[Pdns-users] Letsencrypt integration
Brian Candler
b.candler at pobox.com
Tue Dec 17 11:54:50 UTC 2024
On 17/12/2024 11:41, Roberto Greiner via Pdns-users wrote:
> is there any documentation on using letsencrypt's certbot automated
> with PowerDNS for creating wildcard certificates?
Do you definitely need to use certbot? If so, one option might be to use
RFC2136 dynamic DNS updates with TSIG:
https://doc.powerdns.com/authoritative/dnsupdate.html
https://certbot-dns-rfc2136.readthedocs.io/en/stable/
However, instead of certbot, you could use https://dehydrated.io/ (which
is just a bash script). I see at least two hooks available which talk to
the PowerDNS API:
https://github.com/julian7/dehydration-pdns-hook
https://github.com/silkeh/pdns_api.sh
But I haven't tried these. Instead, I put all the letsencrypt DNS
updates into a separate zone on a separate server, running acme-dns:
https://github.com/joohoi/acme-dns
https://github.com/qvr/acmedns-dehydrated-hook
I then manually insert CNAME records for _acme-challenge into the main
authoritative DNS at each point where I want a certificate issued. This
avoids having any dynamic updates in the main zones at all.
HTH,
Brian.
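A sketch of what a dehydrated hook talking to the PowerDNS API does, added here as an illustration and not code from either of the hook projects linked above; it assumes the environment variables PDNS_API_URL, PDNS_API_KEY and PDNS_ZONE, and the rrset PATCH call of the PowerDNS HTTP API:

```sh
#!/bin/sh
# Hypothetical dehydrated hook for the PowerDNS API (DNS-01), written as an
# illustration; not the hooks linked above. Settings come from the environment.
set -eu

PDNS_API_URL="${PDNS_API_URL:-http://127.0.0.1:8081}"   # assumed API endpoint
PDNS_API_KEY="${PDNS_API_KEY:-}"                         # assumed API key
PDNS_ZONE="${PDNS_ZONE:-example.com}"                    # zone holding the challenge names

# Build the JSON body for a PATCH to /api/v1/servers/localhost/zones/<zone>.
# $1 = domain (a leading "*." is stripped, so "*.example.com" and
#      "example.com" validate at the same _acme-challenge name),
# $2 = REPLACE or DELETE, $3 = token value (REPLACE only).
pdns_rrset_json() {
    domain="${1#\*.}"; changetype="$2"; token="${3:-}"
    name="_acme-challenge.${domain}."
    if [ "$changetype" = "DELETE" ]; then
        printf '{"rrsets":[{"name":"%s","type":"TXT","changetype":"DELETE"}]}' "$name"
    else
        # TXT content must itself be quoted inside the JSON string: "\"<token>\""
        printf '{"rrsets":[{"name":"%s","type":"TXT","ttl":60,"changetype":"REPLACE","records":[{"content":"\\"%s\\"","disabled":false}]}]}' \
            "$name" "$token"
    fi
}

# Send one rrset change to PowerDNS. The key is a full-write API credential,
# so this script should only run on a host you would trust with the whole zone.
pdns_patch() {
    curl -fsS -X PATCH \
        -H "X-API-Key: ${PDNS_API_KEY}" -H 'Content-Type: application/json' \
        --data "$1" "${PDNS_API_URL}/api/v1/servers/localhost/zones/${PDNS_ZONE}."
}

# dehydrated calls: hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
    pdns_patch "$(pdns_rrset_json "$1" REPLACE "$3")"
    sleep 10   # give secondaries and caches a moment before the CA queries the record
}

# dehydrated calls: hook.sh clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
clean_challenge() {
    pdns_patch "$(pdns_rrset_json "$1" DELETE)"
}

# Dispatch only on the two stages implemented here; other stages are no-ops.
case "${1:-}" in
    deploy_challenge|clean_challenge) "$@" ;;
esac
```

The API key used here can modify every zone on that server, which is exactly the exposure the separate acme-dns zone with _acme-challenge CNAMEs described in the message avoids.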