How to use Let’s Encrypt DNS challenge validation?

Currently it is possible to perform DNS validation, also with the certbot LetsEncrypt client in manual mode. Automation is possible as well (see below).

Manual plugin

You can either perform a manual verification – with the manual plugin.

certbot -d bristol3.pki.enigmabridge.com --manual --preferred-challenges dns certonly

Certbot will then provide you instructions to manually update a TXT record for the domain in order to proceed with the validation.

Please deploy a DNS TXT record under the name
_acme-challenge.bristol3.pki.enigmabridge.com with the following value:

667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc

Once this is deployed,
Press ENTER to continue

Once you have updated the DNS record, press Enter, certbot will continue and if the LetsEncrypt CA verifies the challenge, the certificate is issued as normally.

You may also use a command with more options to minimize interactivity and answering certbot questions. Note that the manual plugin does not yet support non-interactive mode.

certbot --text --agree-tos --email [email protected] -d bristol3.pki.enigmabridge.com --manual --preferred-challenges dns --expand --renew-by-default  --manual-public-ip-logging-ok certonly

Renewal does not work with the manual plugin as it runs in non-interactive mode. More info in the official certbot documentation.

Update: manual hooks

In the new certbot version you can use hooks, e.g., --manual-auth-hook, --manual-cleanup-hook. The hooks are external scripts executed by certbot to perform the task.

Information is passed in environment variables – e.g., domain to validate, challenge token. Vars: CERTBOT_DOMAIN, CERTBOT_VALIDATION, CERTBOT_TOKEN.

certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /path/to/dns/authenticator.sh --manual-cleanup-hook /path/to/dns/cleanup.sh -d secure.example.com

You can write your own handler or use already existing ones. There are many available, e.g., for Cloudflare DNS.

More info on official certbot hooks documentation.

Automation, Renewal, Scripting

If you would like to automate DNS challenge validation it is not currently possible with vanilla certbot. Update: some automation is possible with the certbot hooks.

We thus created a simple plugin that supports scripting with DNS automation. It’s available as certbot-external-auth.

pip install certbot-external-auth

It supports the DNS, HTTP, TLS-SNI validation methods. You can either use it in handler mode or in JSON output mode.

Handler mode

In handler mode, the certbot + plugin calls external hooks (a program, shell script, Python, …) to perform the validation and installation. In practice you write a simple handler/shell script which gets the input arguments – domain, token and makes the change in DNS. When the handler finishes, certbot proceeds with validation as usual.

This gives you extra flexibility, renewal is also possible.

Handler mode is also compatible with Dehydrated DNS hooks (former letsencrypt.sh). There are already many DNS hooks for common providers (e.g., CloudFlare, GoDaddy, AWS). In the repository there is a README with extensive examples and example handlers.

Example with Dehydrated DNS hook:

certbot \
    --text --agree-tos --email [email protected] \
    --expand --renew-by-default \
    --configurator certbot-external-auth:out \
    --certbot-external-auth:out-public-ip-logging-ok \
    -d "bristol3.pki.enigmabridge.com" \
    --preferred-challenges dns \
    --certbot-external-auth:out-handler ./dehydrated-example.sh \
    --certbot-external-auth:out-dehydrated-dns \
    run

JSON mode

Another plugin mode is JSON mode. It produces one JSON object per line. This enables a more complicated integration – e.g., when Ansible or some deployment manager is calling certbot. Communication is performed via STDOUT and STDIN. Cerbot produces JSON objects with data to perform the validation, for example:

certbot \
    --text --agree-tos --email [email protected] \
    --expand --renew-by-default \
    --configurator certbot-external-auth:out \
    --certbot-external-auth:out-public-ip-logging-ok \
    -d "bristol3.pki.enigmabridge.com" \
    --preferred-challenges dns \
    certonly 2>/dev/null

{"cmd": "perform_challenge", "type": "dns-01", "domain": "bs3.pki.enigmabridge.com", "token": "3gJ87yANDpmuuKVL2ktfQ0_qURQ3mN0IfqgbTU_AGS4", "validation": "ejEDZXYEeYHUxqBAiX4csh8GKkeVX7utK6BBOBshZ1Y", "txt_domain": "_acme-challenge.bs3.pki.enigmabridge.com", "key_auth": "3gJ87yANDpmuuKVL2ktfQ0_qURQ3mN0IfqgbTU_AGS4.tRQM98JsABZRm5-NiotcgD212RAUPPbyeDP30Ob_7-0"}

Once DNS is updated, the caller sends the new-line character to STDIN of certbot to signal it can continue with validation.

This enables automation and certificate management from the central management server. For installation you can deploy certificates over SSH.

For more info please refer to the readme and examples on certbot-external-auth GitHub.

EDIT: There is also a new blog post describing the DNS validation problem and the plugin usage.

EDIT: We currently work on Ansible 2-step validation, will be soon off.

Related Posts:

  1. Letsencrypt renewal fails: Could not bind to IPv4 or IPv6.. Skipping
  2. When is K 1024 and when is it 1000?
  3. Dial pad to get phone number (with Android button images)
  4. Why is it not possible to fake an IP address?
  5. Authentication versus Authorization
  6. What is tail recursion?
  7. Visual List of iOS Fonts?
  8. How to get rid of the “No bootable medium found!” error in Virtual Box? [closed]
  9. ‘git’ is not recognized as an internal or external command
  10. what is svn? and how to use it with project?
  11. How can I write a `try`/`except` block that catches all exceptions?
  12. How do I decompile a .dll file?
  13. What’s the purpose of git-mv?
  14. How to write trycatch in R
  15. how to use proxy on youtube-dl?
  16. SSH -X “Warning: untrusted X11 forwarding setup failed: xauth key data not generated”
  17. LINQ equivalent of foreach for IEnumerable
  18. How to do vlookup and fill down (like in Excel) in R?
  19. Using “super” in C++
  20. What is the difference between application server and web server?
  21. Were jprobes removed from kernel v4?
  22. ldap_sasl_bind(SIMPLE): Can’t contact LDAP server(-1)
  23. PHP – Failed to open stream : No such file or directory
  24. How to extract the substring between two markers?
  25. Code-first vs Model/Database-first
  26. How to resolve git’s “not something we can merge” error
  27. Even though JRE 8 is installed on my MAC -” No Java Runtime present,requesting to install ” gets displayed in terminal
  28. What fonts can I use with pygame.font.Font?
  29. CSS Box Shadow Bottom Only
  30. How to squash all git commits into one?
  31. how to fix Javac invalid flag error?
  32. PHP & MySQL: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given
  33. “Insert if not exists” statement in SQLite
  34. Web API Error – This request has been blocked; the content must be served over HTTPS
  35. How can I delete all of my Git stashes at once?
  36. How to create temp table using Create statement in SQL Server?
  37. Error while trying to retrieve text for error ORA-01019
  38. What is meant by diameter of a network?
  39. What is the “N+1 selects problem” in ORM (Object-Relational Mapping)?
  40. HTML Best Practices: Should I use ’ or the special keyboard shortcut?
  41. What is runtime in context of Python? What does it consist of?
  42. mount.nfs: requested NFS version or transport protocol is not supported
  43. How do you get the file size in C#?
  44. how to use svm in Weka Classsifier?
  45. MIPS ‘nor’ usage in code
  46. How can I center

Leave a Comment