From 424b8c4a0828d8d5d8f45ce3955c921b8c5e94f8 Mon Sep 17 00:00:00 2001 From: Alex Karle Date: Sun, 2 Jan 2022 00:09:57 -0500 Subject: [PATCH] notes: Add note on manual wildcard DNS w uacme Again, this is *not* a recommendation (hence in notes and not the blog). I have a hunch it'll be useful to understand this when I get around to automating it with a better client though, so here it is! --- gopher/notes/all/wildcard-dns-certs.txt | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 gopher/notes/all/wildcard-dns-certs.txt diff --git a/gopher/notes/all/wildcard-dns-certs.txt b/gopher/notes/all/wildcard-dns-certs.txt new file mode 100644 index 0000000..81e0734 --- /dev/null +++ b/gopher/notes/all/wildcard-dns-certs.txt @@ -0,0 +1,46 @@ +On Obtaining Wildcard DNS Certs +------------------------------- +Sat Jan 1 23:56:53 EST 2022 + +NOTE: I *DO NOT* recommend following this advice in its current +form. I wanted to document it for my future self though, so here +goes. + +I run a small site where I want a wildcard cert so that I can +cover non-public domains. In other words, if the site is +example.com, I want *.example.com so that things like +irc.example.com will have a valid cert even though the IP is +internal-only (behind wireguard). + +Normally, I use acme-client(1) since it's in base OpenBSD and +works great... but to get a wildcard cert it seems necessary to +do a DNS challenge, which isn't supported. + +While I'm sure there's many BETTER ways to do this, I had success +manually obtaining a cert like so, which, in its own right is +interesting to document since it says something about the +process: + + # uacme issue example.com *.example.com + uacme: challenge=dns-01 ident=example.com token=TOKEN key_auth=KEY + uacme: type 'y' followed by a newline to accept challenge, anything else to skip + y + uacme: challenge=http-01 ident=example.com token=TOKEN key_auth=KEY + uacme: type 'y' followed by a newline to accept challenge, anything else to skip + y + +The first prompt whas the DNS challenge--I had to make a TXT +record with the name _acme_challenge.example.com and put the KEY +value there. + +The second was an HTTP challenge--I had to make a file with the +TOKEN name and put the KEY in its contents. The file had to be +accessible from: + + GET example.com/.well-known/acme-challenge/TOKEN + +My understanding is that the HTTP challenge is something +acme-client(1) does, but that the DNS challenge would require +working with a DNS provider that has an API (and a client that +understands it). For now, I've got a valid cert, a new sense of +understanding, and a few months to get the automation in place :) -- libgit2 1.1.1