
#1 2018-09-29 22:25:48

predmijat
Member
Registered: 2014-09-30
Posts: 39

[SOLVED] PowerDNS and automatic wildcard Let's Encrypt certifica...

Hi,

I'm trying to set up automatic wildcard Let's Encrypt certificate renewal using PowerDNS and certbot.

I've followed these guides/resources:
- https://doc.powerdns.com/authoritative/ … w-it-works
- https://wiki.archlinux.org/index.php/Certbot
- https://certbot-dns-rfc2136.readthedocs.io/en/latest/

What I did:

mysql -h localhost -u powerdns -pmypass powerdns -e "select * from tsigkeys"
+----+--------+-------------+----------+
| id | name   | algorithm   | secret   |
+----+--------+-------------+----------+
|  1 | cerbot | hmac-sha512 | mysecret |
+----+--------+-------------+----------+
mysql -h localhost -u powerdns -pmypass powerdns -e "select * from domainmetadata"
+----+-----------+----------------------+-----------+
| id | domain_id | kind                 | content   |
+----+-----------+----------------------+-----------+
|  1 |         1 | ALLOW-AXFR-FROM      | AUTO-NS   |
|  2 |         1 | TSIG-ALLOW-AXFR      | certbot   |
|  3 |         1 | ALLOW-DNSUPDATE-FROM | 0.0.0.0/0 |
|  4 |         1 | TSIG-ALLOW-DNSUPDATE | certbot   |
|  5 |         1 | NOTIFY-DNSUPDATE     | 1         |
+----+-----------+----------------------+-----------+

Testing it with:

nsupdate -y hmac-sha512:certbot:secret
> server 127.0.0.1
> zone myzone.com
> update add _test.mysite.com. 60 IN TXT "test"
> send
; TSIG error with server: expected a TSIG or SIG(0)
update failed: REFUSED
> quit

PowerDNS log says:

Packet for domain 'mysite.com' denied: can't find TSIG key with name 'certbot' and algorithm 'hmac-sha512'

If any other info is needed, let me know.

Thanks

Last edited by predmijat (2018-10-01 10:03:24)


#2 2018-10-01 10:02:45

predmijat
Member
Registered: 2014-09-30
Posts: 39

Re: [SOLVED] PowerDNS and automatic wildcard Let's Encrypt certifica...

So yeah, it's "certbot", not "cerbot"...

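The failure in this thread is a one-letter drift between two tables: `tsigkeys` holds the key under one name, `domainmetadata` references it under another, and PowerDNS refuses the update because it "can't find TSIG key with name 'certbot'". The check below is an added example written for this page; it is not code from the poster or from PowerDNS. It audits rows shaped like the two tables shown in post #1 (the sample rows are constructed from that post), reports referenced key names that do not exist in `tsigkeys` with a closest-match hint, and flags two caveats a practitioner would want to see: a `TSIG-ALLOW-*` name that differs from the stored key only in case or a trailing dot, and an `ALLOW-DNSUPDATE-FROM` of `0.0.0.0/0`, which means the TSIG key is the only thing gating updates (or nothing is, if `TSIG-ALLOW-DNSUPDATE` is missing). The `new_tsig_sql` helper produces both rows from one variable so the names cannot drift; the `%s` placeholder style, the dict shape of the rows and the choice of a 64-byte secret are this example's assumptions.

```python
"""Audit PowerDNS TSIG / DNSUPDATE metadata for key-name mismatches.

Added example for this page, not code from the thread or from PowerDNS.
Input rows have the shape of the gmysql `tsigkeys` and `domainmetadata`
tables shown in post #1; the sample rows below are constructed from it.
"""
import base64
import difflib
import secrets

TSIG_KINDS = ("TSIG-ALLOW-DNSUPDATE", "TSIG-ALLOW-AXFR")
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}

# Constructed from the tables in post #1 (the secret is a placeholder there too).
SAMPLE_TSIGKEYS = [
    {"name": "cerbot", "algorithm": "hmac-sha512", "secret": "mysecret"},
]
SAMPLE_METADATA = [
    {"domain_id": 1, "kind": "ALLOW-AXFR-FROM", "content": "AUTO-NS"},
    {"domain_id": 1, "kind": "TSIG-ALLOW-AXFR", "content": "certbot"},
    {"domain_id": 1, "kind": "ALLOW-DNSUPDATE-FROM", "content": "0.0.0.0/0"},
    {"domain_id": 1, "kind": "TSIG-ALLOW-DNSUPDATE", "content": "certbot"},
    {"domain_id": 1, "kind": "NOTIFY-DNSUPDATE", "content": "1"},
]


def norm(name):
    """DNS-name style comparison: case-insensitive, trailing dot ignored."""
    return name.rstrip(".").lower()


def audit(tsigkeys, domainmetadata):
    """Return (severity, domain_id, message) findings for the given rows."""
    findings = []
    known = {k["name"] for k in tsigkeys}
    by_norm = {norm(n): n for n in known}

    per_zone = {}
    for row in domainmetadata:
        per_zone.setdefault(row["domain_id"], []).append(row)

    for domain_id, rows in per_zone.items():
        kinds = {r["kind"] for r in rows}
        for row in rows:
            kind, content = row["kind"], row["content"]
            if kind in TSIG_KINDS:
                if content in known:
                    continue                      # exact match: fine
                if norm(content) in by_norm:      # differs only in case / dot
                    findings.append(("warn", domain_id,
                        f"{kind} references '{content}' but tsigkeys has "
                        f"'{by_norm[norm(content)]}'"))
                    continue
                msg = f"{kind} references TSIG key '{content}' which is not in tsigkeys"
                hint = difflib.get_close_matches(content, sorted(known), n=1)
                if hint:
                    msg += f"; did you mean '{hint[0]}'?"
                findings.append(("error", domain_id, msg))
            elif kind == "ALLOW-DNSUPDATE-FROM" and content in ANY_ADDRESS:
                if "TSIG-ALLOW-DNSUPDATE" in kinds:
                    findings.append(("warn", domain_id,
                        "ALLOW-DNSUPDATE-FROM accepts any source address; "
                        "only the TSIG key gates updates"))
                else:
                    findings.append(("error", domain_id,
                        "ALLOW-DNSUPDATE-FROM accepts any source address and "
                        "no TSIG-ALLOW-DNSUPDATE is set: updates are unauthenticated"))
    return findings


def new_tsig_sql(domain_id, name, algorithm="hmac-sha512", secret=None):
    """Parameterised statements that create a key and reference it under
    one and the same name, so the two tables cannot drift apart.

    Assumption: a 64-random-byte secret (the HMAC-SHA512 output size),
    base64-encoded as PowerDNS stores it.  Returns
    [(sql_with_%s_placeholders, params), ...] for a DB-API cursor (PyMySQL style).
    """
    if secret is None:
        secret = base64.b64encode(secrets.token_bytes(64)).decode()
    return [
        ("INSERT INTO tsigkeys (name, algorithm, secret) VALUES (%s, %s, %s)",
         (name, algorithm, secret)),
        ("INSERT INTO domainmetadata (domain_id, kind, content) VALUES (%s, %s, %s)",
         (domain_id, "TSIG-ALLOW-DNSUPDATE", name)),
        ("INSERT INTO domainmetadata (domain_id, kind, content) VALUES (%s, %s, %s)",
         (domain_id, "TSIG-ALLOW-AXFR", name)),
    ]


if __name__ == "__main__":
    for sev, zone, msg in audit(SAMPLE_TSIGKEYS, SAMPLE_METADATA):
        print(f"[{sev}] domain_id={zone}: {msg}")
```

Run against the rows from post #1 it reports two errors, both suggesting `cerbot` as the nearest existing key, plus the world-open update warning; once the key is renamed to `certbot` only that warning remains. Instead of hand-written INSERTs, `pdnsutil generate-tsig-key certbot hmac-sha512` followed by `pdnsutil set-meta <zone> TSIG-ALLOW-DNSUPDATE certbot` keeps the same name in both places as well, and the `-y hmac-sha512:certbot:<secret>` argument to nsupdate must use exactly that name and algorithm.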
