September 22, 2021 1:06 PM, "Brian Candler" <b.cand...@pobox.com> wrote:
> On 22/09/2021 10:54, inform...@trinaxab.se wrote:
>> July 9, 2021 5:12 PM, "Brian Candler" <b.cand...@pobox.com> wrote:
>>> On 09/07/2021 15:29, inform...@trinaxab.se wrote:
>>>> Specifically, the intention is to use a single wildcard certificate *.intra.example.com rather than one for each subdomain. I don't know if that changes anything.
>>> No difference. You just need to be able to insert TXT records in the zone _acme-challenge.intra.example.com to get a wildcard cert for *.intra.example.com. (Note that wildcard certs only match one level: e.g. "accounts.intra.example.com" will match but not "mail.accounts.intra.example.com")
>> How do I set this up? I haven't really worked with DNS on this level before. I find things relating to DNS updates, AXFR, TSIG and master/slave configurations, but I'm not sure which of those are relevant.
> In short:
>
> - if you've decided to use PowerDNS as the authoritative server for intra.example.com, you need to choose a backend which allows dynamic updates (i.e. not the BIND backend; one of the SQL ones will be fine)
> - you need to enable dynamic updates (e.g. using TSIG or via the API depending on how you're going to perform the updates)
> - you need to configure your ACME client to perform the updates.
>
> For example, "dehydrated" is a shell script for obtaining certificates, and here's a script which can do TSIG updates. Here are others which can do direct mysql updates or API updates.
>
> I've not tested any of these with PowerDNS (I use bind for LetsEncrypt as it doesn't need a database), so I'm afraid you need to put these bits together yourself.
>
> Make sure you point at the LetsEncrypt "staging environment" while you're testing this, otherwise you'll hit rate limits that will prevent you making further API calls to LetsEncrypt for several hours.
> Once all the challenge/response stuff is working, then switch to the production environment to get real certs.

Right, I think I completely misunderstood everything. For some reason I thought I needed to configure the two DNS servers to send updates to each other or something, but now I see that it's not nearly that complicated.

I found the following certbot plugins, of which I've successfully implemented the latter:

https://certbot-dns-rfc2136.readthedocs.io/en/stable/
https://pypi.org/project/certbot-dns-powerdns/

I don't necessarily need to use PowerDNS for the ACME DNS server, so I might employ bind with the former plugin instead, since it's only going to be a minimal DNS configuration.

Thank you!

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
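Two points from the thread above are easy to get wrong when wiring up a DNS-01 client by hand: which TXT owner name the ACME server queries for a wildcard identifier (the same `_acme-challenge.intra.example.com` name as for the base domain, the `*.` is not part of the record name), and the fact that a `*.intra.example.com` certificate covers exactly one label. The following is an added example, not code from the thread, certbot, or PowerDNS. It builds the DNS-01 TXT owner name and value from a token and account-key thumbprint as specified in RFC 8555 section 8.4 (the sample token and thumbprint are constructed placeholders, not real ACME values), and implements the single-label wildcard matching rule from RFC 6125 / RFC 9525 so you can check which hostnames a wildcard SAN will actually cover before requesting the certificate.

```python
"""DNS-01 record construction and wildcard-SAN matching (added example)."""
import base64
import hashlib


def acme_dns01_record(identifier: str, token: str, account_thumbprint: str) -> tuple[str, str]:
    """Return (TXT owner name, TXT value) for an ACME DNS-01 challenge.

    RFC 8555 s8.4: the TXT value is base64url(SHA-256(keyAuthorization)) with
    padding stripped, where keyAuthorization = token "." thumbprint (s8.1).
    For a wildcard identifier "*.intra.example.com" the record is placed at
    the base name, i.e. _acme-challenge.intra.example.com.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    owner = f"_acme-challenge.{base.rstrip('.')}."
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    value = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return owner, value


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Does a certificate name (possibly "*.zone") cover hostname?

    RFC 6125 / RFC 9525 rules as applied by browsers and Let's Encrypt:
      - the wildcard must be the entire leftmost label ("*.intra.example.com"),
      - it matches exactly one label, so "mail.accounts.intra.example.com"
        is NOT covered by "*.intra.example.com",
      - the bare base name "intra.example.com" is not covered either.
    """
    cert = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not cert.startswith("*."):
        return cert == host
    suffix = cert[1:]            # ".intra.example.com", keeps the dot boundary
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    # Exactly one non-empty label may stand in for the "*".
    return leftmost != "" and "." not in leftmost


def uncovered_hosts(cert_name: str, hostnames: list[str]) -> list[str]:
    """List the hostnames a planned wildcard certificate would NOT cover."""
    return [h for h in hostnames if not wildcard_matches(cert_name, h)]


if __name__ == "__main__":
    # Constructed placeholder values; a real client gets these from the ACME
    # challenge object and its own account key.
    owner, value = acme_dns01_record("*.intra.example.com", "example-token", "example-thumbprint")
    print(f"{owner} 60 IN TXT \"{value}\"")
    planned = ["accounts.intra.example.com", "mail.accounts.intra.example.com", "intra.example.com"]
    print("not covered by *.intra.example.com:", uncovered_hosts("*.intra.example.com", planned))
```

The `uncovered_hosts` check is the one to run against your inventory before ordering the certificate: anything two labels deep needs either its own wildcard (`*.accounts.intra.example.com`) or an explicit SAN.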