NetBSD-Users archive


Re: Letsencrypt certificates



Greetings,

I run multiple web servers on several distinct machines in each of four
different domains, which makes the Letsencrypt proposition very
attractive.  After trying Certbot without much success, I lit upon
acme.sh, which offers the possibility of authentication using
nsupdate(1).  However the process fails, and the relevant error
message says:
Error add txt for domain:_acme-challenge.prd.co.uk

It is not clear if you already have working DNSSEC key to use with
nsupdate or not. I assume you have one.

Try to use environment variables
export NSUPDATE_SERVER=ns3.prd.co.uk
export NSUPDATE_KEY=key.private

before running acme.sh. The script will use them for updating the zone.

To check this you can issue:

# nsupdate -k key.private
> server <server>
>
> update add foo.bar.prd.co.uk 3600 in cname prd.co.uk
>
> update delete foo.bar.prd.co.uk
>

Do not forget the additional <enter> after each "update".

I note that the man page for nsupdate(1) says:

To use a SIG(0) key, the public key must be stored in a KEY record in a zone
served by the name server.  nsupdate does not read /etc/named.conf.

I am trying to work out whether that means that the keyfile
contents must be manually added to the zone file, because in
named.conf I have an include line for update.key which contains the
path to that key, so it should be there already.

It may not. It is possible to store the key in named.conf for named and have it in a file to use with nsupdate.

I note that on the acme.sh site there is a long list of *nix-style OSs
on which success has been reported, but not NetBSD.

I have used it on a lot of NetBSD servers (7 and 8) in production for a long time. I even told them, but they have not added NetBSD to the supported platforms.

--
Dima Veselov
Physics R&D Establishment of Saint-Petersburg University
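An added example, not from this thread and not acme.sh's own code, of doing the same key/server check non-interactively: it builds the nsupdate batch that adds and then removes an _acme-challenge TXT record (the record type and label the ACME DNS-01 challenge uses, and what acme.sh adds through nsupdate), pipes it to nsupdate with the key file, and asks the server directly whether the record became visible. It assumes the NSUPDATE_SERVER and NSUPDATE_KEY variables from the reply above; the domain argument and the 60 second TTL are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from acme.sh): reproduce the
# TXT-record add/delete that acme.sh's nsupdate mode performs, so a TSIG key
# and server can be verified before acme.sh is run.
# Assumes NSUPDATE_SERVER / NSUPDATE_KEY are exported as in the reply above.

# Build the nsupdate batch for adding (action=add) or removing
# (action=delete) the challenge TXT record of $domain. Pure string
# generation, nothing is sent. A final "send" line does what the extra
# blank line does in an interactive session.
build_batch() {
    action=$1; domain=$2; txt=$3; server=${4:-$NSUPDATE_SERVER}
    printf 'server %s\n' "$server"
    if [ "$action" = add ]; then
        printf 'update add _acme-challenge.%s 60 IN TXT "%s"\n' "$domain" "$txt"
    else
        printf 'update delete _acme-challenge.%s TXT\n' "$domain"
    fi
    printf 'send\n'
}

# Feed a batch to nsupdate, authenticating with the key file (-k), exactly
# as acme.sh does. Returns nsupdate's exit status; a failure here is the
# "Error add txt for domain" case from the original post.
run_batch() {
    build_batch "$@" | nsupdate -k "${NSUPDATE_KEY:?set NSUPDATE_KEY to the key file}"
}

# Query the authoritative server directly (no cache involved) for the
# record just added; succeeds only if the exact TXT value is present.
check_txt() {
    domain=$1; txt=$2
    dig +short @"$NSUPDATE_SERVER" "_acme-challenge.$domain" TXT \
        | grep -F "\"$txt\"" >/dev/null
}

# Stand-alone use:  sh check_nsupdate.sh prd.co.uk   (domain is hypothetical)
if [ $# -eq 1 ]; then
    d=$1
    v=$(head -c 30 /dev/urandom | od -An -tx1 | tr -d ' \n')   # dummy token
    run_batch add "$d" "$v" || { echo "add failed: check NSUPDATE_KEY/SERVER" >&2; exit 1; }
    sleep 2
    if check_txt "$d" "$v"; then
        echo "TXT record visible on $NSUPDATE_SERVER"
    else
        echo "TXT record not visible on $NSUPDATE_SERVER" >&2
    fi
    run_batch delete "$d" "$v"   # clean up, as acme.sh does after validation
fi
```

If the add step fails while the interactive session in the reply succeeds, the difference is usually the key: nsupdate reads only the file given with -k, so the key named in named.conf must also exist in that file with the same name, algorithm and secret.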

