Let’sEncrypt certificat and domaine validation

Let's Encrypt is a very nice tool for creating free certificates for your site. With Let's Encrypt you need to use DNS validation (the dns challenge) if you want to create a wildcard certificate. In our case we host our zone on a Debian server with bind9; you can read our tutorial to learn how to set up bind9. You have to know that Let's Encrypt needs to read a TXT record in your zone to check that you are the owner of this zone. This TXT record always has the same name, _acme-challenge.your_zone.fr, but a different value for each renewal.

First we will create a dedicated zone for Let's Encrypt, so that our script makes its dynamic updates on this zone only and the key it uses cannot touch the rest of our DNS. Log in to your bind server, go to the configuration directory (/etc/bind/) and generate the HMAC (TSIG) key configuration.

root@bind:/root# cd /etc/bind/
root@bind:/etc/bind/# tsig-keygen -a hmac-sha512 letsencrypt_wildcard | tee letsencrypt_wildcard_key.conf
root@bind:/etc/bind/# chmod 600 letsencrypt_wildcard_key.conf
root@bind:/etc/bind/# cat letsencrypt_wildcard_key.conf
key "letsencrypt_wildcard" {
        algorithm hmac-sha512;
        secret "o0FzHZq/wrJa0/0VdOchxK+5i2AmY72sI3NpXchXef4YWfHMcJIBH2U7lzpcHuRVhZRQGqGSD0ekwmwrOCmaiA==";
}; 

Now we will create the Let's Encrypt zone configuration. Be aware that if you use dynamic updates on a zone with bind, you can still modify this zone manually, but you first need to freeze it with the rndc command. Edit named.conf, named.conf.local and the zone file (_acme-challenge.atomit.fr), or your own configuration files, and add this.

root@bind:/etc/bind/# tail -1 named.conf
include "/etc/bind/letsencrypt_wildcard_key.conf";


root@bind:/etc/bind/# tail named.conf.local
     zone "_acme-challenge.atomit.fr." {
                notify yes;
                type master;
                file "/etc/bind/zones/_acme-challenge.atomit.fr";
                check-names warn;
                journal "/var/log/bind/_acme-challenge.atomit.fr.jnl";
                update-policy {
                  grant letsencrypt_wildcard. name _acme-challenge.atomit.fr. txt;
                };
        };


root@bind:/etc/bind/# cat /etc/bind/zones/_acme-challenge.atomit.fr
$ORIGIN .
$TTL 900        ; 15 minutes
_acme-challenge.atomit.fr IN SOA ns0.atomit.fr. hostmaster.atomit.fr. (
                                2022060826 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                180        ; minimum (3 minutes)
                                )
                        NS      ns0.atomit.fr.
                        NS      ns1.atomit.fr.
$TTL 60 ; 1 minute
                        TXT     "acme_hook"
$ORIGIN _acme-challenge.atomit.fr.

Restart bind and log in to your web server. Check that the TXT record of the zone _acme-challenge.atomit.fr resolves correctly.

root@apache:/root/# dig _acme-challenge.atomit.fr. -t txt
;; ANSWER SECTION:
_acme-challenge.atomit.fr 59 IN     TXT     "acme_hook"

Now create a letsencrypt directory in root's home, copy the HMAC configuration file letsencrypt_wildcard_key.conf created earlier into it, and add these two scripts.

root@apache:/root/# mkdir /root/letsencrypt && cd /root/letsencrypt

root@apache:/root/# cat letsencrypt_clean_hook.sh
#!/bin/bash
# Cleanup hook: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION.
# Uncomment the two lines below to test the script by hand.
#CERTBOT_DOMAIN="atomit.fr"
#CERTBOT_VALIDATION="test"
echo "$CERTBOT_VALIDATION"
echo "$CERTBOT_DOMAIN"
mydnsserver=51.254.90.138
myzone="_acme-challenge.$CERTBOT_DOMAIN."
myrecord="$CERTBOT_VALIDATION"
# The key file is looked up next to this script, so the hook also works
# when certbot runs it from another working directory.
keyfile="$(dirname "$0")/letsencrypt_wildcard_key.conf"
echo "server $mydnsserver
zone $myzone
update delete $myzone 60 TXT $myrecord
show
send
quit
" | nsupdate -v -k "$keyfile"
sleep 60

root@apache:/root/# cat letsencrypt_hook.sh
#!/bin/bash
# Auth hook: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION.
# Uncomment the two lines below to test the script by hand.
#CERTBOT_DOMAIN="atomit.fr"
#CERTBOT_VALIDATION="test"
echo "$CERTBOT_VALIDATION"
echo "$CERTBOT_DOMAIN"
mydnsserver=51.254.90.138
myzone="_acme-challenge.$CERTBOT_DOMAIN."
myrecord="$CERTBOT_VALIDATION"
# The key file is looked up next to this script, so the hook also works
# when certbot runs it from another working directory.
keyfile="$(dirname "$0")/letsencrypt_wildcard_key.conf"
echo "server $mydnsserver
zone $myzone
update add $myzone 60 TXT $myrecord
show
send
quit
" | nsupdate -v -k "$keyfile"
# Give the record time to be visible before certbot validates it.
sleep 60

root@apache:/root/# cat letsencrypt_wildcard_key.conf
key "letsencrypt_wildcard" {
        algorithm hmac-sha512;
        secret "o0FzHZq/wrJa0/0VdOchxK+5i2AmY72sI3NpXchXef4YWfHMcJIBH2U7lzpcHuRVhZRQGqGSD0ekwmwrOCmaiA==";
}; 

root@apache:/root/# ls -la
drwxr-xr-x 2 root root 4096  8 juin  16:05 .
drwxr-xr-x 4 root root 4096 13 juin  10:27 ..
-rwxr-x--- 1 root root  367  8 juin  16:05 letsencrypt_clean_hook.sh
-rwxr-x--- 1 root root  366  8 juin  16:05 letsencrypt_hook.sh
-rw-r----- 1 root root  162  8 juin  11:43 letsencrypt_wildcard_key.conf

You need to change the value of the variable mydnsserver to the IP address of your DNS server. You can check beforehand that everything is fine by exporting the two variables and running the hook script a first time; if all is good you will see the new TXT record. Then you can try to delete this record with the clean hook.

root@apache:/root/#  export CERTBOT_DOMAIN="atomit.fr"
root@apache:/root/#  export CERTBOT_VALIDATION="test"
root@apache:/root/# mkdir /root/letsencrypt/ && cd  /root/letsencrypt
root@apache:/root/letsencrypt/# ./letsencrypt_hook.sh
test
atomit.fr
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;_acme-challenge.atomit.fr. IN      SOA

;; UPDATE SECTION:
_acme-challenge.atomit.fr. 60 IN    TXT     "test"

root@apache:/root/letsencrypt/# dig _acme-challenge.atomit.fr. -t txt
;; ANSWER SECTION:
_acme-challenge.atomit.fr 59 IN     TXT     "acme_hook"
_acme-challenge.atomit.fr 59 IN     TXT     "test"

root@apache:/root/letsencrypt/# ./letsencrypt_clean_hook.sh
test
atomit.fr
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;_acme-challenge.atomit.fr. IN      SOA

;; UPDATE SECTION:
_acme-challenge.atomit.fr. 0 NONE   TXT     "test"


root@apache:/root/letsencrypt/# dig _acme-challenge.atomit.fr. -t txt
;; ANSWER SECTION:
_acme-challenge.atomit.fr 59 IN     TXT     "acme_hook"
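
As an added example (not the post's own scripts), the two hooks can be merged into one script that takes the action as an argument, keeps the key file next to itself, and polls the authoritative server for the TXT record instead of a blind sleep 60. The script name acme_dns_hook.sh and the DNS_SERVER override are assumptions; the server IP, zone name and key file name are the ones used in this post.

```bash
#!/bin/bash
# Added example, not the post's script: one hook for both certbot phases.
#   --manual-auth-hook    "/root/letsencrypt/acme_dns_hook.sh add"
#   --manual-cleanup-hook "/root/letsencrypt/acme_dns_hook.sh delete"
# DNS_SERVER defaults to the post's bind server; override it via the environment.
set -eu

# Build the nsupdate batch for adding or deleting the challenge TXT record.
# $1 = add|delete, $2 = DNS server, $3 = CERTBOT_DOMAIN, $4 = CERTBOT_VALIDATION
build_update() {
    zone="_acme-challenge.$3."
    printf 'server %s\nzone %s\nupdate %s %s 60 TXT "%s"\nsend\n' \
        "$2" "$zone" "$1" "$zone" "$4"
}

# Read `dig +short` TXT output on stdin; succeed only if a line is exactly
# the quoted token, so a stale or partial value does not count as visible.
txt_present() {
    grep -Fxq "\"$1\""
}

# Poll the authoritative server for the record instead of a blind sleep.
# $1 = DNS server, $2 = domain, $3 = token, $4 = max attempts (5 s apart)
wait_for_txt() {
    i=0
    while [ "$i" -lt "${4:-12}" ]; do
        if dig @"$1" "_acme-challenge.$2." TXT +short | txt_present "$3"; then
            return 0
        fi
        i=$((i + 1))
        sleep 5
    done
    echo "TXT record for _acme-challenge.$2 not visible on $1" >&2
    return 1
}

main() {
    action=$1
    server=${DNS_SERVER:-51.254.90.138}
    # Key file lives next to the script, whatever certbot's working directory is.
    keyfile="$(cd "$(dirname "$0")" && pwd)/letsencrypt_wildcard_key.conf"
    : "${CERTBOT_DOMAIN:?set by certbot}" "${CERTBOT_VALIDATION:?set by certbot}"
    build_update "$action" "$server" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
        | nsupdate -v -k "$keyfile"
    if [ "$action" = add ]; then
        wait_for_txt "$server" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    fi
}
# Only act when an action is given, so the functions can be sourced for testing.
if [ $# -gt 0 ]; then main "$1"; fi
```

The update-policy grant on the bind side still limits what this key may change to TXT records on the single _acme-challenge name, so a leaked key file cannot be used to rewrite the main zone.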

If everything works, you can now run the certbot command to create the certificate.

root@apache:/root/letsencrypt/# certbot certonly --manual --agree-tos --renew-by-default --email admin@atomit.fr --preferred-challenges=dns --manual-auth-hook /root/letsencrypt/letsencrypt_hook.sh --manual-cleanup-hook /root/letsencrypt/letsencrypt_clean_hook.sh -d '*.atomit.fr' -d atomit.fr

...

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/atomit.fr/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/atomit.fr/privkey.pem
   Your certificate will expire on 2022-09-11. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You can check the renewal configuration in the file /etc/letsencrypt/renewal/atomit.fr.conf.

joel
