Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: DNS ACME challenge. (Let's encrypt validation)  (Read 72119 times)

PJSalt (Newbie, Posts: 3)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #15 on: November 05, 2017, 01:34:22 PM »

Yeah, I also don't like having to store the login credentials of the account in a file like that. A system with an API key would be much better.

Even better would be if we could also limit what the API key can do and assign rights to it. For example: only create/edit/remove TXT records. So that when somebody unauthorized gets a hold of the API key that they can't do too much damage by for example changing A/AAAA records and such.

PJSalt (Newbie, Posts: 3)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #16 on: March 14, 2018, 06:28:28 AM »

Any updates on this? Now that Let's Encrypt has officially launched their v2 API with wildcard support (which only works with the dns-01 challenge method by the way), it would be nice if dns.he.net had an API as well.
« Last Edit: March 14, 2018, 06:48:17 AM by PJSalt »

TemiD (Newbie, Posts: 4)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #17 on: April 24, 2018, 04:46:09 PM »

+1 for Let's Encrypt and API integration. Cloudflare supported the API, but I moved to he.net for the IPv6 cert course. I use a wildcard for my network, and manually renewing certs is going to bite.

beneckema (Newbie, Posts: 1)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #18 on: July 16, 2018, 02:40:13 AM »

+1, I like to use a scripted dns-01 challenge, so it would be great to use the API like the "dynamic" A and AAAA records.

mkbloke (Newbie, Posts: 4)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #19 on: August 13, 2018, 03:08:38 AM »

+1 for an API supporting TXT records to make Let's Encrypt easy.

Ian

wrtpoona (Newbie, Posts: 4)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #20 on: September 21, 2019, 08:14:47 AM »

+1 for a TXT RR API, any update on this?

FostWare (Newbie, Posts: 1)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #21 on: March 02, 2020, 10:42:35 AM »

+1 for API that doesn't require removing 2FA

Vazhnov (Newbie, Posts: 1)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #22 on: April 11, 2020, 09:49:50 AM »

As I see on the title page:

Quote
We're looking into implementing:
  • Expanding our DDNS service to support TXT records

Updated 11.28.2018

But still no news…

matth1187 (Newbie, Posts: 17)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #23 on: July 10, 2020, 11:21:38 PM »

I would've used it if it was available. However, someone paranoid convinced me it may be a good idea to keep ACME challenges on a separate provider from your main (assuming HE) domain, in case your API key/pass gets compromised.

I found luadns.com to be noobishly easy to use, and it is a default supported provider in most ACME programs (it is mentioned on the LE website as a provider that is easily integrated, and free). In addition to the API it has a slick GUI. Create a zone like acme.domain.com, point some NS records from HE to there, then use a CNAME in HE: _acme-challenge.www.domain.com -> luadns, www.acme.domain.com. Now it can be automated with no messing with port 80. HTH!
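The delegation matth1187 describes, written out as zone records. This is an added example, not part of the post; example.com, the acme.example.com sub-zone and ns1/ns2.acme-provider.example are placeholder names standing in for the real domain and the nameservers of whichever provider holds the challenge zone. These records live in the zone hosted at HE:

```zone
; example.com zone at HE (constructed example)

; 1. Delegate a small sub-zone to the provider that has a TXT API.
;    Its API key can only touch names under acme.example.com.
acme.example.com.                  IN NS     ns1.acme-provider.example.
acme.example.com.                  IN NS     ns2.acme-provider.example.

; 2. Point each validation name at a name inside that sub-zone.
;    The validator follows the CNAME, so the TXT records are written
;    at the target, never in the HE zone itself.
_acme-challenge.www.example.com.   IN CNAME  www.acme.example.com.
_acme-challenge.example.com.       IN CNAME  example.acme.example.com.
```

Two things follow from this layout. A compromised key for the delegated zone cannot change A/AAAA records of example.com, which is the damage limitation PJSalt asked for in reply #15. And because the TXT records are created by the delegated provider's API, the same name can hold several values at once, which is what a certificate for both example.com and *.example.com needs at _acme-challenge.example.com. The ACME client has to be told to write the record at the alias target; acme.sh does this with its --challenge-alias option.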

jvandenbroek (Newbie, Posts: 1)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #24 on: July 20, 2020, 05:02:41 AM »

Was looking for this and found out that it's now actually possible to set DDNS for a TXT record. Just needed some trial and error to get it working:

Code:
curl -k https://dyn.dns.he.net/nic/update -d "hostname=_acme-challenge.mydomain.com" -d "password=mypassword" -d "txt=somevalue"
« Last Edit: July 20, 2020, 05:06:32 AM by jvandenbroek »

Com DAC (Newbie, Posts: 1)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #25 on: August 02, 2020, 04:38:47 PM »

found that ddns is now possible for txt records (YAY). The thing I'm unable to figure out now is how to update the records if you have two of the same txt records? For example, if you have a Let's Encrypt certificate for *.domain.ext and domain.ext then you need two txt entries, _acme-challenge.domain.ext and _acme-challenge.domain.ext. I can do this manually, but when I set up the entries to be dynamic I'm only able to update the last one I updated with a password. Does anyone know if there is a trick for this situation, or if this part isn't implemented yet?

matthiaspfaller (Newbie, Posts: 5)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #26 on: August 10, 2020, 04:39:56 AM »

Quote from: Com DAC
found that ddns is now possible for txt records (YAY). The thing I'm unable to figure out now is how to update the records if you have two of the same txt records? For example, if you have a Let's Encrypt certificate for *.domain.ext and domain.ext then you need two txt entries, _acme-challenge.domain.ext and _acme-challenge.domain.ext. I can do this manually, but when I set up the entries to be dynamic I'm only able to update the last one I updated with a password. Does anyone know if there is a trick for this situation, or if this part isn't implemented yet?

While the new feature is neat, it just doesn't help us. In order for this to be really useful, we would need to be able to create new DDNS TXT records without the web interface. But it's a very nice first step.

regards, Matthias

tjeske (Full Member, Posts: 144)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #27 on: August 11, 2020, 05:14:24 AM »

I know that a dedicated API call would be nice. But I am sure some mediocre programmer is able to code some python module for that :)

rill (Newbie, Posts: 1)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #28 on: January 17, 2021, 02:30:00 PM »

Quote from: jvandenbroek
Was looking for this and found out that it's now actually possible to set DDNS for a TXT record. Just needed some trial and error to get it working:

Code:
curl -k https://dyn.dns.he.net/nic/update -d "hostname=_acme-challenge.mydomain.com" -d "password=mypassword" -d "txt=somevalue"

This works. Only one thing is needed for this.
There is an optional `DDNS` parameter for each DNS record in the UI. You need to activate this feature, then generate a secret for it. Use this secret as the password in the above command.

pmarks (Newbie, Posts: 2)
Re: DNS ACME challenge. (Let's encrypt validation)
« Reply #29 on: September 23, 2022, 11:08:37 PM »

I tried adding the new dynamic TXT API to acme.sh, but the problem is that it cannot support multiple TXT records under the same name, for cases like this:

Code:
./acme.sh --staging --issue --dns dns_he_dyntxt -d 'test1.he.example.com' -d '*.test1.he.example.com'

Here is my code, but I think it's fundamentally too broken to upstream it:

Code:
$ cat dnsapi/dns_he_dyntxt.sh
#!/usr/bin/env sh

########################################################################
# Hurricane Electric hook script for acme.sh, with simple dynamic TXT API.
#
# Unlike dns_he.sh, this script does not use your full account password,
# but all _acme-challenge TXT records must be created manually, and these
# records must share the same DDNS key.
#
# Environment variables:
#
#  - $HE_DynTXT_Key - DDNS key for all _acme-challenge TXT records
#

HE_DynTXT_Api="https://dyn.dns.he.net"

########  Public functions #####################

#Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_he_dyntxt_add() {
  fulldomain=$1
  txtvalue=$2

  HE_DynTXT_Key="${HE_DynTXT_Key:-$(_readaccountconf_mutable HE_DynTXT_Key)}"

  if [ -z "$HE_DynTXT_Key" ]; then
    HE_DynTXT_Key=""
    _err "You did not specify HE_DynTXT_Key."
    _err "Please log into https://dns.he.net/, create a TXT record for '$fulldomain', and generate a DDNS key."
    _err "The same key should be shared among all TXT records managed by this script."
    _err ""
    return 1
  fi

  #save the DDNS key to the account conf file.
  _saveaccountconf_mutable HE_DynTXT_Key "$HE_DynTXT_Key"

  _info "Updating record $fulldomain"
  if _he_dyntxt_rest POST "nic/update" "hostname=$fulldomain&password=$HE_DynTXT_Key&txt=$txtvalue"; then
    if _contains "$response" "good"; then
      _info "Updated, OK"
      return 0
    elif _contains "$response" "badauth"; then
      _err "TXT record $fulldomain does not exist, or incorrect DDNS key"
      return 1
    fi
  fi
  _err "Update TXT record error."
  return 1
}

#fulldomain txtvalue
dns_he_dyntxt_rm() {
  fulldomain=$1
  txtvalue='""' # Just clear the TXT record.

  HE_DynTXT_Key="${HE_DynTXT_Key:-$(_readaccountconf_mutable HE_DynTXT_Key)}"

  _info "Clearing record $fulldomain"
  if _he_dyntxt_rest POST "nic/update" "hostname=$fulldomain&password=$HE_DynTXT_Key&txt=$txtvalue"; then
    if _contains "$response" "good"; then
      _info "Cleared, OK"
      return 0
    elif _contains "$response" "badauth"; then
      _err "TXT record $fulldomain does not exist, or incorrect DDNS key"
      return 1
    fi
  fi
  _err "Clearing TXT record error."
  return 1
}

#####################  Private functions below ##################################

_he_dyntxt_rest() {
  m=$1
  ep="$2"
  data="$3"
  _debug "$ep"

  if [ "$m" = "POST" ]; then
    _debug data "$data"
    response="$(_post "$data" "$HE_DynTXT_Api/$ep" "" "$m")"
  else
    _err "unimplemented method: $m"
    return 1
  fi

  if [ "$?" != "0" ]; then
    _err "error $ep"
    return 1
  fi
  _debug2 response "$response"
  return 0
}