@nikooo777
Last active January 11, 2019 12:34
How to convert a Certbot certificate configuration based on HTTP authentication to DNS based authentication

HTTP Authentication to DNS Authentication - Certbot (Letsencrypt)

Introduction

Certbot now supports DNS authentication (the ACME dns-01 challenge, in which you prove control of a domain through a TXT record instead of a file served over HTTP), and you probably already know that!

Official documentation here

While upgrading the infrastructure at LBRY, the company I work for, I needed to change certbot renewals from HTTP auth to DNS auth.

A quick Google search didn't bring any results for my simple question "How to convert a Certbot certificate configuration based on HTTP authentication to DNS based authentication" (hint: that's too long to be used as a search term!) so I thought I'd write up this simple guide.

This article will walk you through the simple steps of porting your old certificates from HTTP authentication to DNS authentication.

Requirements

You will need API access to your DNS provider. We use Cloudflare (a provider with an official certbot plugin), so the certbot-dns-cloudflare plugin must be installed on the server (python3-certbot-dns-cloudflare on Debian/Ubuntu, or certbot-dns-cloudflare from pip, installed the same way certbot itself was).

You need to put your DNS provider's API credentials on the server, in a file only root can read (chmod 600; certbot warns about unsafe permissions on this file, and anyone who can read it can change every DNS record the key controls). Here is an example:

content of /etc/letsencrypt/cloudflare_credentials.ini

# Cloudflare API credentials used by Certbot
dns_cloudflare_email = yourcloudflare@email.com
dns_cloudflare_api_key = yourcoolapikey

Note that dns_cloudflare_api_key is the account's Global API Key, which has full access to the whole Cloudflare account. Newer releases of the plugin also accept a scoped API token (dns_cloudflare_api_token, used instead of the email and key) limited to DNS edits on the zones you need; prefer that where your certbot version supports it.

Configuration changes

You must repeat the following step for each certificate (each renewal configuration file) you have.

Find and edit the domain configuration

You should be able to locate the configuration of your domain here: /etc/letsencrypt/renewal/cool.subdomain.com.conf

Open the file for editing. You should be presented with something similar to this:

# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/cool.subdomain.com/cert.pem
privkey = /etc/letsencrypt/live/cool.subdomain.com/privkey.pem
chain = /etc/letsencrypt/live/cool.subdomain.com/chain.pem
fullchain = /etc/letsencrypt/live/cool.subdomain.com/fullchain.pem
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/cool.subdomain.com

# Options and defaults used in the renewal process
[renewalparams]
authenticator = webroot
account = COOLACCOUNTID
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
cool.subdomain.com = /var/www/html/

Edit the version and the renewalparams block so that your configuration looks like this. The [[webroot_map]] section must go: it only makes sense with the webroot authenticator, and the dns_cloudflare_* options take its place.

NB: you can get the version by typing certbot --version

# renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/cool.subdomain.com
cert = /etc/letsencrypt/live/cool.subdomain.com/cert.pem
privkey = /etc/letsencrypt/live/cool.subdomain.com/privkey.pem
chain = /etc/letsencrypt/live/cool.subdomain.com/chain.pem
fullchain = /etc/letsencrypt/live/cool.subdomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
dns_cloudflare_propagation_seconds = 30
server = https://acme-v02.api.letsencrypt.org/directory
dns_cloudflare_credentials = /etc/letsencrypt/cloudflare_credentials.ini
authenticator = dns-cloudflare
account = COOLACCOUNTID

Save and close the file.
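The same edit, applied to every renewal configuration that still uses webroot, as an added shell script. This is not the gist's own code and certbot has no built-in command for it; it refuses to proceed if the credentials file is readable by other local users, swaps the authenticator, drops the [[webroot_map]] section and adds the two dns_cloudflare_* options, and leaves account, server and certificate paths untouched. The function names, the default 30 second propagation delay and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original gist): convert certbot renewal configs
# from the webroot (HTTP-01) authenticator to dns-cloudflare (DNS-01).
# Assumes the renewal conf format shown in the guide and that the
# certbot-dns-cloudflare plugin is already installed.
set -eu

# Refuse a credentials file other local users can read: the Cloudflare key in
# it can rewrite every DNS record the key controls.
check_creds_perms() {
    creds="$1"
    [ -f "$creds" ] || { echo "missing credentials file: $creds" >&2; return 1; }
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$creds" 2>/dev/null || stat -f '%Lp' "$creds")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$creds is mode $mode; run: chmod 600 $creds" >&2; return 1 ;;
    esac
}

# Rewrite one renewal conf in place: replace the authenticator line with the
# dns-cloudflare settings and skip the [[webroot_map]] section entirely.
# 'version' is left alone; certbot rewrites it on the next successful renewal.
convert_renewal_conf() {
    file="$1"; creds="$2"; wait_secs="${3:-30}"
    tmp="$file.tmp.$$"
    awk -v creds="$creds" -v wait="$wait_secs" '
        /^\[\[webroot_map\]\]/ { skip = 1; next }  # start of webroot_map section
        skip && /^\[/          { skip = 0 }        # any new section ends the skip
        skip                   { next }            # drop webroot_map entries
        /^authenticator *=/ {
            print "authenticator = dns-cloudflare"
            print "dns_cloudflare_credentials = " creds
            print "dns_cloudflare_propagation_seconds = " wait
            next
        }
        { print }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Convert every conf in DIR that still uses webroot; others are left as they are.
convert_all() {
    dir="$1"; creds="$2"; wait_secs="${3:-30}"
    check_creds_perms "$creds"
    for f in "$dir"/*.conf; do
        grep -q '^authenticator *= *webroot' "$f" || continue
        convert_renewal_conf "$f" "$creds" "$wait_secs"
        echo "converted $f"
    done
}

# Entry point: ./convert-to-dns.sh CREDS_FILE [PROPAGATION_SECONDS]
# Only runs when arguments are given, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
    convert_all /etc/letsencrypt/renewal "$1" "${2:-30}"
    certbot renew --dry-run
fi
```

Run it as root with the credentials file path as the first argument; it ends with certbot renew --dry-run so a broken conversion shows up immediately, before the real renewal is due. Back up /etc/letsencrypt/renewal first if you want an easy way to revert.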

Testing

If you were successful you should be able to run certbot renew --dry-run, which performs a real dns-01 challenge against the Let's Encrypt staging environment without touching the live certificates:

Output example:

root@coolserver:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/cool.subdomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for cool.subdomain.com
Waiting 30 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/cool.subdomain.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/cool.subdomain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Conclusions

Congratulations, you successfully reconfigured your certificates. You can go back to your daily routine now :)
