
Automating Certbot DNS validation with LoopiaDNS (Let’s Encrypt)

Let’s Encrypt is a free, automated, and open Certificate Authority, and it is really great! Automatic renewal has changed how we think about host certificates on our servers.

The primary automation client for Let’s Encrypt is certbot, and it can easily secure your web site with HTTPS if you run one of the major web servers (it ships with plugins for Apache and nginx).

I wanted to secure my own servers that fall outside the “major web server” category, so I needed to do some hacking of my own. This post is about how to validate your certificate request with DNS records when Loopia hosts your DNS.

It’s outside the scope of this post, but the services I have managed to use with Let’s Encrypt this way are:

  • Plex Media Server
  • Ubiquiti VMS (Unifi Video)
  • Home Assistant

About certificate validation

When you request a certificate for a domain name, let’s say www.mumindalen.nu, Let’s Encrypt asks you to prove that you control the domain. This is called a challenge.

The two challenge types you will normally meet are HTTP and DNS. With the HTTP challenge you place a file containing a specific token under a specific URL on your web server (http://www.mumindalen.nu/.well-known/acme-challenge/<token>), and certbot can do this for you.

But this requires that your server is reachable from the Internet on port 80, since Let’s Encrypt’s validation servers have to fetch that file!

For offline servers (or servers behind a VPN) I find it easier to use the DNS challenge. Here you prove that you control the domain by publishing a specific DNS record: a TXT record at _acme-challenge.www.mumindalen.nu whose value is a token that Let’s Encrypt gives you.

There are some disadvantages with DNS compared to HTTP, primarily propagation delay: it is quite common for a change to your DNS to take a long time before it is visible on the Internet, and Let’s Encrypt fails the challenge if the record is not there when it looks.

My DNS hosting company Loopia has a really good DNS service; changes can normally be seen within a few seconds. They also provide an API for setting DNS records programmatically, so they work really well with Let’s Encrypt.

How to get started

The basic process:

  1. Install certbot on your system, using apt-get, yum or whatever package manager your platform runs.
  2. Log in to Loopia and create a LoopiaAPI user. Give it permission to the addZoneRecord and removeSubdomain methods only; that is all the scripts need, and it limits what a leaked credential can do (it can still add and delete records in your zones, so protect it).
  3. Download and extract the zip file below.
  4. Set the execute flag on all the scripts in the folder (chmod a+x *).
  5. Run the certbot-init script. It will configure your Loopia credentials, request a new certificate and add a renewal check to your crontab.

Download

(The zip file with the scripts was linked here.)

Additional information

Explanation of the files:

  • certbot-init is a one-time configuration script. Make sure all the scripts are in the right place before you run it; it is not an installation script.
  • certbot-auth-hook runs when a certificate needs to be validated (it is certbot’s manual auth hook). It calls the loopia-api script with the addZoneRecord command to publish the TXT record.
  • certbot-cleanup-hook runs after the certificate has been validated. It again calls the loopia-api script, but with the removeSubdomain command, so the challenge record does not linger in your zone.
  • loopia-api is the actual LoopiaDNS part. It builds an XML string and posts it to the XML-RPC endpoint for LoopiaDNS. All the XML strings are logged into the folder for debugging purposes. Note that the request XML contains your API username and password, since every LoopiaAPI call carries them as parameters, so the log files are as sensitive as the config file.
  • loopia-config stores your username and password in clear text. If you move your setup to another server, bring this file, but do not give it to anyone else, and keep it readable by its owner only (chmod 600 loopia-config).

Debugging:

You will need debugging! All XML-RPC calls are logged into the script folder. A request file is generated for each command (addZoneRecord and removeSubdomain), and the response file contains the response from Loopia.

Inspect these files when it doesn’t work. Also remember that for some problems the response will be OK and yet nothing happens, so check the zone itself rather than trusting the API answer alone: query one of your zone’s authoritative nameservers for the TXT record (dig TXT _acme-challenge.www.mumindalen.nu @<nameserver>) and confirm the token certbot handed to the hook is what comes back.
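To make the moving parts of the procedure, the file explanations and the debugging advice concrete, here is one hook script written for this page as an added example. It is not the blog’s zip, nor Loopia’s or certbot’s code. It does what certbot-auth-hook, certbot-cleanup-hook and loopia-api do together: builds the XML-RPC bodies for addZoneRecord and removeSubdomain (the method names this post uses; the record struct fields follow Loopia’s API documentation, which you should check against the current version), works out which _acme-challenge label to write into the Loopia zone, refuses to run if the clear-text config file is readable by others, XML-escapes the values so a password containing & or < does not corrupt the request, and reads the status string out of Loopia’s response instead of treating any answer as success. The config file path and format, the variable names LOOPIA_USER, LOOPIA_PASSWORD and LOOPIA_ZONE, the TTL, the 15-second wait and the hook path in the certbot command are assumptions.

```shell
#!/bin/sh
# Added example for this page, not the blog's own scripts or Loopia's code.
# Assumed: config path/format, LOOPIA_* variable names, TTL, wait time.
set -e

LOOPIA_CONFIG="${LOOPIA_CONFIG:-$(dirname "$0")/loopia-config}"  # assumed path
LOOPIA_API_URL="https://api.loopia.se/RPCSERV"

# Escape a value before embedding it in XML; an '&' or '<' in a password
# would otherwise corrupt the request body.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

xml_string_param() {
  printf '<param><value><string>%s</string></value></param>' "$(xml_escape "$1")"
}

# Request body for addZoneRecord(user, password, domain, subdomain, record).
# The pre-2022 API took a customer-number parameter after the password; the
# current API rejects it (the comments below mention error 623), so it is omitted.
loopia_add_txt_xml() {   # user password zone subdomain rdata
  printf '<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>addZoneRecord</methodName><params>'
  xml_string_param "$1"; xml_string_param "$2"; xml_string_param "$3"; xml_string_param "$4"
  printf '<param><value><struct>'
  printf '<member><name>type</name><value><string>TXT</string></value></member>'
  printf '<member><name>ttl</name><value><int>300</int></value></member>'
  printf '<member><name>priority</name><value><int>0</int></value></member>'
  printf '<member><name>rdata</name><value><string>%s</string></value></member>' "$(xml_escape "$5")"
  printf '<member><name>record_id</name><value><int>0</int></value></member>'
  printf '</struct></value></param></params></methodCall>'
}

# Request body for removeSubdomain(user, password, domain, subdomain), which
# deletes the whole _acme-challenge label and every record under it.
loopia_remove_subdomain_xml() {   # user password zone subdomain
  printf '<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>removeSubdomain</methodName><params>'
  xml_string_param "$1"; xml_string_param "$2"; xml_string_param "$3"; xml_string_param "$4"
  printf '</params></methodCall>'
}

# Map the certificate name onto the TXT label inside the Loopia zone:
# mumindalen.nu -> _acme-challenge, plex.mumindalen.nu -> _acme-challenge.plex
# (for a wildcard request certbot hands the hook the bare zone name).
acme_subdomain() {   # certbot_domain zone
  case "$1" in
    "$2")   printf '_acme-challenge' ;;
    *."$2") printf '_acme-challenge.%s' "${1%."$2"}" ;;
    *)      return 1 ;;
  esac
}

# The config file holds the API password in clear text; refuse to use it if
# anyone but the owner can read it (group and other permission bits all '-').
config_perms_ok() {
  [ "$(ls -ld "$1" | cut -c5-10)" = '------' ]
}

# Status of an XML-RPC response: Loopia answers with a string such as OK,
# AUTH_ERROR or UNKNOWN_ERROR; a <fault> element is a protocol-level error.
loopia_response_status() {
  case "$1" in
    *'<fault>'*)  printf 'FAULT' ;;
    *'<string>'*) printf '%s' "$1" | tr -d '\n' | sed -e 's/<\/string>.*//' -e 's/.*<string>//' ;;
    *)            printf 'UNPARSEABLE' ;;
  esac
}

loopia_call() {   # xml_request -> response body on stdout
  curl -sS --fail -X POST -H 'Content-Type: text/xml' --data-binary "$1" "$LOOPIA_API_URL"
}

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to manual hooks.
run_hook() {   # auth | cleanup
  config_perms_ok "$LOOPIA_CONFIG" || { echo "refusing: $LOOPIA_CONFIG is readable by others" >&2; return 1; }
  . "$LOOPIA_CONFIG"   # assumed to define LOOPIA_USER, LOOPIA_PASSWORD, LOOPIA_ZONE as KEY=value lines
  sub=$(acme_subdomain "$CERTBOT_DOMAIN" "$LOOPIA_ZONE") \
    || { echo "$CERTBOT_DOMAIN is not inside zone $LOOPIA_ZONE" >&2; return 1; }
  case "$1" in
    auth)    xml=$(loopia_add_txt_xml "$LOOPIA_USER" "$LOOPIA_PASSWORD" "$LOOPIA_ZONE" "$sub" "$CERTBOT_VALIDATION") ;;
    cleanup) xml=$(loopia_remove_subdomain_xml "$LOOPIA_USER" "$LOOPIA_PASSWORD" "$LOOPIA_ZONE" "$sub") ;;
    *)       echo "usage: $0 auth|cleanup" >&2; return 2 ;;
  esac
  status=$(loopia_response_status "$(loopia_call "$xml")")
  [ "$status" = OK ] || { echo "Loopia $1 failed: $status" >&2; return 1; }
  # Loopia's nameservers pick the record up within seconds; give them a short
  # head start before certbot asks Let's Encrypt to look for it.
  [ "$1" = auth ] && sleep 15
  return 0
}

# Usage with certbot (the hooks run once per name in the request):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook "/opt/loopia/loopia-hook.sh auth" \
#     --manual-cleanup-hook "/opt/loopia/loopia-hook.sh cleanup" \
#     -d plex.mumindalen.nu
case "${1:-}" in
  auth|cleanup) run_hook "$1" ;;
esac
```

Because the whole request body, password included, passes through the script, anything you log for debugging should go to a file with the same 600 permissions as the config; and since "OK" from the API does not guarantee the record is being served, pair this with the dig check above when a renewal fails.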

7 replies to “Automating Certbot DNS validation with LoopiaDNS (Let’s Encrypt)”

But 🙁
From Loopia:
We are now upgrading LoopiaAPI
On 23 February 2022 we will upgrade our servers and improve LoopiaAPI

So now this excellent thing no longer works
Kind regards
Roger

Line below needs to be removed from loopia-api after Loopia API update 2022-02-23
XML="$XML"

So it is line 41 that needs to be deleted.
Reply from Loopia second-line support:
————————————–
In the new version the customer cannot pass a customer number as a parameter, so those who pass one, or pass an empty string, get an error message (usually error 623).
The exception is resellers, who still need to pass a customer number when making calls against their customers’ accounts.

Many thanks for the troubleshooting, Roger.

I don’t keep much of an eye on this old blog; I discovered this when my own certbot stopped working. 🙂

I have now updated the ZIP file so that it works with the new LoopiaAPI!
