LetsEncrypt Wildcards (Ubuntu 18.04)


Current version as of 24 May 2020, 08:04

Still in progress


== rfc2136 ==

=== Installation ===

<pre>
sudo apt-get install -y certbot python-certbot-apache python3-certbot-dns-rfc2136
</pre>

=== Configuration ===

==== PowerDNS ====

<pre>
sudo vi /etc/powerdns/pdns.conf
</pre>

<pre>
dnsupdate=yes
allow-dnsupdate-from=0.0.0.0/0,::0
</pre>
===== Database =====

<pre>
insert into domainmetadata(domain_id, kind, content) values((select id from domains where name='example.org'), 'SOA-EDIT-DNSUPDATE','INCREASE');
</pre>

<pre>
insert into domainmetadata(domain_id, kind, content) values((select id from domains where name='example.org'), 'ALLOW-DNSUPDATE-FROM','0.0.0.0/0');
</pre>

<pre>
sudo pdnsutil generate-tsig-key certbot hmac-sha512
</pre>

<pre>
insert into tsigkeys (name, algorithm, secret) values ('certbot', 'hmac-sha512', 'FYhvwsW1ZtFZqWzsMpqhbg==');
insert into domainmetadata (domain_id, kind, content) values ((select id from domains where name='example.org'), 'TSIG-ALLOW-DNSUPDATE', 'certbot');
</pre>

<pre>
insert into domainmetadata (domain_id, kind, content) values ((select id from domains where name='0.0.10.in-addr.arpa'), 'TSIG-ALLOW-DNSUPDATE', 'certbot');
</pre>
===== Test =====

<pre>
# the zone must be the one that contains the record being added
nsupdate <<!
server 127.0.0.1 5300
zone example.org
update add _test.example.org. 60 IN TXT "test"
key hmac-sha512:certbot FYhvwsW1ZtFZqWzsMpqhbg==
send
!
</pre>
===== Links =====

https://certbot.eff.org/lets-encrypt/debianbuster-apache

==== Certbot ====

<pre>
sudo mkdir /opt/certbot
sudo vi /opt/certbot/rfc2136.ini
sudo chmod 600 /opt/certbot/rfc2136.ini
</pre>

<pre>
# Target DNS server
dns_rfc2136_server = 127.0.0.1
# Target DNS port
dns_rfc2136_port = 5300
# TSIG key name
dns_rfc2136_name = certbot.
# TSIG key secret
dns_rfc2136_secret = FYhvwsW1ZtFZqWzsMpqhbg==
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512
</pre>

<pre>
sudo certbot certonly \
  --dns-rfc2136 \
  --dns-rfc2136-credentials /opt/certbot/rfc2136.ini \
  --dns-rfc2136-propagation-seconds 60 \
  -d example.com \
  -d dns1.example.com \
  -d '*.dns1.example.com' \
  -d poweradmin1.example.org
</pre>
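The credentials file and the <code>-d</code> list above can be sanity-checked before the first certbot run. The following is an added example, not code from this page or from the certbot project: it parses <code>rfc2136.ini</code>, reports the mistakes that typically make the plugin fail (missing fields, key name without trailing dot, unsupported algorithm, undecodable or short secret, file readable by other users), and shows which <code>_acme-challenge</code> names the four <code>-d</code> arguments produce. The algorithm names are the ones the plugin documents; passing the file mode in by hand is an assumption about how you would call it.

```python
import base64

# Algorithms the certbot dns-rfc2136 plugin accepts, with each HMAC's output
# size in bytes (RFC 2104 recommends a key at least that long).
ALGORITHMS = {"HMAC-MD5": 16, "HMAC-SHA1": 20, "HMAC-SHA224": 28,
              "HMAC-SHA256": 32, "HMAC-SHA384": 48, "HMAC-SHA512": 64}
FIELDS = ("server", "port", "name", "secret", "algorithm")

def parse_credentials(text):
    """Parse the section-less 'key = value' lines of rfc2136.ini."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def check_credentials(cfg, mode=0o600):
    """Return problems found; mode is the file's permission bits (st_mode & 0o777)."""
    problems = ["missing dns_rfc2136_" + f for f in FIELDS if "dns_rfc2136_" + f not in cfg]
    if problems:
        return problems
    port, algo = cfg["dns_rfc2136_port"], cfg["dns_rfc2136_algorithm"].upper()
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("port %r is not a valid port number" % port)
    if not cfg["dns_rfc2136_name"].endswith("."):
        problems.append("key name should be fully qualified (trailing dot)")
    if algo not in ALGORITHMS:
        problems.append("unsupported algorithm " + algo)
    try:
        secret = base64.b64decode(cfg["dns_rfc2136_secret"], validate=True)
        if len(secret) < ALGORITHMS.get(algo, 0):
            problems.append("secret is shorter than the %s output size" % algo)
    except ValueError:                        # binascii.Error is a ValueError
        problems.append("secret is not valid base64")
    if mode & 0o077:
        problems.append("file is readable by group/others; chmod 600 it")
    return problems

def challenge_names(domains):
    """_acme-challenge owner names for certbot -d arguments: a wildcard and its
    base name (dns1.example.com, *.dns1.example.com) share a single name."""
    names = []
    for d in domains:
        name = "_acme-challenge." + (d[2:] if d.startswith("*.") else d)
        if name not in names:
            names.append(name)
    return names
```

Because the wildcard and its base name share one challenge name, the zone must accept two TXT records under <code>_acme-challenge.dns1.example.com</code> at the same time, which the TSIG-authorised update above allows.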
===== Links =====

https://certbot-dns-rfc2136.readthedocs.io/en/stable/

=== Renew ===

According to <code>/etc/cron.d/certbot</code>, on <code>systemd</code>-based systems the renewal is run by the timer instead:

<pre>
sudo systemctl list-timers
</pre>
<pre>
NEXT                         LEFT          LAST                         PASSED       UNIT                         ACTIVATES
Sun 2020-03-15 18:59:21 CET  3h 42min left Sun 2020-03-15 10:26:56 CET  4h 49min ago certbot.timer                certbot.service
</pre>

=== General links ===

https://bbs.archlinux.org/viewtopic.php?id=240847

https://doc.powerdns.com/authoritative/dnsupdate.html

https://wiki.archlinux.org/index.php/Certbot

== Docker ==

{{note|Not yet tested}}

To use the [https://hub.docker.com/r/certbot/dns-nsone certbot/dns-nsone] image, run the following command:

<pre>
sudo docker run -it --rm --name certbot \
            -v "/etc/letsencrypt:/etc/letsencrypt" \
            -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
            certbot/dns-nsone certonly
</pre>

=== Links ===

https://certbot.eff.org/docs/install.html#running-with-docker

https://hub.docker.com/u/certbot

https://medium.com/faun/docker-letsencrypt-dns-validation-75ba8c08a0d

