alexkarle.com

Source for alexkarle.com
git clone git://git.alexkarle.com/alexkarle.com.git

commit 424b8c4a0828d8d5d8f45ce3955c921b8c5e94f8 (patch)
parent 55cd30e6c22a1e77111b7b8e64386e410c7dcded
Author: Alex Karle <alex@alexkarle.com>
Date:   Sun,  2 Jan 2022 00:09:57 -0500

notes: Add note on manual wildcard DNS w uacme

Again, this is *not* a recommendation (hence in notes and not the
blog). I have a hunch it'll be useful to understand this when I
get around to automating it with a better client though, so here
it is!

Diffstat:
A gopher/notes/all/wildcard-dns-certs.txt | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+), 0 deletions(-)

diff --git a/gopher/notes/all/wildcard-dns-certs.txt b/gopher/notes/all/wildcard-dns-certs.txt 
@@ -0,0 +1,46 @@ +On Obtaining Wildcard DNS Certs +------------------------------- +Sat Jan 1 23:56:53 EST 2022 + +NOTE: I *DO NOT* recommend following this advice in its current +form. I wanted to document it for my future self though, so here +goes. + +I run a small site where I want a wildcard cert so that I can +cover non-public domains. In other words, if the site is +example.com, I want *.example.com so that things like +irc.example.com will have a valid cert even though the IP is +internal-only (behind wireguard). + +Normally, I use acme-client(1) since it's in base OpenBSD and +works great... but to get a wildcard cert it seems necessary to +do a DNS challenge, which isn't supported. + +While I'm sure there's many BETTER ways to do this, I had success +manually obtaining a cert like so, which, in its own right is +interesting to document since it says something about the +process: + + # uacme issue example.com *.example.com + uacme: challenge=dns-01 ident=example.com token=TOKEN key_auth=KEY + uacme: type 'y' followed by a newline to accept challenge, anything else to skip + y + uacme: challenge=http-01 ident=example.com token=TOKEN key_auth=KEY + uacme: type 'y' followed by a newline to accept challenge, anything else to skip + y + +The first prompt whas the DNS challenge--I had to make a TXT +record with the name _acme_challenge.example.com and put the KEY +value there. + +The second was an HTTP challenge--I had to make a file with the +TOKEN name and put the KEY in its contents. The file had to be +accessible from: + + GET example.com/.well-known/acme-challenge/TOKEN + +My understanding is that the HTTP challenge is something +acme-client(1) does, but that the DNS challenge would require +working with a DNS provider that has an API (and a client that +understands it). For now, I've got a valid cert, a new sense of +understanding, and a few months to get the automation in place :)
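Review bot: the TXT record name given in the dns-01 paragraph is wrong and will make the challenge fail if a future reader copies it: RFC 8555 section 8.4 puts the record at `_acme-challenge.example.com` (hyphen after `_acme`), not `_acme_challenge.example.com`. Suggest changing "record with the name _acme_challenge.example.com and put the KEY" to "record with the name _acme-challenge.example.com and put the KEY". In the same paragraph, "whas" should be "was". Two further things worth stating in the note since it is meant as the seed for later automation: (1) the value the ACME server expects in that TXT record is the base64url-encoded SHA-256 digest of the key authorization, not the key authorization itself; uacme(1) documents that for dns-01 the value it hands out (printed here as key_auth) is already that digest, so "put the KEY value there" is right, but a hook script must not hash it again, while for http-01 the file body is the raw key authorization; confirm against the uacme man page for the installed version before scripting it. (2) The wildcard key pair, once issued, is valid for every name under example.com, so wherever the public site's private key lives it also covers irc.example.com and the other wireguard-only hosts; that is the trade-off being made for keeping internal names out of CT logs, and the note should say so.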