DNS.HE.NET Topics > General Questions & Suggestions

DNS ACME challenge. (Let's encrypt validation)



I've had a look at (used) the Let's Encrypt project. It allows everyone to obtain (free) certificates for their website (and other services).
To retrieve a certificate, they require you to validate that you actually control the service/domain.
Two methods exist that allow this validation.

1) Place a challenge accessible on your web site (port 80 or 443), so the Let's Encrypt servers can validate that you control the server the certificate points to.
2) Place a challenge inside a TXT record. This has the added advantage that validation can happen for services other than webservers running on port 80/443. (I'm thinking of VPN, alternative-port webservers, media servers etc.)
Validity of Let's Encrypt certificates is 90 days. Thus renewal of certificates can happen about every 60 days. Automation is a must.

I would like to use this functionality (DNS validation) for my HE-hosted domain. (I believe this question will become more and more frequent.)
To make a long story short, can you please extend the dynamic DNS functionality to TXT records? This will allow me to script an update of a TXT record so validation can happen.

(Some more info https://letsencrypt.github.io/acme-spec/#rfc.section.7.4 )
PS: Thank you for providing me with great dynamic DNS for years!
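The TXT-record method described above is the ACME DNS challenge (the spec section linked in the post). What goes into the record is not the challenge token itself but a digest derived from the token and the account key. The following is an added example, not code from the original post or from Let's Encrypt: it computes the TXT value the way the spec defines it (key authorization = token "." JWK thumbprint; record value = base64url(SHA-256(key authorization))) and mirrors the check the CA will make against whatever strings the zone serves. The JWK, token and hostnames are constructed samples, not real keys or real challenges.

```python
"""DNS-01 challenge arithmetic from the ACME spec, plus the check the CA makes
against the published record. Added example, not code from the original post."""
import base64
import hashlib
import json

# Constructed sample public JWK for an ACME account key. The coordinates are
# placeholders, not a real key; the thumbprint logic does not depend on them.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "c2FtcGxlLXgtY29vcmRpbmF0ZS1ub3QtYS1yZWFsLWtleQ",
    "y": "c2FtcGxlLXktY29vcmRpbmF0ZS1ub3QtYS1yZWFsLWtleQ",
}

# RFC 7638: only these members, in lexicographic order, feed the thumbprint.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data):
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk):
    """Canonical JSON of the required members only: sorted keys, no whitespace.
    Extra members such as 'alg' or 'kid' must not influence the thumbprint."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON))."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def key_authorization(token, jwk):
    """token '.' thumbprint; this exact string is what the HTTP challenge serves."""
    return token + "." + jwk_thumbprint(jwk)


def dns01_txt_value(token, jwk):
    """The DNS challenge publishes base64url(SHA-256(key authorization)),
    not the key authorization string itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return b64url(digest)


def challenge_name(domain):
    """Owner name of the record the CA queries, written as an absolute name."""
    return "_acme-challenge." + domain.rstrip(".") + "."


def txt_record_satisfies(published, token, jwk):
    """Mirror the CA's test: some TXT string at the name equals the expected
    value. Leftover values from earlier renewals do not hurt, one match is enough."""
    expected = dns01_txt_value(token, jwk)
    return any(s.strip('"') == expected for s in published)


if __name__ == "__main__":
    token = "sample-token-from-the-acme-challenge-object"  # constructed sample
    print(challenge_name("vpn.example.org"), "600 IN TXT",
          '"%s"' % dns01_txt_value(token, SAMPLE_JWK))
```

The value printed is what a dynamic-update mechanism would have to write into `_acme-challenge.<host>`; because it is a fixed-length digest of base64url characters, it is safe to pass straight into a URL-encoded form field without further escaping.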

While at it, static CAA records can be another alternative to dynamic TXT records.

example.org. CAA 1 issue "letsencrypt.org" <-- required
example.org. CAA 1 iodef "mailto:caa@example.org" <-- currently optional/not yet supported by LE

+1, this would be great. I really want to be able to use LE certs with HE.net dynamic DNS. It's already supported by many other DNS providers, but none that rock the house like HE!

So first of all, I am well aware that this topic is quite old.
However, the issue still persists and HE does not provide an API to update TXT records dynamically.

Therefore I took the time to create a rudimentary bash script which basically logs into the website,
parses the actual HTML code (very ugly) and finally updates the desired DNS record.

Use at your own risk; improvements are welcome.
Note that the _acme-challenge.$host TXT record has to exist beforehand!

--- Code: ---#!/bin/bash

# Usage: he-acme-txt.sh <hostname> <acme-response>
# $1 is supposed to be the hostname
# $2 is supposed to be the acme-response, edited in the TXT record
# Credentials are read from the environment: HENET_USERNAME and HENET_PASS
# Note: The _acme-challenge.$host TXT record has to exist beforehand!

set -eu

if [ $# -ne 2 ]; then
    echo "usage: $0 <hostname> <acme-response>" >&2
    exit 1
fi
: "${HENET_USERNAME:?must be set}" "${HENET_PASS:?must be set}"

HENET="https://dns.he.net/"
cookie=$(mktemp)
result=$(mktemp)
domains=$(mktemp)
trap 'rm -f "$cookie" "$result" "$domains"' EXIT

# Get initial cookie from HE.net
wget --save-cookies "$cookie" --keep-session-cookies -q -O /dev/null "$HENET"

# Log in using your username and password
# store the resulting page
wget --load-cookies "$cookie" --post-data "email=$HENET_USERNAME&pass=$HENET_PASS" -q -O "$result" "$HENET"

# Every zone has its own key we need to parse, e.g.
# 'alt="delete"  onclick="delete_dom(this);" name="example.org" value="123456789"'
# save in the format 'example.org;123456789'
grep 'alt="delete"  onclick="delete_dom(this);" name="' "$result" | sed -e 's/.*alt="delete"  onclick="delete_dom(this);" name="//g' -e 's/" value="/;/g' -e 's/".*//g' > "$domains"

# Find the zone that contains the host (the host itself or its closest parent zone)
# and return its key; the longest matching zone name wins
domain_key=$(awk -v host="$1" -F';' '
(host == $1 || substr(host, length(host) - length($1)) == "." $1) && length($1) > best { best = length($1); r = $2 }
END { print r }' "$domains")
if [ -z "$domain_key" ]; then
    echo "no zone for $1 found in this account (login failed or zone not hosted here)" >&2
    exit 1
fi

# Every dns entry has its own key we need to parse from the actual domain page
# 'onclick="event.cancelBubble=true;deleteRecord('1103350666','_acme-challenge.www.kleinet.at','TXT')" '
wget --load-cookies "$cookie" -q -O "$result" "$HENET?hosted_dns_zoneid=$domain_key&menu=edit_zone&hosted_dns_editzone"
host_key=$(grep "_acme-challenge.$1','TXT')" "$result" | sed -e 's/.*onclick="event.cancelBubble=true;deleteRecord(.//g' -e "s/','_acme-challenge.$1','TXT').*//g")
if [ -z "$host_key" ]; then
    echo "no _acme-challenge.$1 TXT record found; create it in the web UI first" >&2
    exit 1
fi

# Perform the actual 'edit'
wget --load-cookies "$cookie" --post-data "menu=edit_zone&Type=txt&hosted_dns_zoneid=$domain_key&hosted_dns_recordid=$host_key&hosted_dns_editzone=1&Name=_acme-challenge.$1&Content=%22$2%22&TTL=600&hosted_dns_editrecord=Update" -q -O "$result" "$HENET"

# On success, the Website returns the string 'Successfully updated record';
# exit non-zero otherwise so a calling ACME client does not proceed to validation
grep -q 'Successfully updated record' "$result" || {
    echo "HE.net did not confirm the update of _acme-challenge.$1" >&2
    exit 1
}

--- End code ---

Honestly, I'm posting this to push HE to implement an actual API ;)
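The script above reports success as soon as the web UI accepts the edit, which says nothing about whether HE's nameservers are serving the new value yet; if the ACME client then immediately asks the CA to validate, the CA may still see the old record and fail the challenge. The following is an added example, not code from the post or from HE: it polls each authoritative nameserver directly (bypassing any caching resolver, since the CA's resolvers will not use your cache either) until all of them return the expected TXT value, and reports which ones are still behind. It assumes the `dig` binary is installed for real lookups; the lookup function, sleep and clock are injectable, and the `FakeNameservers` / `FakeClock` classes are constructed stand-ins so the logic runs offline.

```python
"""Confirm a DNS-01 TXT record is actually served by every authoritative
nameserver before triggering validation. Added example, not part of the original
post or of HE's tooling."""
import re
import subprocess
import time

# dig +short prints each TXT RR as one or more quoted strings on one line.
QUOTED_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def dig_txt(name, nameserver, timeout=5):
    """Query one nameserver directly (bypassing any caching resolver) for the
    TXT strings at `name`. Assumes the `dig` binary is installed; any failure
    is reported as 'no records', which the caller treats as 'not yet'."""
    cmd = ["dig", "+short", "+tries=1", "+time=%d" % timeout,
           "@" + nameserver, name, "TXT"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              check=False, timeout=timeout + 2)
    except (OSError, subprocess.TimeoutExpired):
        return []
    # Join the character-strings of each RR back into one value.
    return ["".join(QUOTED_STRING.findall(line))
            for line in proc.stdout.splitlines() if line]


def wait_for_txt(name, expected, nameservers, lookup=dig_txt,
                 timeout=300, interval=10, sleep=time.sleep, clock=time.monotonic):
    """Poll until every nameserver in `nameservers` has returned `expected` at
    least once, or until `timeout` seconds pass. Returns the sorted list of
    nameservers still missing the record; an empty list means it is safe to
    ask the CA to validate. `lookup`, `sleep` and `clock` are injectable so
    the logic can be exercised offline."""
    deadline = clock() + timeout
    pending = set(nameservers)
    while pending:
        for ns in sorted(pending):
            if expected in lookup(name, ns):
                pending.discard(ns)
        if not pending or clock() >= deadline:
            break
        sleep(interval)
    return sorted(pending)


class FakeNameservers:
    """Constructed stand-in for `lookup`: server `ns` starts answering with
    `value` after `appears_after[ns]` polls, simulating slow propagation."""

    def __init__(self, appears_after, value):
        self.appears_after = dict(appears_after)
        self.value = value
        self.calls = {ns: 0 for ns in appears_after}

    def __call__(self, name, ns):
        self.calls[ns] += 1
        if self.calls[ns] > self.appears_after[ns]:
            return [self.value]
        return ["stale-value"]


class FakeClock:
    """Constructed monotonic clock that advances `step` seconds per reading."""

    def __init__(self, step=10.0):
        self.now = 0.0
        self.step = step

    def __call__(self):
        self.now += self.step
        return self.now


if __name__ == "__main__":
    # Offline demonstration with the fakes. For a real run, pass the zone's
    # authoritative servers (what `dig NS <zone>` lists) and keep lookup=dig_txt.
    fake = FakeNameservers({"ns1.example": 0, "ns2.example": 2}, "expected-txt")
    missing = wait_for_txt("_acme-challenge.vpn.example.org.", "expected-txt",
                           ["ns1.example", "ns2.example"], lookup=fake,
                           sleep=lambda s: None, clock=FakeClock())
    print("still missing:", missing, "polls per server:", fake.calls)
```

A non-empty result after the deadline is the signal to abort the renewal run rather than let the CA fail the challenge; failed validations count against Let's Encrypt's rate limits, whereas a local timeout costs nothing.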


--- Quote from: seeed on February 17, 2017, 07:05:30 AM ---...Therefore I took the time to create a rudimentary bash script which basically logs into the website,
parses the actual HTML code (very ugly) and finally updates the desired DNS record.

--- End quote ---

When I've had to do things like this, I've used QA automation scripts. There was a free (i.e., no-charge) QA automation tool available a few years ago when I last needed to do this. I don't remember its name, but Google should be helpful...

