[Pdns-users] Letsencrypt integration

Brian Candler b.candler at pobox.com
Tue Dec 17 11:54:50 UTC 2024


On 17/12/2024 11:41, Roberto Greiner via Pdns-users wrote:
> is there any documentation on using letsencrypt's certbot automated 
> with PowerDNS for creating wildcard certificates?

Do you definitely need to use certbot? If so, one option might be to use 
RFC2136 dynamic DNS updates with TSIG:

https://doc.powerdns.com/authoritative/dnsupdate.html
https://certbot-dns-rfc2136.readthedocs.io/en/stable/

However, instead of certbot, you could use https://dehydrated.io/ (which 
is just a bash script). I see at least two hooks available which talk to 
the PowerDNS API:

https://github.com/julian7/dehydration-pdns-hook
https://github.com/silkeh/pdns_api.sh

But I haven't tried these. Instead, I put all the letsencrypt DNS 
updates into a separate zone on a separate server, running acme-dns:

https://github.com/joohoi/acme-dns
https://github.com/qvr/acmedns-dehydrated-hook

I then manually insert CNAME records for _acme-challenge into the main 
authoritative DNS at each point where I want a certificate issued. This 
avoids having any dynamic updates in the main zones at all.

HTH,

Brian.
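The CNAME-delegation setup Brian describes, as an added example that is not part of the post, of acme-dns or of the hooks linked above: it derives the `_acme-challenge` name (shared by a wildcard and its base name), emits the one-off CNAME lines for the main zone, and runs an offline pre-flight check that each delegation points at the right acme-dns name. The acme-dns server name and the account data are constructed; a real lookup would replace `dict_resolver`.

```python
"""Pre-flight check for the "CNAME _acme-challenge into an acme-dns zone" model."""
from typing import Callable, Dict, List, Optional

# Constructed sample data: the part of each acme-dns /register response that
# matters here, keyed by the name the certificate is for. The acme-dns
# server name (auth.acme-dns.example) and the UUID-style labels are made up.
ACME_DNS_ACCOUNTS: Dict[str, Dict[str, str]] = {
    "*.example.org": {"fulldomain": "8e5700ea-a4bf-41c7-8a77-e990661c5c3b.auth.acme-dns.example"},
    "www.example.net": {"fulldomain": "d4a4e6c1-32b9-4b7f-9d11-0c7c8a2f5e60.auth.acme-dns.example"},
}

def challenge_name(cert_name: str) -> str:
    """Name the ACME server queries for a dns-01 challenge, as an absolute name.

    A wildcard and its base name share one _acme-challenge label, so a
    leading "*." is dropped before the label is prepended.
    """
    base = cert_name[2:] if cert_name.startswith("*.") else cert_name
    return f"_acme-challenge.{base.rstrip('.')}."

def cname_records(accounts: Dict[str, Dict[str, str]]) -> List[str]:
    """Zone-file lines to add once to the main authoritative zone."""
    return [
        f"{challenge_name(name)} IN CNAME {acct['fulldomain'].rstrip('.')}."
        for name, acct in accounts.items()
    ]

Resolver = Callable[[str], Optional[str]]  # name -> CNAME target or None

def check_delegation(accounts: Dict[str, Dict[str, str]], resolve_cname: Resolver) -> List[str]:
    """Return one message per certificate name whose CNAME is missing or wrong.

    Run this before issuance: a missing or mistyped CNAME fails the challenge
    at the CA, which is slower and noisier to debug than a local check.
    """
    problems: List[str] = []
    for name, acct in accounts.items():
        qname = challenge_name(name)
        expected = acct["fulldomain"].rstrip(".") + "."
        got = resolve_cname(qname)
        if got is None:
            problems.append(f"{qname}: no CNAME published")
        elif got.rstrip(".") + "." != expected:
            problems.append(f"{qname}: CNAME -> {got}, expected {expected}")
    return problems

def dict_resolver(table: Dict[str, str]) -> Resolver:
    """Offline stand-in for a real lookup (e.g. dnspython's resolve(name, 'CNAME'))."""
    return lambda qname: table.get(qname)
```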
