<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 22/09/2021 10:54,
<a class="moz-txt-link-abbreviated" href="mailto:informant@trinaxab.se">informant@trinaxab.se</a> wrote:<br>
</div>
<blockquote type="cite"
cite="mid:fa5de24b64aa875e8fd1117418afd325@trinaxab.se">
<div class="moz-text-plain" wrap="true" graphical-quote="true"
style="font-family: -moz-fixed; font-size: 12px;"
lang="x-unicode">
<pre class="moz-quote-pre" wrap="">July 9, 2021 5:12 PM, "Brian Candler" <a class="moz-txt-link-rfc2396E" href="mailto:b.candler@pobox.com" moz-do-not-send="true"><b.candler@pobox.com></a> wrote:
</pre>
<blockquote type="cite" style="color: #007cff;">
<pre class="moz-quote-pre" wrap="">On 09/07/2021 15:29, <a class="moz-txt-link-abbreviated" href="mailto:informant@trinaxab.se" moz-do-not-send="true">informant@trinaxab.se</a> wrote:
</pre>
<blockquote type="cite" style="color: #007cff;">
<pre class="moz-quote-pre" wrap="">Specifically, the intention is to use a single wildcard certificate *.intra.example.com rather than
one for each subdomain. I don't know if that changes anything.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">No difference. You just need to be able to insert TXT records in the zone
_acme-challenge.intra.example.com
to get a wildcard cert for *.intra.example.com. (Note that wildcard certs only match one level:
e.g. "accounts.intra.example.com" will match but not "mail.accounts.intra.example.com")
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">How do I set this up? I haven't really worked with DNS on this level before. I find things relating to DNS updates, AXFR, TSIG and master/slave configurations, but I'm not sure which of those are relevant.
</pre>
</div>
</blockquote>
<p>In short:<br>
</p>
<p>- if you've decided to use PowerDNS as the authoritative server
for intra.example.com, you need to choose a backend which allows
dynamic updates (i.e. not the BIND backend; one of the SQL ones
will be fine)<br>
- you need to enable dynamic updates (e.g. using TSIG or via the
API depending on how you're going to perform the updates)<br>
- you need to configure your ACME client to perform the updates.</p>
<p>For example, "<a moz-do-not-send="true"
href="https://dehydrated.io/">dehydrated</a>" is a shell script
for obtaining certificates, and here's a script which can do <a
moz-do-not-send="true"
href="https://github.com/dehydrated-io/dehydrated/wiki/example-dns-01-nsupdate-script">TSIG
updates</a>. Here are others which can do <a
moz-do-not-send="true"
href="https://github.com/antoiner77/dehyrated-pdns">direct mysql
updates</a> or <a moz-do-not-send="true"
href="https://github.com/silkeh/pdns_api.sh">API updates</a>.<br>
</p>
<p>I've not tested any of these with PowerDNS (I use bind for
LetsEncrypt as it doesn't need a database), so I'm afraid you need
to put these bits together yourself.</p>
<p>Make sure you point at the LetsEncrypt "staging environment"
while you're testing this, otherwise you'll hit rate limits that
will prevent you making further API calls to LetsEncrypt for
several hours. Once all the challenge/response stuff is working,
then switch to the production environment to get real certs.<br>
</p>
</body>
</html>