New Feature: DNS-01 Challenge implemented

A new feature: using the DNS-01 challenge to validate a certificate order.

This guide showcases the newly implemented DNS-01 challenge for validating a domain and obtaining a certificate.

The example requires a manual step to update your DNS server and is not fully automated, but with tools that update DNS records automatically this validation method can be made fully automatic. E.g. pfSense's acme package has built-in providers for many third-party DNS hosting services, which fully automates obtaining a certificate.

The client used in this example is https://github.com/EnigmaBridge/certbot-external-auth, which works quite well. It is built in Python and is installed as the following two packages using pip.

pip install certbot
pip install certbot-external-auth

Perform DNS-01 Challenge:

The following command uses your registered account and requests a certificate using the certbot-external-auth plugin installed above. (The plugin option --certbot-external-auth:out-public-ip-logging-ok is a separate argument from the --configurator value.)

root@acme:/root# certbot certonly --configurator certbot-external-auth:out --certbot-external-auth:out-public-ip-logging-ok -d "[YOUR_FQDN]" --server "https://api.buypass.com/acme/directory/"

After issuing this command you will receive output like the block below, which includes a JSON string carrying the validation string. This is the "validation" value: "validation": "2NNcP-IvsR6xZUi_uwiguPEC0Ikp2h6RkDB9_RRUqco".

The client then waits until you hit enter before it tries to validate the DNS TXT record that must contain the validation string.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator certbot-external-auth:out, Installer certbot-external-auth:out
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for [YOUR_FQDN]
{"cmd": "perform_challenge", "type": "dns-01", "domain": "[YOUR_FQDN]", "token": "0A046FB763865F6190952A9FED41C393822119E6", "validation": "2NNcP-IvsR6xZUi_uwiguPEC0Ikp2h6RkDB9_RRUqco", "txt_domain": "_acme-challenge.[YOUR_FQDN]", "key_auth": "0A046FB763865F6190952A9FED41C393822119E6.JU5gckExdl3_lwBYP5vPoS6FElTkd_UrVlw7Xf9CjuA"}

Update DNS record

Creating the TXT record for the DNS-01 challenge requires the name "_acme-challenge" followed by the FQDN, e.g. "_acme-challenge.example.buypass.com", with the validation string as its value. DigitalOcean autocompletes the record name with the zone name, so in that case remove the zone part from the string above and it should work. The example below is from DigitalOcean, where this would generate the TXT record for the DNS-01 challenge.

Finish the DNS-01 challenge

After saving the validation string, hit enter on the CLI to proceed with the DNS-01 challenge and wait for verification to finish. If everything is good, the following message should appear stating you've successfully obtained a certificate.

Waiting for verification...
Cleaning up challenges
{"cmd": "cleanup", "type": "dns-01", "status": "pending", "domain": "[YOUR_FQDN]", "token": "A0CC83DD9D52A9BA4E90D5556F2A5DFB9FF3358A", "validation": "FWeDw9Nfo1IOxHIEFDkFF6-nLD8GJ2uculy1vKWkj54", "key_auth": "A0CC83DD9D52A9BA4E90D5556F2A5DFB9FF3358A.59HGzeN3Q3R2BBsgZ8ZTzY9HXGUfgeyB_cAiI5mg-ec", "validated": null, "error": null}
{"cmd": "report", "messages": [{"priority": 1, "on_crash": true, "lines": ["Congratulations! Your certificate and chain have been saved at:", "/etc/letsencrypt/live/[YOUR_FQDN]/fullchain.pem", "Your key file has been saved at:", "/etc/letsencrypt/live/[YOUR_FQDN]/privkey.pem", "Your cert will expire on 2019-03-24. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run \"certbot renew\""]}, {"priority": 2, "on_crash": true, "lines": ["If you like Certbot, please consider supporting our work by:", "", "Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate", "Donating to EFF:                    https://eff.org/donate-le", ""]}]}
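As an added example (not code from the original post or from the certbot-external-auth project), the script below derives the TXT value from the key_auth string in the perform_challenge JSON above, the way RFC 8555 section 8.4 defines it, and checks constructed resolver answers against it so the record can be confirmed before pressing enter; the domain and the resolver answers are assumed and constructed.

```python
"""Added example (not part of the original post or of certbot-external-auth):
derive the DNS-01 TXT value from the key_auth string the plugin prints
(RFC 8555 section 8.4) and check resolver output against it before
answering the challenge, so a missing or stale record is caught before
the CA counts a failed attempt."""
import base64
import hashlib
import re

B64URL_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")  # 32-byte digest, unpadded


def dns01_validation(key_auth: str) -> str:
    """TXT value = base64url(SHA-256(key_authorization)) without '=' padding."""
    digest = hashlib.sha256(key_auth.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def txt_domain(fqdn: str) -> str:
    """Name the CA queries: '_acme-challenge.' prefixed to the FQDN."""
    return "_acme-challenge." + fqdn.strip().rstrip(".").lower()


def normalise_txt(rdata: str) -> str:
    """dig prints TXT data as one or more quoted strings; join and unquote them."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata.strip()


def txt_record_ready(rdatas, expected: str) -> bool:
    """True when at least one TXT string equals the expected validation value.
    Extra values (e.g. an earlier challenge not yet cleaned up) are tolerated."""
    return any(normalise_txt(r) == expected for r in rdatas)


if __name__ == "__main__":
    # key_auth copied from the perform_challenge JSON in the post above
    key_auth = ("0A046FB763865F6190952A9FED41C393822119E6."
                "JU5gckExdl3_lwBYP5vPoS6FElTkd_UrVlw7Xf9CjuA")
    value = dns01_validation(key_auth)
    print(txt_domain("example.buypass.com"), "TXT", value)  # assumed domain
    # Constructed resolver answers, in the form `dig +short TXT` prints them;
    # to check a live record, replace this list with that command's output lines.
    answers = ['"' + value + '"', '"old-challenge-value"']
    print("record ready:", txt_record_ready(answers, value))
```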
  • The certificate is found in both locations, but my site remains the same (without HTTPS). Can you help me?

    I'm using CentOS 7 with Nginx. I installed LEMP.

    My site works normally but is without SSL.

    Details; https://www.itextpad.com/MrhlNGqAzQ

    • lserpes Okay, so once you've obtained a certificate, you have to configure your Nginx server to set up HTTPS for your website / domain. Nginx has documented this process here: http://nginx.org/en/docs/http/configuring_https_servers.html.

      For your site something like this should probably work. Replace all "[FQDN]" with your domain name. This should redirect HTTP to your HTTPS-enabled site, which allows certain cipher suites and only TLS v1.2. Also, your root directory must be set correctly.

      # Redirect all plain HTTP requests to HTTPS
      server {
          listen 80 default_server;
          listen [::]:80 default_server;
          server_name [FQDN];
          return 301 https://$server_name$request_uri;
      }

      # SSL configuration
      server {
          listen 443 ssl default_server;
          listen [::]:443 ssl default_server;

          server_name [FQDN];

          root /var/www/html;

          # fullchain.pem carries the intermediate certificate as well; serving
          # cert.pem alone leaves clients without the chain and causes trust errors
          ssl_certificate     /etc/letsencrypt/live/[FQDN]/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/[FQDN]/privkey.pem;
          ssl_ciphers         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
          ssl_protocols       TLSv1.2;
      }
  • Dear BuyPass Technical Dept,

    I tried DNS-01 Challenge validation,

    but the error is as below.

    Please solve the below error.

    Thanks

    =============================================

    Waiting for verification...
    Cleaning up challenges
    {"cmd": "cleanup", "type": "dns-01", "status": "pending", "domain": "ssl**.****.kr", "token": "55CD56F8E5B88005239084F3219A39B49B06D114", "validation": "7GWQuEKlxdPgfVQtwo8Vb8scLu3Iveo9Qdg_e34S1kE", "key_auth": "55CD56F8E5B88005239084F3219A39B49B06D114.e7lUZ6opjBXHkciwtBljSkZRwFfxriieJzqpkXEjZZ0", "validated": null, "error": null}
    An unexpected error occurred:
    Error: about:blank
    Please see the logfiles in /var/log/letsencrypt for more details.
    {"cmd": "report", "messages": []}

    =============================================


    In the letsencrypt.log it appears as below:

    =============================================

    2018-11-25 02:35:05,679:DEBUG:urllib3.connectionpool:https://api.buypass.com:443 "POST /acme/authz/faQ1McIcTkT42kS8OY-VxY2wG2YGFhw2ybhlhecWmrA/2 HTTP/1.1" 500 89
    2018-11-25 02:35:05,679:DEBUG:acme.client:Received response:
    HTTP 500
    Date: Sun, 25 Nov 2018 02:35:05 GMT
    X-Buypass-Internal-Error-Detail-Code: INTERNAL_SERVER_ERROR
    Content-Type: application/json
    Access-Control-Allow-Origin: https://www.buypass.no
    Access-Control-Allow-Methods: GET,HEAD,POST
    Access-Control-Allow-Credentials: false
    MDC-correlationId: f64db836-74d5-48bb-9ab1-fbc430a13104
    Access-Control-Allow-Headers: Content-Type,Authorization,X-Requested-With,Content-Length,Accept,Origin,X-Buypass-Session-Id,X-Buypass-Locale
    Cache-Control: no-store
    Content-Language: en
    Access-Control-Expose-Headers: Replay-Nonce, Location, Link, Content-Location
    Content-Length: 89

    {"code":500,"message":"INTERNAL_SERVER_ERROR","details":"HTTP 500 Internal Server Error"}
    2018-11-25 02:35:05,680:DEBUG:acme.client:Ignoring wrong Content-Type ('application/json') for JSON Error
    2018-11-25 02:35:05,680:DEBUG:certbot.error_handler:Encountered exception:
    Traceback (most recent call last):
      File "/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
        self._respond(aauthzrs, resp, best_effort)
      File "/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 158, in _respond
        self._send_responses(aauthzrs, resp, chall_update)
      File "/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 191, in _send_responses
        self.acme.answer_challenge(achall.challb, resp)
      File "/usr/local/lib/python2.7/dist-packages/acme/client.py", line 157, in answer_challenge
        response = self._post(challb.uri, response)
      File "/usr/local/lib/python2.7/dist-packages/acme/client.py", line 94, in _post
        return self.net.post(*args, **kwargs)
      File "/usr/local/lib/python2.7/dist-packages/acme/client.py", line 1130, in post
        return self._post_once(*args, **kwargs)
      File "/usr/local/lib/python2.7/dist-packages/acme/client.py", line 1147, in _post_once
        response = self._check_response(response, content_type=content_type)
      File "/usr/local/lib/python2.7/dist-packages/acme/client.py", line 999, in _check_response
        raise messages.Error.from_json(jobj)
    Error: about:blank
    • Hi Daniel 

      We have identified the cause of this error.

      The request made by the ACME client was rate limited due to too many failed attempts, and this was incorrectly reported as a server error.

      We are working on fixing this issue.

      Regards,

      Andriy

    • Hi Daniel

      We have fixed some reported bugs.

      The ACME-server will report a rateLimited error once rate limit is exceeded.

      Regards,

      Andriy

  • DNS-01 seems to be working fine. Thanks!
    Funny that you mention pfSense though, as it relies on the acme.sh client, which didn't seem to quite like your implementation of the ACME server and the RFC draft when I tested it.

Buypass Official Community

This is the official community of Buypass, a Root CA located in Norway.