Brandon Rozek

PhD Student @ RPI studying Automated Reasoning in AI and Linux Enthusiast.

Using the DNS-01 Challenge to obtain a wildcard certificate on Letsencrypt


Letsencrypt lets anyone get a free SSL certificate in an easily automated way. It verifies that the user is allowed to issue a certificate for a domain by issuing a challenge. Let's say that I want a certificate for exampledomain.com. The default for most clients is the HTTP-01 challenge, which requires a webserver on that domain listening on port 80. As part of the challenge, the Letsencrypt client drops a file in the appropriate webserver folder so that it is served at http://exampledomain.com/.well-known/acme-challenge/<token>; on nginx, for example, this could be /var/www/exampledomain.com/.well-known/acme-challenge/<token>. The Letsencrypt server then verifies that the file exists before issuing the certificate.

This works easily for one domain, but what if we have many sub-domains we want added to the certificate? With the HTTP-01 challenge, we need to validate each sub-domain individually. Alternatively, we can use the DNS-01 challenge to be issued a wildcard certificate. With one wildcard certificate (e.g. *.exampledomain.com) we can secure a.exampledomain.com, b.exampledomain.com and many more!

Letsencrypt verifies that the user is allowed to claim all these subdomains by checking whether the user has access to the DNS zone file for that domain. The idea is that if the user is able to change the DNS anyway, then the user could've gone through the process of installing a webserver at that IP. With access to the DNS zone file, the user has to create a TXT record.

Now this process could be done manually on Certbot by using the --manual flag. However, in the spirit of automation, many plugins exist to help streamline the process. This list of DNS providers shows which providers support this feature and in which clients.

If your provider isn't on this list, not all hope is lost. Under the manual plugin one can use the hooks --manual-auth-hook and --manual-cleanup-hook to execute external scripts that access the DNS provider's API.
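As an added example that is not part of the original post, the following Python script sketches the shape such a hook pair takes: certbot's CERTBOT_DOMAIN and CERTBOT_VALIDATION variables feed the TXT record, the record is polled until it is visible before the hook returns, and the API credentials file is refused if other users can read it. The provider_add_txt/provider_delete_txt calls are placeholders for whatever API your provider offers, and the CREDENTIALS path is an assumption.

```python
#!/usr/bin/env python3
"""certbot --manual-auth-hook / --manual-cleanup-hook skeleton for DNS-01.
Constructed example: provider_add_txt/provider_delete_txt stand in for the
DNS provider's API and CREDENTIALS is an assumed path for its credentials."""
import os, stat, subprocess, sys, time
from typing import Callable, List, Tuple

CREDENTIALS = os.path.expanduser("~/.secrets/certbot/dns-api.ini")  # assumed

def challenge_record(domain: str, validation: str) -> Tuple[str, str]:
    """TXT record (name, value) the CA queries. A wildcard is validated on the
    base name, so any leading '*.' is dropped; certbot already derived the value."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base, validation

def credentials_mode_ok(mode: int) -> bool:
    """Credentials that can change the zone must not be group/other readable."""
    return stat.S_IMODE(mode) & 0o077 == 0

def dig_txt(name: str) -> List[str]:
    """Current TXT strings for name, via dig (dig prints the values quoted)."""
    out = subprocess.run(["dig", "+short", "TXT", name], capture_output=True, text=True).stdout
    return [line.strip().strip('"') for line in out.splitlines()]

def wait_for_txt(name: str, value: str, lookup: Callable[[str], List[str]] = dig_txt,
                 attempts: int = 30, delay: float = 10.0) -> bool:
    """Poll until the value is visible. Returning from the auth hook before
    propagation makes the CA's query race the update and fail the order."""
    for _ in range(attempts):
        if value in lookup(name):
            return True
        time.sleep(delay)
    return False

def provider_add_txt(name: str, value: str) -> None:  # placeholder
    raise NotImplementedError("replace with the DNS provider's API call")

def provider_delete_txt(name: str, value: str) -> None:  # placeholder
    raise NotImplementedError("replace with the DNS provider's API call")

if __name__ == "__main__":
    if not credentials_mode_ok(os.stat(CREDENTIALS).st_mode):
        sys.exit(f"{CREDENTIALS} is readable by others; chmod 600 it first")
    name, value = challenge_record(os.environ["CERTBOT_DOMAIN"], os.environ["CERTBOT_VALIDATION"])
    if sys.argv[1:] == ["cleanup"]:  # same script registered as the cleanup hook
        provider_delete_txt(name, value)
    else:
        provider_add_txt(name, value)
        if not wait_for_txt(name, value):
            sys.exit("TXT record did not propagate in time")
```

Register it with both `--manual-auth-hook "/path/to/hook.py"` and `--manual-cleanup-hook "/path/to/hook.py cleanup"` alongside `--preferred-challenges dns`.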

This wiki page for Certbot shows the list of supported providers and how to structure the command-line arguments. For example, I use Nginx as my webserver and Linode as my DNS nameserver.

certbot certonly \
  --dns-linode \
  --dns-linode-credentials ~/.secrets/certbot/linode.ini \
  -d *.exampledomain.com