Standalone DNS server plugin for certbot verification
This is a plugin that uses an integrated DNS server to respond to the
_acme-challenge
records, so the domain's records do not have to be
modified.
::
# pip3 install certbot certbot-dns-standalone
::
# snap install certbot certbot-dns-standalone
# snap set certbot trust-plugin-with-root=ok
# snap connect certbot:plugin certbot-dns-standalone
# snap connect certbot-dns-standalone:certbot-metadata certbot:certbot-metadata
::
# apt-get install certbot python3-certbot-dns-standalone
First, you need to pick a central address for certbot, e.g.
acme.example.com
.
Next, the _acme-challenge
records need to be pointed to
$domain.acme.example.com
using CNAME records, e.g. for example.net
:
::
_acme-challenge IN CNAME example.net.acme.example.com.
Finally, you need to point *.acme.example.com
to certbot. There are two
options for that.
Firstly, if you have an IP address with port 53
available, you could
configure it as the nameserver for acme.example.com
:
::
acme IN NS ns.acme.example.com.
ns.acme IN A 1.2.3.4
where 1.2.3.4
is the IP of the server where certbot will be run. This
configuration directs any requests to *.acme.example.com
to 1.2.3.4
where the plugin will respond with the relevant challenge.
Any server can be used as long as port 53
is available which means that
a DNS server cannot be run at that particular IP at the same time.
You can then run certbot as follows:
::
certbot --non-interactive --agree-tos --email [email protected] certonly \
--authenticator dns-standalone \
--dns-standalone-address=1.2.3.4 \
-d example.net -d '*.example.net'
Secondly, if you already run a DNS server you could configure it to forward
all requests to *.acme.example.com
to another IP/port instead where you
would run certbot.
With Knot DNS you can use mod-dnsproxy
:
::
remote:
- id: certbot
address: 127.0.0.1@5555
mod-dnsproxy:
- id: certbot
remote: certbot
fallback: off
zone:
- domain: acme.example.com
module: mod-dnsproxy/certbot
Using this configuration all requests to *.acme.example.com
are directed
to 127.0.0.1
port 5555
.
You can then run certbot as follows:
::
certbot --non-interactive --agree-tos --email [email protected] certonly \
--authenticator dns-standalone \
--dns-standalone-address=127.0.0.1 \
--dns-standalone-port=5555 \
-d example.net -d '*.example.net'
By default the plugin binds to all available interfaces. The validation usually takes less than a second.
To renew the certificates add certbot renew
to crontab
.
First, build the certbot image:
::
docker build -t certbot /path/to/certbot-dns-standalone/
Next, the certificate:
::
docker run -it --rm --name certbot \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
-p 8080:80 -p 1.2.3.4:53:53/tcp -p 1.2.3.4:53:53/udp \
certbot certonly
where 1.2.3.4
is the IP address to use for responding the challenges. HTTP
challenges should be directed to port 8080
.
/etc/letsencrypt
and /var/lib/letsencrypt
need to be mapped to
permanent storage.
Parameters can be specified as --dns-standalone-PARAMETER=VALUE
. For older
certbot versions it should be
--certbot-dns-standalone:dns-standalone-PARAMETER=VALUE
.
Supported parameters are:
address
-- IPv4 address to bind to, defaults to 0.0.0.0
ipv6-address
-- IPv6 address to bind to, defaults to ::
port
-- port to use, defaults to 53
The relevant parameters in /etc/letsencrypt/renewal/*.conf
are
dns_standalone_address
, dns_standalone_port
and
dns_standalone_ipv6_address
.
Third party projects integrating certbot-dns-standalone:
CertCache <https://github.com/93million/certcache>
_