BIND, nsupdate and acme.sh DNS authentication
Brett at BrettDelmage.ca
Thu Jul 23 19:13:06 UTC 2020
On Thu, 23 Jul 2020, Michael De Roover wrote:
> For example I don't trust Manjaro's maintainers, since they screwed up
> their TLS certificate renewal no less than 3 times. That's complete and
> utter incompetence on their part.
> How they didn't already put certbot in a cron job after the first time
> is beyond me.
To get this topic back on topic for this list:
When you are creating Let's Encrypt wildcard certificates you must use a
DNS authentication protocol with letsencrypt. I am using the acme.sh
client which was recommended for wildcard
If you are running your own nameserver you also need to enable dynamic
updates so that the acme.sh client can create TXT records during
certificate acquisition and renewal.
However, I have found that getting zone dynamic updates (authentication,
specifically) working with nsupdate (which acme.sh uses) and BIND has
been a PITA. I haven't been overly impressed with the debug capabilities
to help get nsupdate working properly.
More information about the bind-users
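The setup Brett describes (BIND dynamic updates gated by a TSIG key, acme.sh driving nsupdate to plant the _acme-challenge TXT record, and how to see why the update was refused), as an added example that is not part of the original post, of acme.sh, or of BIND. The zone example.com, the primary ns1.example.com, the key name acme-key and the file paths are placeholders; the NSUPDATE_SERVER and NSUPDATE_KEY names are the ones acme.sh's dns_nsupdate hook documents.

```shell
#!/bin/sh
# Added example, not code from the original post, from acme.sh or from BIND.
# Placeholders (assumptions): zone example.com, primary ns1.example.com,
# TSIG key name acme-key, key file /etc/bind/acme-key.conf.

ZONE="example.com"
NS="ns1.example.com"
KEYNAME="acme-key"
KEYFILE="/etc/bind/acme-key.conf"

# Step 1 (once, on the primary): generate the shared secret. tsig-keygen's
# output is a named.conf 'key' block, and nsupdate -k reads that same file.
#   tsig-keygen -a hmac-sha256 acme-key > /etc/bind/acme-key.conf
#   (then: include "/etc/bind/acme-key.conf"; in named.conf)

# Step 2: the zone statement. 'update-policy' with a 'name' rule restricts
# the key to the single TXT record acme.sh needs. The weaker alternative,
#   allow-update { key acme-key; };
# lets whoever holds the key rewrite any record in the zone.
bind_zone_stanza() {
  zone=$1; key=$2
  printf 'zone "%s" {\n' "$zone"
  printf '    type master;\n'
  printf '    file "/var/lib/bind/%s.zone";\n' "$zone"   # assumed path
  printf '    update-policy {\n'
  printf '        grant %s name _acme-challenge.%s. TXT;\n' "$key" "$zone"
  printf '    };\n'
  printf '};\n'
}

# Step 3: the update script. This is the shape acme.sh's dns_nsupdate hook
# pipes into nsupdate (server from NSUPDATE_SERVER, key file from
# NSUPDATE_KEY). 'answer' prints the server's response, so a REFUSED or
# NOTAUTH is visible instead of a silent no-op.
nsupdate_script() {
  action=$1; server=$2; fqdn=$3; txt=$4
  printf 'server %s 53\n' "$server"
  if [ "$action" = add ]; then
    printf 'update add %s. 60 IN TXT "%s"\n' "$fqdn" "$txt"
  else
    printf 'update delete %s. TXT "%s"\n' "$fqdn" "$txt"
  fi
  printf 'send\n'
  printf 'answer\n'
}

# Step 4: send it. -d makes nsupdate print the signed request and the
# response, which is where a TSIG problem surfaces. Read named's log at the
# same time: 'tsig verify failure' means the secret or the key NAME differs
# between the two ends (the name is part of the signature); BADTIME means
# the two clocks are more than 300 seconds apart (TSIG's default fudge).
push_txt() {
  action=$1; fqdn=$2; txt=$3
  nsupdate_script "$action" "$NS" "$fqdn" "$txt" | nsupdate -d -k "$KEYFILE"
}

# Step 5: confirm the record is actually served before Let's Encrypt is
# asked to look for it.
check_txt() {
  fqdn=$1
  dig +short TXT "$fqdn" @"$NS"
}

# Usage (only when invoked directly with three arguments):
#   sh acme-nsupdate.sh add    _acme-challenge.example.com <token>
#   sh acme-nsupdate.sh delete _acme-challenge.example.com <token>
if [ "$#" -eq 3 ]; then
  push_txt "$1" "$2" "$3" && check_txt "$2"
fi
```

Two things that commonly bite with this layout: the key name in `grant` must be identical to the name in the `key` block and in the file given to `nsupdate -k`, because TSIG signs over the name; and named needs write access to the zone's directory so it can keep the .jnl journal that dynamic updates create. For names under the apex (_acme-challenge.sub.example.com), swap the `name` rule for `grant acme-key subdomain example.com. TXT;`, which is still limited to TXT records.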