ACME DNS-01 challenge with dehydrated

prepare the hook

the official sample is here:

https://github.com/lukas2511/dehydrated/blob/master/docs/examples/hook.sh

manual

assuming you’ve got NSD up and running locally

    cd /etc/dehydrated/
    wget https://raw.githubusercontent.com/gheja/dns-01-manual/refs/heads/master/hook.sh
    chmod +x hook.sh

otherwise this one seems worth a try: https://github.com/sebastiansterk/dns-01-manual/blob/master/hook.sh

local nsd daemon

we are pointing to our hook script

    cd /etc/nsd/
    wget https://pub.nethence.com/bin/daemons/sign.sh
    chmod +x sign.sh

    cd /etc/dehydrated/
    wget https://pub.nethence.com/bin/daemons/hook-nsd.sh
    chmod +x hook-nsd.sh

yandex dns

we are pointing to another hook script of ours

    cd /etc/dehydrated/
    wget https://pub.nethence.com/bin/daemons/hook-yandex.sh
    wget https://pub.nethence.com/bin/daemons/yandex-dnszone-get.bash
    wget https://pub.nethence.com/bin/daemons/yandex-dnszone-updaterecordset.bash
    chmod +x hook-yandex.sh yandex-dnszone-get.bash yandex-dnszone-updaterecordset.bash

    vi hook-yandex.sh

    zoneid=...

setup

    vi /etc/dehydrated/config-dns01

    CONTACT_EMAIL=...

    IP_VERSION=4
    CA="letsencrypt"
    CHALLENGETYPE="dns-01"
    DOMAINS_TXT="/etc/dehydrated/domains-dns01"

    # manual
    HOOK=/etc/dehydrated/hook.sh

    # local nsd daemon
    HOOK=/etc/dehydrated/hook-nsd.sh

    # yandex dns
    HOOK=/etc/dehydrated/hook-yandex.sh

grab some certs for both the domain itself and its sub-level wildcard

    vi /etc/dehydrated/domains-dns01

    DOMAIN.TLD
    *.DOMAIN.TLD > DOMAIN_TLD

ready to go

accept the terms and attempt to get some CSR signed

    dehydrated --config /etc/dehydrated/config-dns01 --register --accept-terms
    find /etc/dehydrated/accounts/

dealing with dns-01

    # todo - automate all that
    # from workstation
    #export YC_TOKEN=`yc iam create-token`
    # on server
    #export YC_TOKEN=...

    dehydrated --cron --keep-going --config /etc/dehydrated/config-dns01
    dehydrated --cleanup
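for reference, this is what dehydrated expects from the hook script configured above: it calls the hook with a handler name and arguments, and only deploy_challenge / clean_challenge need to do anything for dns-01. this is an added illustration, not hook-nsd.sh from this page; ZONEFILE and RELOAD_CMD are hypothetical names, and the serial bump / AXFR notify is assumed to happen in RELOAD_CMD.

```shell
#!/bin/sh
# Added example dns-01 hook for dehydrated (not the page's hook-nsd.sh).
# dehydrated invokes:  hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#                      hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
# Hypothetical settings: a zone file holding only challenge records, and a
# command that reloads the daemon (and bumps the SOA serial for secondaries).
ZONEFILE="${ZONEFILE:-/etc/nsd/acme-challenges.zone}"
RELOAD_CMD="${RELOAD_CMD:-nsd-control reload}"

# Owner name the CA queries. A leading "*." is stripped so that DOMAIN.TLD
# and *.DOMAIN.TLD both validate at _acme-challenge.DOMAIN.TLD.
acme_owner() {
    printf '_acme-challenge.%s.\n' "${1#\*.}"
}

# One zone-file line for a token; a short TTL keeps failed retries cheap.
acme_txt_record() {
    printf '%s 60 IN TXT "%s"\n' "$(acme_owner "$1")" "$2"
}

# Append the record. Do not truncate the file: the apex and the wildcard
# are validated with two different tokens at the same owner name.
deploy_challenge() {
    acme_txt_record "$1" "$3" >> "$ZONEFILE"
    $RELOAD_CMD
}

# Remove only the line carrying this exact token, keeping sibling records.
# grep exits 1 when nothing is left, which is not an error here.
clean_challenge() {
    rec="$(acme_txt_record "$1" "$3")"
    grep -Fvx -- "$rec" "$ZONEFILE" > "$ZONEFILE.tmp" || [ $? -eq 1 ]
    mv "$ZONEFILE.tmp" "$ZONEFILE"
    $RELOAD_CMD
}

# Dispatch on the handler name. dehydrated also calls deploy_cert,
# unchanged_cert, invalid_challenge, request_failure, startup_hook and
# exit_hook; a dns-01 hook must accept them and exit 0.
if [ $# -gt 0 ]; then
    case "$1" in
        deploy_challenge) shift; deploy_challenge "$@" ;;
        clean_challenge)  shift; clean_challenge "$@" ;;
        *) ;;
    esac
fi
```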

more options

    # --algo secp384r1 --out /var/lib/dehydrated/certs/secp384r1
    # --algo rsa --out /var/lib/dehydrated/certs/rsa

resources

https://github.com/dehydrated-io/dehydrated/wiki

https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/domains.txt

https://github.com/dehydrated-io/dehydrated/blob/master/docs/dns-verification.md

https://github.com/dehydrated-io/dehydrated/wiki/example-dns-01-nsupdate-script

https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation

https://community.letsencrypt.org/t/dns-01-problem-with-dehydrated/116338

https://www.aaflalo.me/2017/02/lets-encrypt-with-dehydrated-dns-01/

https://blog.znedw.com/lets-encrypt-wildcard-nsd.html

Licensed under MIT