[tech] SSL on various services with LetsEncrypt

James Andrewartha trs80 at ucc.gu.uwa.edu.au
Fri Dec 7 23:01:43 AWST 2018


On Fri, 7 Dec 2018, Mark Tearle wrote:

> On Fri, 7 Dec 2018, at 10:50 AM, Felix von Perger wrote:
> 
>        o  Attempted to migrate AD domain controller host certificates on samson
>            o  Using certbot and custom scripts calling samba-tool to manually update a TXT record for
>               _acme-challenge.ad.ucc.gu.uwa.edu.au
>            o  In order to allow acme to issue a wildcard certificate for *.ad.ucc.gu.uwa.edu.au, the TXT record must be
>               resolvable externally;
>                #  Done by setting allow-recursion {any;} in mooneye:/etc/bind/named.conf.options
>                #  There doesn't seem to be a way to have more fine-grained access control to recursion/forwarding queries
>                   to forward zones while using bind, so this seems like the only option that would work
>                #  It also means that anyone can ask mooneye to do DNS lookups for any domain. Is this a bad thing?!
>            o  It may be possible to request certificates using HTTP port 80 as the proof of ownership mechanism - however
>               we cannot generate wildcard certificates this way.
>                #  Nothing else listens on port 80 on AD DCs
>                #  samson.ad.ucc.gu.uwa.edu.au still needs to be externally resolvable - which can only be done in our
>                   current software configuration by allow-recursion {any;}
> 
> Can you use the CNAME method for pointing _acme-challenge elsewhere so you don't have to have recursion turned on?
> 
> https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation
> 
> http://strugglers.net/~andy/blog/2018/03/19/lets-encrypt-wildcard-certificates-acme-sh-and-automated-dns-verification/

+1 - I use the acme.sh method used in the second link at work to verify my 
internal-only domains, it works well.

-- 
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /
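As an added example (not from anyone in this thread), the shape of the CNAME delegation Mark describes, written for acme.sh's DNS alias mode. Only the `_acme-challenge` label of the private AD zone needs to be resolvable from outside, and it is a CNAME into a separate zone the ACME client can write to, so `allow-recursion` on the internal resolver can stay restricted to local clients. The alias zone name `acme-dns.example.org`, the nsupdate server and key path are placeholders; the wildcard and base domain are the ones from Felix's report.

```sh
#!/bin/sh
# Added example: CNAME-delegated ("DNS alias") validation for a private zone.
# Assumptions (not from the thread): the alias zone acme-dns.example.org is
# publicly resolvable and accepts RFC 2136 updates from this host using the
# TSIG key at /etc/acme/acme-dns.key.

# Label the ACME server looks up for a domain. A wildcard and its base
# domain validate under the same label, so one CNAME covers both.
acme_challenge_label() {
    d=${1#"*."}
    printf '_acme-challenge.%s\n' "$d"
}

# The only record that must exist in a *publicly visible* zone: delegate
# the private domain's challenge label into the alias zone. The rest of
# ad.ucc.gu.uwa.edu.au stays internal.
delegation_record() {
    printf '%s. IN CNAME %s.\n' \
        "$(acme_challenge_label "$1")" "$(acme_challenge_label "$2")"
}

# Check from a public resolver that the delegation is visible, the way
# the ACME server will see it (needs network; not run by the test).
verify_delegation() {
    dig +short @1.1.1.1 CNAME "$(acme_challenge_label "$1")"
}

# Issue base + wildcard. acme.sh writes the TXT records under
# _acme-challenge.<alias>, reached via the CNAME above, using nsupdate
# against the alias zone's server (placeholders below).
issue_wildcard() {
    base=$1
    alias=$2
    export NSUPDATE_SERVER="ns1.acme-dns.example.org"   # assumed
    export NSUPDATE_KEY="/etc/acme/acme-dns.key"        # assumed
    acme.sh --issue \
        -d "$base" -d "*.$base" \
        --dns dns_nsupdate \
        --challenge-alias "$alias"
}

# Usage (commented out so the script is safe to source):
# delegation_record ad.ucc.gu.uwa.edu.au acme-dns.example.org   # add to public zone
# verify_delegation ad.ucc.gu.uwa.edu.au
# issue_wildcard ad.ucc.gu.uwa.edu.au acme-dns.example.org
```

Two TXT values end up under `_acme-challenge.acme-dns.example.org` during one issuance (one for the base name, one for the wildcard); that is fine, since the validator accepts any matching TXT record at the name the CNAME chain ends on.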