Let's Encrypt is a free, automated, and open Certificate Authority, and it is really great! Automatic renewal has really changed how we think about host certificates on our servers.
The primary automation client for Let's Encrypt is certbot, and it can easily secure your web site with HTTPS if you run one of the major web servers.
I wanted to secure servers of my own that fall outside the category of "major web server", so I needed to do some hacking myself. This post is about how to validate your certificate request using DNS records when Loopia is your DNS host.
How each of them consumes the certificate is outside the scope of this post, but the services I have set up with Let's Encrypt this way are:
- Plex Media Server
- Ubiquiti VMS (Unifi Video)
- Home Assistant
About certificate validation
When you request a certificate for a domain name, let's say www.mumindalen.nu, Let's Encrypt asks you to prove that you control that name. This is called a challenge.
Certbot supports two challenge types, HTTP-01 and DNS-01. With HTTP-01 you serve a specific token at a specific URL on your web server (under /.well-known/acme-challenge/), and certbot can do this for you.
But this requires that your web server is reachable from the Internet on port 80!
For servers that are not reachable from the Internet (or that sit behind a VPN) I find it easier to use the DNS-01 challenge. Here you prove control of the domain by publishing a specific TXT record at _acme-challenge.<domain> (for the example above, _acme-challenge.www.mumindalen.nu) with the value certbot gives you.
DNS has a disadvantage compared to HTTP, primarily caching. It is quite common for a DNS change to take a while before it is visible across the Internet, so a hook script may have to wait for the record to show up before letting certbot proceed to validation.
My DNS host Loopia has a really good DNS service; changes are normally visible within a few seconds. They also provide an API for setting DNS records programmatically, which makes them work very well with Let's Encrypt.
How to get started
The basic process:
- Install certbot on your system. Use apt-get, yum or whatever package manager your platform has.
- Go to Loopia and create a Loopia API user. Give it permission for the addZoneRecord and removeSubdomain commands only; it needs nothing else, so a leaked credential can at most add records and remove subdomains.
- Download and extract the zip file below.
- Set the execute flag on the scripts in the folder (chmod a+x *), then make loopia-config readable only by the user that will run certbot (chmod 600 loopia-config), since it holds your API password.
- Run the certbot-init script. This configures your Loopia credentials, requests a new certificate, and adds a renewal check to your crontab.
Explanation of the files:
- certbot-init is a one-time configuration script. Make sure all the scripts are in the right place before you run it; it is not an installation script.
- certbot-auth-hook runs when a certificate needs to be validated. It calls the loopia-api script with the addZoneRecord command to publish the TXT record.
- certbot-cleanup-hook runs after the certificate has been validated. It again calls the loopia-api script, but with the removeSubdomain command, which removes the _acme-challenge subdomain together with every record under it.
- loopia-api does the actual LoopiaDNS work. It builds an XML string and calls the XML-RPC endpoint for LoopiaDNS. All XML strings are logged into the folder for debugging purposes.
- loopia-config stores your username and password. If you move your setup to another server, bring this file along, but do not give it to anyone else.
You will need debugging! All XML-RPC calls are logged into the script folder. A request file is generated for each command (addZoneRecord and removeSubdomain), and the response file contains the response from Loopia. Be aware that the request files contain your API username and password in clear text, since the Loopia API takes the credentials as parameters of every call, so keep the folder private and delete the request files when you are done debugging.
Investigate these files when something doesn't work. Also remember that for some problems the response will be OK, and yet nothing happens.
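The auth and cleanup hooks described above, written out as one added example that is not part of the post's zip file (certbot-auth-hook, certbot-cleanup-hook and loopia-api are the author's own scripts). It assumes the Loopia endpoint https://api.loopia.se/RPCSERV and the addZoneRecord/removeSubdomain parameter order from Loopia's public API documentation, reads LOOPIA_USER, LOOPIA_PASSWORD and optionally LOOPIA_ZONE from the environment, and uses an illustrative hook path and hostname in its header comment. Two choices differ from the author's scripts on purpose: the request XML (which carries the password) is never written to disk, and the auth hook polls the zone's authoritative name server for the TXT record before returning, which addresses the caching problem mentioned under certificate validation.

```shell
#!/usr/bin/env bash
# Added example, not the post's scripts: one file that acts as both certbot
# hooks for a DNS-01 challenge against Loopia's XML-RPC API. Invoke it as:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/etc/letsencrypt/loopia-hook.sh auth" \
#     --manual-cleanup-hook "/etc/letsencrypt/loopia-hook.sh cleanup" \
#     -d www.mumindalen.nu
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
# Assumptions: LOOPIA_USER/LOOPIA_PASSWORD come from the environment (e.g. a
# sourced loopia-config with mode 0600); endpoint and method signatures follow
# Loopia's public API docs; LOOPIA_ZONE names the hosted zone and defaults to
# the last two labels of CERTBOT_DOMAIN (wrong for e.g. .co.uk names).

LOOPIA_ENDPOINT="${LOOPIA_ENDPOINT:-https://api.loopia.se/RPCSERV}"

# Challenge record name relative to the zone:
#   acme_subdomain www.mumindalen.nu mumindalen.nu -> _acme-challenge.www
#   acme_subdomain mumindalen.nu     mumindalen.nu -> _acme-challenge
acme_subdomain() {
  fqdn="$1"; zone="$2"
  if [ "$fqdn" = "$zone" ]; then
    printf '_acme-challenge\n'
  else
    printf '_acme-challenge.%s\n' "${fqdn%.$zone}"
  fi
}

# Guess the zone as the last two labels; set LOOPIA_ZONE to override.
default_zone() {
  printf '%s\n' "$1" | awk -F. '{ print $(NF-1) "." $NF }'
}

# Escape what would break the XML body (& first, then < and >); the password
# and the validation token are untrusted from XML's point of view.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

xml_string_param() {
  printf '    <param><value><string>%s</string></value></param>\n' "$(xml_escape "$1")"
}

# Body for addZoneRecord(customer, password, domain, subdomain, record_obj).
xmlrpc_add_zone_record() {
  ttl="${6:-300}"
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<methodCall>\n'
  printf '  <methodName>addZoneRecord</methodName>\n  <params>\n'
  xml_string_param "$1"; xml_string_param "$2"; xml_string_param "$3"; xml_string_param "$4"
  printf '    <param><value><struct>\n'
  printf '      <member><name>type</name><value><string>TXT</string></value></member>\n'
  printf '      <member><name>ttl</name><value><int>%s</int></value></member>\n' "$ttl"
  printf '      <member><name>priority</name><value><int>0</int></value></member>\n'
  printf '      <member><name>rdata</name><value><string>%s</string></value></member>\n' "$(xml_escape "$5")"
  printf '    </struct></value></param>\n  </params>\n</methodCall>\n'
}

# Body for removeSubdomain(customer, password, domain, subdomain).
xmlrpc_remove_subdomain() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<methodCall>\n'
  printf '  <methodName>removeSubdomain</methodName>\n  <params>\n'
  xml_string_param "$1"; xml_string_param "$2"; xml_string_param "$3"; xml_string_param "$4"
  printf '  </params>\n</methodCall>\n'
}

# POST a body from stdin. The body carries the API password, so it is never
# written to a log file here; only the response goes to stdout.
loopia_call() {
  curl -sS --fail -H 'Content-Type: text/xml' --data-binary @- "$LOOPIA_ENDPOINT"
}

# Wait until the zone's own authoritative server serves the TXT record, which
# bypasses resolver caches, before certbot lets Let's Encrypt look for it.
wait_for_txt() {
  name="$1"; expected="$2"; zone="$3"; tries="${4:-30}"
  ns=$(dig +short NS "$zone" | head -n 1)
  for _ in $(seq "$tries"); do
    dig +short TXT "$name" "@$ns" | grep -qF "\"$expected\"" && return 0
    sleep 5
  done
  echo "TXT record $name not visible at $ns after $tries tries" >&2
  return 1
}

hook_main() {
  zone="${LOOPIA_ZONE:-$(default_zone "$CERTBOT_DOMAIN")}"
  sub=$(acme_subdomain "$CERTBOT_DOMAIN" "$zone")
  case "$1" in
    auth)
      xmlrpc_add_zone_record "$LOOPIA_USER" "$LOOPIA_PASSWORD" "$zone" "$sub" "$CERTBOT_VALIDATION" \
        | loopia_call | grep -q '<string>OK</string>' || { echo "addZoneRecord failed" >&2; exit 1; }
      wait_for_txt "$sub.$zone" "$CERTBOT_VALIDATION" "$zone" ;;
    cleanup)
      xmlrpc_remove_subdomain "$LOOPIA_USER" "$LOOPIA_PASSWORD" "$zone" "$sub" | loopia_call >/dev/null ;;
  esac
}

# Dispatch only when given a mode, so the file can also be sourced for testing.
case "${1:-}" in auth|cleanup) hook_main "$1" ;; esac
```

The mode word (auth or cleanup) is part of the hook path you give certbot, because certbot itself passes no arguments to a hook. Sourcing the file from a shell lets you call acme_subdomain and xmlrpc_add_zone_record and inspect the generated XML without touching the network, which covers most of the debugging the post describes while keeping the password out of files in the script folder. When the auth hook returns non-zero, certbot aborts the order instead of sending Let's Encrypt to look for a record that is not yet served.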