Differences between revisions 7 and 8
Revision 7 as of 2022-02-15 15:56:36
Size: 3004
Editor: ToshinoriMaeno
Comment:
Revision 8 as of 2022-02-16 02:41:21
Size: 3052
Editor: ToshinoriMaeno
Comment:
Deletions are marked like this. Additions are marked like this.
Line 5: Line 5:
== 心配 == == 機能 ==
Line 8: Line 8:
  CNAMEを経由することも可能。
Line 9: Line 10:
== サブドメイン == == サブドメイン乗取 ==

1. Letsencrypt/dns-01

Contents

  1. Letsencrypt/dns-01
    1. 機能
    2. サブドメイン乗取
    3. 認証方式
    4. DNS API
    5. 実行例
    6. 実行例2
    7. 自動化

1.1. 機能

"_acme-challenge.example.com" ownerのTXTレコードを作れるかどうかを確認している。

1.2. サブドメイン乗取

NSが存在しないことくらいは確認して欲しい。 -- ToshinoriMaeno 2019-01-26 00:29:30

http://ya.maya.st/d/201903b.html あぶない話が載っている。

  • 「lame になるけど、誰もクエリを投げてこないので」 : 大丈夫か。-- ToshinoriMaeno 2020-06-30 23:52:08

1.3. 認証方式

https://dan.langille.org/2017/05/31/creating-a-txt-only-nsupdate-connection-for-lets-encrypt/

moin.qmail.jp のようにDNS(zone)も自前のサイトなら、dns-01型の認証の方が簡単かと思った。

At the simplistic level, the client talks to the Let’s Encrypt ACME server and obtains a “token” that needs to be placed in a TXT record in your DNS.

1.4. DNS API

If your DNS provider has an API then this record can be added automatically, or you can do it manually.

Once the TXT record is there, Let’s Encrypt verifies this and provides you with a certificate (via the same client).

You will need a new token every time you need to renew for a new certifcate though, hence automation is easier.

Which arguments you need to call depends on which client you are using.

https://letsencrypt.org/docs/client-options/

1.5. 実行例

certonly --manual

https://blog.fabiopires.pt/running-your-instance-of-burp-collaborator-server/

1.6. 実行例2

https://blog.rinsuki.net/articles/letsencrypt-wildcard-in-cloudflare-dns/

wildcard, cloudflare DNS API plugin

1.7. 自動化

Let’s Encryptの証明書更新(DNS認証)を自動化 https://blog.nightonly.com/2021/03/24/lets-encrypt%E3%81%AE%E8%A8%BC%E6%98%8E%E6%9B%B8%E6%9B%B4%E6%96%B0%EF%BC%88dns%E8%AA%8D%E8%A8%BC%EF%BC%89%E3%82%92%E8%87%AA%E5%8B%95%E5%8C%96/

https://www.codingstock.jp/letsencrypt_dns01_autorenew/ (hook)

https://qiita.com/marks43/items/5fec21992e12a9433676

/etc/letsencrypt/renewal-hooks/ 配下の(pre, post, deploy)のそれぞれのディレクトリに 実行ファイルを保存しておくと勝手に実行されるようです。 

/etc/letsencrypt/renewal-hooks/pre/dns01-auth.sh

#!/bin/bash
#echo $CERTBOT_VALIDATION > /tmp/CERTBOT_VALIDATION.txt ##確認用
#echo $CERTBOT_DOMAIN > /tmp/CERTBOT_DOMAIN.txt ##確認用
[ "$CERTBOT_VALIDATION" = "" ] && exit 0
[ "$CERTBOT_TOKEN"     != "" ] && exit 0
echo -e " port=53\n" \
        "no-hosts\n" \
        "domain-needed\n" \
        "bogus-priv\n" \
        "txt-record=_acme-challenge.$CERTBOT_DOMAIN,\"$CERTBOT_VALIDATION\"" \
        > /etc/dnsmasq.conf
systemctl restart dnsmasq
sleep 20s   # この時間は環境により要調整

MoinQ: Letsencrypt/ACME/dns-01 (last edited 2022-02-16 02:41:21 by ToshinoriMaeno)