Let's Encrypt DNS Challenge Using Certbot and PowerDNS
Let’s Encrypt has been a blessing for system administrators and the internet at large for years now. It was just announced that Let’s Encrypt has issued their billionth certificate and has seen site availability over HTTPS rise globally to 81%. One reason for this strong adoption is the ease of install using one of the many ACME clients available. The most popular is Certbot by the EFF. Certbot verifies domain ownership through various challenge/response mechanisms. We are going to look into the DNS challenge and setting it up using PowerDNS as our nameserver software. This challenge works by inserting a TXT record in the zone of the domain you are trying to request a certificate for. If Let’s Encrypt can successfully query this record from the authoritative source, it considers the challenge passed and will issue you a new certificate. This challenge type is required if you are requesting a wildcard certificate.
Powerdns Config Setup
I assume an already working authoritative PowerDNS install as it’s setup is beyond the scope of this article. We will first need to make a few changes to our PowerDNS authoritative server to enable DNS updates and define who is allowed to make these updates. In the main config file, add these directives, substituting the IP address with the server which will be running Certbot and be making the update request. Restart the PowerDNS server to load the new config. ( Pdns config docs regarding dynamic updates )
|
|
TSIG Key Generation
The next step in this process is going to be generating a TSIG key on our DNS server. TSIG keys are primarily used as a shared secret to authenticate DNS updates. In our example, the request generated by Certbot and sent to our DNS server. This diagram shows an example of this transaction. If the Message Authentication Code (MAC) matches, the message is authentic and the update is processed by the server. PowerDNS has the ability to operate many different zone storage backends. We are going to be using the pdnsutil utility, provided by PowerDNS, so these commands will work on any backend which supports DNSSEC (Backend Feature Table).
pdnsutil generate-tsig-key certbot hmac-sha256
This command will generate the TSIG key and save it in whichever backend you are using. I am using the name certbot to identify the key however this can be whatever string you would like.
We now need to activate the key. This will tell PowerDNS that the TSIG key can be used for the zone you are trying to update. Make sure to update the command with the correct zone.
pdnsutil activate-tsig-key example.com certbot
This completes the setup on our PowerDNS server.
Certbot Setup
Now that we have the PowerDNS server setup completed, we will need to make some configuration changes on the server we are running the Certbot client on. This server should have it’s IP specified in the PowerDNS config as one allowed to update. As mentioned earlier, the TSIG key is used as a shared secret. We will need to copy this key onto the client in a configuration file which we will then pass to Certbot. It does not matter where you place this config file on the server, just that certbot can read it and it is not globally readable as you do not wish you key to be public knowledge to everyone on the server. For this example, we will create the file under /root/certbot.conf
|
|
Requesting a Certificate
With all the pieces in place, the last step is to use Certbot to request a certificate.
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /root/certbot.conf -d example.com
This command will, using the credentials provided in the configuration file, do the following
- Update the zone of the domain specified in the command with a new temporary TXT record
- Reach out to Let’s Encrypt with this information
- Lets Encrypt will attempt to verify by submitting a query for this TXT record.
- If the query is successful, Let’s Encrypt will issue the certificate
- Certbot will update the zone one more time, deleting the temporary TXT record.