LetsEncrypt Wildcards (Ubuntu 18.04)
{{note|Still in progress}}
== rfc2136 ==
=== Installation ===
<pre>
sudo apt-get install -y certbot python-certbot-apache python3-certbot-dns-rfc2136
</pre>
=== Configuration ===
==== PowerDNS ====
<pre>
sudo vi /etc/powerdns/pdns.conf
</pre>
<pre>
dnsupdate=yes
# accept updates from any IPv4/IPv6 source; "::0" without a prefix length would match only the single host ::
allow-dnsupdate-from=0.0.0.0/0,::/0
</pre>
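A small audit of the two <code>pdns.conf</code> settings above, added here as an example (it is not code from this page or from PowerDNS; the function names <code>pdns_get</code> and <code>audit_pdns_dnsupdate</code> and the sample config are my own). It reports ranges that let any address send updates, so that you see explicitly that only the TSIG key configured below still gates them, and it catches an IPv6 entry written as <code>::0</code>, which is a single host rather than all of IPv6:

```sh
#!/bin/sh
# Audit of the DNS-update settings in a pdns.conf (added example; not code
# from the wiki page or from PowerDNS). Prints one line per finding and
# returns the number of findings as the exit status.

# pdns_get FILE SETTING: value of the last uncommented "setting=value" line
pdns_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_pdns_dnsupdate FILE: check dnsupdate and allow-dnsupdate-from
audit_pdns_dnsupdate() {
    findings=0
    if [ "$(pdns_get "$1" dnsupdate)" != "yes" ]; then
        echo "INFO: dnsupdate is not enabled, nothing to check"
        return 0
    fi
    ranges=$(pdns_get "$1" allow-dnsupdate-from)
    # PowerDNS documents 127.0.0.0/8,::1 as the default (assumption: unchanged in your version)
    [ -n "$ranges" ] || ranges="127.0.0.0/8,::1"
    old_ifs=$IFS
    IFS=','
    set -- $ranges          # split the comma-separated list into positional parameters
    IFS=$old_ifs
    for r in "$@"; do
        r=$(printf '%s' "$r" | tr -d ' \t')
        case "$r" in
            0.0.0.0/0|::/0)
                echo "WARN: '$r' lets any address send updates; only TSIG-ALLOW-DNSUPDATE metadata gates them"
                findings=$((findings + 1)) ;;
            ::|::0|0::0)
                echo "WARN: '$r' has no prefix length and matches only the host ::, not all of IPv6 (use ::/0)"
                findings=$((findings + 1)) ;;
            *:*|*.*.*.*) ;;   # ordinary host or range, nothing to flag
            *)
                echo "WARN: cannot parse entry '$r'"
                findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}

# demo_pdns_audit: run the audit on a constructed pdns.conf with the settings from this page
demo_pdns_audit() {
    tmp=$(mktemp)
    printf 'dnsupdate=yes\nallow-dnsupdate-from=0.0.0.0/0,::0\n' > "$tmp"   # constructed sample
    n=0
    audit_pdns_dnsupdate "$tmp" || n=$?
    rm -f "$tmp"
    echo "findings: $n"
    return 0
}

demo_pdns_audit
```

Run it as <code>audit_pdns_dnsupdate /etc/powerdns/pdns.conf</code>; the exit status is the number of findings, so it drops into a deployment check without parsing the output.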
===== Database =====
<pre>
insert into domainmetadata(domain_id, kind, content) values((select id from domains where name='example.org'), 'SOA-EDIT-DNSUPDATE','INCREASE');
</pre>
<pre>
insert into domainmetadata(domain_id, kind, content) values((select id from domains where name='example.org'), 'ALLOW-DNSUPDATE-FROM','0.0.0.0/0');
</pre>
<pre>
sudo pdnsutil generate-tsig-key certbot hmac-sha512
</pre>
<pre>
insert into tsigkeys (name, algorithm, secret) values ('certbot', 'hmac-sha512', 'FYhvwsW1ZtFZqWzsMpqhbg==');
</pre>
<pre>
insert into domainmetadata (domain_id, kind, content) values ((select id from domains where name='example.org'), 'TSIG-ALLOW-DNSUPDATE', 'certbot');
</pre>
<pre>
insert into domainmetadata (domain_id, kind, content) values ((select id from domains where name='0.0.10.in-addr.arpa'), 'TSIG-ALLOW-DNSUPDATE', 'certbot');
</pre>
===== Test =====
<pre>
nsupdate <<!
server 127.0.0.1 5300
zone example.org
update add _test.example.org. 60 IN TXT "test"
key hmac-sha512:certbot FYhvwsW1ZtFZqWzsMpqhbg==
send
!
</pre>
===== Links =====
[https://certbot.eff.org/lets-encrypt/debianbuster-apache https://certbot.eff.org/lets-encrypt/debianbuster-apache]
==== Certbot ====
<pre>
sudo mkdir /opt/certbot
sudo vi /opt/certbot/rfc2136.ini
sudo chmod 600 /opt/certbot/rfc2136.ini
</pre>
<pre>
# Target DNS server
dns_rfc2136_server = 127.0.0.1
# Target DNS port
dns_rfc2136_port = 5300
# TSIG key name
dns_rfc2136_name = certbot.
# TSIG key secret
dns_rfc2136_secret = FYhvwsW1ZtFZqWzsMpqhbg==
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512
</pre>
<pre>
sudo certbot certonly \
  --dns-rfc2136 \
  --dns-rfc2136-credentials /opt/certbot/rfc2136.ini \
  --dns-rfc2136-propagation-seconds 60 \
  -d example.com \
  -d dns1.example.com \
  -d '*.dns1.example.com' \
  -d poweradmin1.example.org
</pre>
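Before running <code>certbot certonly</code> it is worth checking the credentials file the same way certbot will read it. The following preflight script is an added example, not code from this page or from certbot; <code>ini_get</code>, <code>check_rfc2136_ini</code> and the constructed sample file are my own, and the rejection of HMAC-MD5/HMAC-SHA1 is a local policy choice, not a certbot restriction. It verifies the 0600 mode set above, the presence of the keys the plugin needs, a supported algorithm, a base64 secret as produced by <code>pdnsutil generate-tsig-key</code>, and a numeric port:

```sh
#!/bin/sh
# Preflight check for a certbot dns-rfc2136 credentials file (added example;
# not code from the wiki page or from certbot). Returns 0 if the file passes,
# 1 otherwise, printing one FAIL line per problem.

# ini_get FILE KEY: value of the first "key = value" line, trailing blanks stripped
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_rfc2136_ini FILE
check_rfc2136_ini() {
    f=$1
    rc=0
    # certbot only warns about unsafe permissions; this check treats anything but 0600 as a failure
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "FAIL: $f has mode $mode, expected 600"; rc=1; }
    # keys the plugin requires (dns_rfc2136_port is optional; assumption: it defaults to 53)
    for k in dns_rfc2136_server dns_rfc2136_name dns_rfc2136_secret dns_rfc2136_algorithm; do
        [ -n "$(ini_get "$f" "$k")" ] || { echo "FAIL: $k missing or empty"; rc=1; }
    done
    # algorithm: one the plugin documents, minus the legacy MD5/SHA1 ones (local policy choice)
    alg=$(ini_get "$f" dns_rfc2136_algorithm | tr 'a-z' 'A-Z')
    case "$alg" in
        HMAC-SHA224|HMAC-SHA256|HMAC-SHA384|HMAC-SHA512) ;;
        HMAC-MD5|HMAC-SHA1) echo "FAIL: $alg is accepted by certbot but rejected by this check"; rc=1 ;;
        *) echo "FAIL: unknown algorithm '$alg'"; rc=1 ;;
    esac
    # secret: must decode as base64, which is the form pdnsutil generate-tsig-key prints
    secret=$(ini_get "$f" dns_rfc2136_secret)
    printf '%s' "$secret" | base64 -d >/dev/null 2>&1 || { echo "FAIL: secret is not valid base64"; rc=1; }
    # port, when given, must be numeric
    port=$(ini_get "$f" dns_rfc2136_port)
    if [ -n "$port" ] && ! printf '%s' "$port" | grep -Eq '^[0-9]+$'; then
        echo "FAIL: port '$port' is not numeric"; rc=1
    fi
    return $rc
}

# demo_rfc2136_check: write a constructed credentials file matching the example above and check it
demo_rfc2136_check() {
    tmp=$(mktemp)
    printf '%s\n' 'dns_rfc2136_server = 127.0.0.1' 'dns_rfc2136_port = 5300' \
        'dns_rfc2136_name = certbot.' 'dns_rfc2136_secret = FYhvwsW1ZtFZqWzsMpqhbg==' \
        'dns_rfc2136_algorithm = HMAC-SHA512' > "$tmp"    # constructed sample
    chmod 600 "$tmp"
    if check_rfc2136_ini "$tmp"; then echo "OK: $tmp passes"; fi
    rm -f "$tmp"
    return 0
}

demo_rfc2136_check
```

Call <code>check_rfc2136_ini /opt/certbot/rfc2136.ini</code> from the same shell that will run certbot; a non-zero exit tells you to fix the file before the ACME challenge is attempted.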
===== Links =====
[https://certbot-dns-rfc2136.readthedocs.io/en/stable/ https://certbot-dns-rfc2136.readthedocs.io/en/stable/]
=== Renew ===
According to <code>sudo vi /etc/cron.d/certbot</code>, on <code>systemd</code>-based systems the renewal is handled by the systemd timer:
<pre>
sudo systemctl list-timers
</pre>
<pre>
NEXT                         LEFT           LAST                         PASSED        UNIT           ACTIVATES
Sun 2020-03-15 18:59:21 CET  3h 42min left  Sun 2020-03-15 10:26:56 CET  4h 49min ago  certbot.timer  certbot.service
</pre>
=== General Links ===
[https://bbs.archlinux.org/viewtopic.php?id=240847 https://bbs.archlinux.org/viewtopic.php?id=240847]
[https://doc.powerdns.com/authoritative/dnsupdate.html https://doc.powerdns.com/authoritative/dnsupdate.html]
[https://wiki.archlinux.org/index.php/Certbot https://wiki.archlinux.org/index.php/Certbot]
== Docker ==
{{note|Not yet tested}}
To use the [https://hub.docker.com/r/certbot/dns-nsone certbot/dns-nsone] image, run the following command:
<pre>
sudo docker run -it --rm --name certbot \
  -v "/etc/letsencrypt:/etc/letsencrypt" \
  -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
  certbot/dns-nsone certonly
</pre>
=== Links ===
[https://certbot.eff.org/docs/install.html#running-with-docker https://certbot.eff.org/docs/install.html#running-with-docker]
[https://hub.docker.com/u/certbot https://hub.docker.com/u/certbot]
[https://medium.com/faun/docker-letsencrypt-dns-validation-75ba8c08a0d https://medium.com/faun/docker-letsencrypt-dns-validation-75ba8c08a0d]
Back to [[LetsEncrypt (Ubuntu 18.04)#Wildcard Zertifikate|LetsEncrypt]]
Current revision as of 24 May 2020, 08:04