EF%BC%88dns%E8%AA%8D%E8%A8%BC%EF%BC%89%E3%82%92%E8%87%AA%E5%8B%95%E5%8C%96/

https://www.codingstock.jp/letsencrypt_dns01_autorenew/ (hook)

https://qiita.com/marks43/items/5fec21992e12a9433676

/etc/letsencrypt/renewal-hooks/ 配下の(pre, post, deploy)のそれぞれのディレクトリに 実行ファイルを保存しておくと勝手に実行されるようです。

/etc/letsencrypt/renewal-hooks/pre/dns01-auth.sh

#!/bin/bash
#echo $CERTBOT_VALIDATION > /tmp/CERTBOT_VALIDATION.txt ##確認用
#echo $CERTBOT_DOMAIN > /tmp/CERTBOT_DOMAIN.txt ##確認用
[ "$CERTBOT_VALIDATION" = "" ] && exit 0
[ "$CERTBOT_TOKEN"     != "" ] && exit 0
echo -e " port=53\n" \
        "no-hosts\n" \
        "domain-needed\n" \
        "bogus-priv\n" \
        "txt-record=_acme-challenge.$CERTBOT_DOMAIN,\"$CERTBOT_VALIDATION\"" \
        > /etc/dnsmasq.conf
systemctl restart dnsmasq
sleep 20s   # この時間は環境により要調整

MoinQ: Letsencrypt/ACME/dns-01 (last edited 2022-02-16 02:41:21 by ToshinoriMaeno)