Hi,
I'm trying to set up automatic wildcard Let's Encrypt certificate renewal using PowerDNS and certbot.
I've followed these guides/resources:
- https://doc.powerdns.com/authoritative/ … w-it-works
- https://wiki.archlinux.org/index.php/Certbot
- https://certbot-dns-rfc2136.readthedocs.io/en/latest/
What I did:
mysql -h localhost -u powerdns -pmypass powerdns -e "select * from tsigkeys"
+----+--------+-------------+----------+
| id | name | algorithm | secret |
+----+--------+-------------+----------+
| 1 | cerbot | hmac-sha512 | mysecret |
+----+--------+-------------+----------+
mysql -h localhost -u powerdns -pmypass powerdns -e "select * from domainmetadata"
+----+-----------+----------------------+-----------+
| id | domain_id | kind | content |
+----+-----------+----------------------+-----------+
| 1 | 1 | ALLOW-AXFR-FROM | AUTO-NS |
| 2 | 1 | TSIG-ALLOW-AXFR | certbot |
| 3 | 1 | ALLOW-DNSUPDATE-FROM | 0.0.0.0/0 |
| 4 | 1 | TSIG-ALLOW-DNSUPDATE | certbot |
| 5 | 1 | NOTIFY-DNSUPDATE | 1 |
+----+-----------+----------------------+-----------+
Testing it with:
nsupdate -y hmac-sha512:certbot:secret
> server 127.0.0.1
> zone myzone.com
> update add _test.mysite.com. 60 IN TXT "test"
> send
; TSIG error with server: expected a TSIG or SIG(0)
update failed: REFUSED
> quit
PowerDNS log says:
Packet for domain 'mysite.com' denied: can't find TSIG key with name 'certbot' and algorithm 'hmac-sha512'
If any other info is needed, let me know.
Thanks
Last edited by predmijat (2018-10-01 10:03:24)
So yeah, it's "certbot", not "cerbot"...
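A consistency check for the mismatch in this thread, as an added example (not from the original post or from PowerDNS itself): it loads constructed copies of the two tables shown above into an in-memory sqlite3 database standing in for the MySQL backend (the secret is a placeholder) and reports every TSIG-ALLOW-* entry whose key name has no matching row in tsigkeys, together with near-miss names such as "cerbot".

```python
import sqlite3

# Constructed copies of the two PowerDNS tables from the post, typo included.
TSIGKEYS = [(1, "cerbot", "hmac-sha512", "PLACEHOLDER-SECRET")]
DOMAINMETADATA = [
    (1, 1, "ALLOW-AXFR-FROM", "AUTO-NS"),
    (2, 1, "TSIG-ALLOW-AXFR", "certbot"),
    (3, 1, "ALLOW-DNSUPDATE-FROM", "0.0.0.0/0"),
    (4, 1, "TSIG-ALLOW-DNSUPDATE", "certbot"),
    (5, 1, "NOTIFY-DNSUPDATE", "1"),
]

def load_db(tsigkeys, domainmetadata):
    """In-memory sqlite3 stand-in for the MySQL backend, same column layout."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tsigkeys (id INTEGER, name TEXT, algorithm TEXT, secret TEXT)")
    db.execute("CREATE TABLE domainmetadata (id INTEGER, domain_id INTEGER, kind TEXT, content TEXT)")
    db.executemany("INSERT INTO tsigkeys VALUES (?,?,?,?)", tsigkeys)
    db.executemany("INSERT INTO domainmetadata VALUES (?,?,?,?)", domainmetadata)
    return db

def dangling_tsig_refs(db):
    """(domain_id, kind, key_name) for each TSIG-ALLOW-* entry naming a key that
    is absent from tsigkeys; PowerDNS then answers REFUSED with the log line
    "can't find TSIG key with name ...". Portable SQL, so it also runs on MySQL."""
    return db.execute(
        "SELECT m.domain_id, m.kind, m.content FROM domainmetadata m "
        "LEFT JOIN tsigkeys k ON k.name = m.content "
        "WHERE m.kind IN ('TSIG-ALLOW-AXFR', 'TSIG-ALLOW-DNSUPDATE') "
        "AND k.name IS NULL ORDER BY m.id"
    ).fetchall()

def edit_distance_leq1(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    for i in range(len(b)):
        # drop b[i] (deletion) or drop position i from both (substitution)
        if a == b[:i] + b[i + 1:] or (len(a) == len(b) and a[:i] + a[i + 1:] == b[:i] + b[i + 1:]):
            return True
    return False

def audit(tsigkeys, domainmetadata):
    """List dangling TSIG references with the stored key names they nearly match."""
    db = load_db(tsigkeys, domainmetadata)
    known = [row[0] for row in db.execute("SELECT name FROM tsigkeys")]
    return [{"domain_id": d, "kind": kind, "missing": name,
             "did_you_mean": [k for k in known if edit_distance_leq1(k, name)]}
            for d, kind, name in dangling_tsig_refs(db)]

if __name__ == "__main__":
    for finding in audit(TSIGKEYS, DOMAINMETADATA):
        print(finding)
```

Since ALLOW-DNSUPDATE-FROM is 0.0.0.0/0 here, update packets are accepted from any source address and the TSIG check is the only thing gating updates to the zone.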