[Pdns-users] PowerDNS and automatic wildcard Let's Encrypt certificate renewal
Predrag Mijatovic
predmijat at gmail.com
Mon Oct 1 08:34:44 UTC 2018
Hi,
Not sure how it will look in plain text, so for nice formatting check https://bbs.archlinux.org/viewtopic.php?id=240847
Here it goes:
I'm trying to set up automatic wildcard Let's Encrypt certificate renewal using PowerDNS and certbot.
I've followed these guides/resources:
- https://doc.powerdns.com/authoritative/ … w-it-works
- https://wiki.archlinux.org/index.php/Certbot
- https://certbot-dns-rfc2136.readthedocs.io/en/latest/
What I did:
mysql -h localhost -u powerdns -pmypass powerdns -e "select * from tsigkeys"
+----+--------+-------------+----------+
| id | name   | algorithm   | secret   |
+----+--------+-------------+----------+
|  1 | cerbot | hmac-sha512 | mysecret |
+----+--------+-------------+----------+
mysql -h localhost -u powerdns -pmypass powerdns -e "select * from domainmetadata"
+----+-----------+----------------------+-----------+
| id | domain_id | kind                 | content   |
+----+-----------+----------------------+-----------+
|  1 |         1 | ALLOW-AXFR-FROM      | AUTO-NS   |
|  2 |         1 | TSIG-ALLOW-AXFR      | certbot   |
|  3 |         1 | ALLOW-DNSUPDATE-FROM | 0.0.0.0/0 |
|  4 |         1 | TSIG-ALLOW-DNSUPDATE | certbot   |
|  5 |         1 | NOTIFY-DNSUPDATE     | 1         |
+----+-----------+----------------------+-----------+
Testing it with:
nsupdate -y hmac-sha512:certbot:secret
> server 127.0.0.1
> zone myzone.com
> update add _test.mysite.com. 60 IN TXT "test"
> send
; TSIG error with server: expected a TSIG or SIG(0)
update failed: REFUSED
> quit
PowerDNS log says:
Packet for domain 'mysite.com' denied: can't find TSIG key with name 'certbot' and algorithm 'hmac-sha512'
If any other info is needed, let me know.
Thanks
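An added consistency check, not part of the original post and not PowerDNS's own tooling: a small Python script that takes rows shaped like the two tables quoted above (the sample rows are constructed to match the post) and reports metadata entries whose TSIG key name has no matching `tsigkeys` row, which is exactly the lookup the quoted PowerDNS log line ("can't find TSIG key with name 'certbot'") reports as failing. It also flags ACL entries such as `ALLOW-DNSUPDATE-FROM 0.0.0.0/0` that admit every source address. The set of metadata kinds treated as key names and the normalization of key names as case-insensitive DNS names are assumptions about how PowerDNS compares them.

```python
"""Consistency check for PowerDNS TSIG metadata (hypothetical helper, stdlib only)."""
import ipaddress

# Constructed sample rows mirroring the two SQL tables quoted in the post.
TSIGKEYS = [
    {"id": 1, "name": "cerbot", "algorithm": "hmac-sha512", "secret": "mysecret"},
]
DOMAINMETADATA = [
    {"id": 1, "domain_id": 1, "kind": "ALLOW-AXFR-FROM", "content": "AUTO-NS"},
    {"id": 2, "domain_id": 1, "kind": "TSIG-ALLOW-AXFR", "content": "certbot"},
    {"id": 3, "domain_id": 1, "kind": "ALLOW-DNSUPDATE-FROM", "content": "0.0.0.0/0"},
    {"id": 4, "domain_id": 1, "kind": "TSIG-ALLOW-DNSUPDATE", "content": "certbot"},
    {"id": 5, "domain_id": 1, "kind": "NOTIFY-DNSUPDATE", "content": "1"},
]

# Metadata kinds whose content is the name of a TSIG key in `tsigkeys` (assumed list).
TSIG_NAME_KINDS = {"TSIG-ALLOW-AXFR", "TSIG-ALLOW-DNSUPDATE", "AXFR-MASTER-TSIG"}
# Metadata kinds whose content is a comma-separated list of source netmasks.
ACL_KINDS = {"ALLOW-DNSUPDATE-FROM", "ALLOW-AXFR-FROM"}


def normalize_key_name(name: str) -> str:
    """Assumption: TSIG key names are DNS names, so compare case-insensitively
    and ignore a trailing dot."""
    return name.strip().rstrip(".").lower()


def find_missing_tsig_keys(tsigkeys, metadata):
    """Return (domain_id, kind, content) for every metadata row that names a
    TSIG key which does not exist in `tsigkeys`."""
    known = {normalize_key_name(k["name"]) for k in tsigkeys}
    return [
        (m["domain_id"], m["kind"], m["content"])
        for m in metadata
        if m["kind"] in TSIG_NAME_KINDS and normalize_key_name(m["content"]) not in known
    ]


def find_open_acls(metadata):
    """Return (domain_id, kind, netmask) for ACL tokens that admit any source
    address, i.e. a /0 network in either address family."""
    findings = []
    for m in metadata:
        if m["kind"] not in ACL_KINDS:
            continue
        for token in m["content"].split(","):
            token = token.strip()
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue  # e.g. AUTO-NS, which is a keyword rather than a netmask
            if net.prefixlen == 0:
                findings.append((m["domain_id"], m["kind"], token))
    return findings


def report(tsigkeys, metadata):
    """Human-readable findings, one line each."""
    lines = []
    for domain_id, kind, name in find_missing_tsig_keys(tsigkeys, metadata):
        lines.append(
            f"domain {domain_id}: {kind}={name!r} but no tsigkeys row is named {name!r}; "
            "the server will reject every signed request with this key name"
        )
    for domain_id, kind, mask in find_open_acls(metadata):
        lines.append(
            f"domain {domain_id}: {kind} admits any source address ({mask}); "
            "TSIG is still required, but narrowing this to the certbot host limits exposure"
        )
    return lines


if __name__ == "__main__":
    for line in report(TSIGKEYS, DOMAINMETADATA):
        print(line)
```

Run against the rows from the post, the first function returns both `certbot` metadata entries, because the only key row is named `cerbot`; once the `tsigkeys` name and the metadata agree (in either table), it returns an empty list. The second function only looks at the ACL kinds, so `NOTIFY-DNSUPDATE` and `AUTO-NS` are ignored.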