Letsencrypt with Zonomi and Rimuhosting name servers using hooks

SSL is good, you should use it everywhere!

Let's Encrypt is a project that lets you obtain signed certificates for free (you should consider donating, though) to secure your website. A lot of effort has gone into making this accessible to anyone.

Before issuing a certificate, a Certificate Authority checks that you control the domain: by sending validation emails to specific addresses within the domain, by requesting a specific file from the website for the domain, or by checking a special DNS record during issuance. Let's Encrypt uses the latter two (the HTTP-01 and DNS-01 challenge types). These special files or DNS records are called challenges. The DNS challenge is the one that also works for hosts that run no web server and is the only one accepted for wildcard certificates, and if you host your DNS zones on Rimuhosting or Zonomi name servers there is now an easy way to have it handled for you when issuing Let's Encrypt certificates.

(Photo by Steven Lilley)

We have been contributing to the Lexicon project to get Zonomi and Rimuhosting supported in the most commonly used Let's Encrypt clients, dehydrated and certbot. Here is what we have so far to get DNS-challenge based certificates issued.

The DNS challenges are set up using the Zonomi or Rimuhosting DNS API.

Before starting, make sure you have your DNS API key at hand; it can be found at http://zonomi.com/app/cp/apikeys.jsp and https://rimuhosting.com/cp/apikeys.jsp respectively. Treat it like a password: anyone holding it can change your zones, which is enough to obtain certificates for your domains.

Installing Dehydrated

Installing dehydrated is quite straightforward:

cd /opt
git clone 'https://github.com/lukas2511/dehydrated.git'
/opt/dehydrated/dehydrated --register --accept-terms

The certificates end up under /opt/dehydrated/certs/ in one directory per domain, e.g.:

/opt/dehydrated/certs/DOMAIN.TLD/fullchain-1513034748.pem
/opt/dehydrated/certs/DOMAIN.TLD/privkey-1513034748.pem
/opt/dehydrated/certs/DOMAIN.TLD/cert-1513034748.pem
/opt/dehydrated/certs/DOMAIN.TLD/fullchain.pem
/opt/dehydrated/certs/DOMAIN.TLD/cert-1513034748.csr
/opt/dehydrated/certs/DOMAIN.TLD/cert.csr
/opt/dehydrated/certs/DOMAIN.TLD/privkey.pem
/opt/dehydrated/certs/DOMAIN.TLD/cert.pem
/opt/dehydrated/certs/DOMAIN.TLD/chain.pem
/opt/dehydrated/certs/DOMAIN.TLD/chain-1513034748.pem

Lexicon and Dehydrated

Install Lexicon and use its sample dehydrated hook to issue certificates:

pip install dns-lexicon
wget 'https://raw.githubusercontent.com/AnalogJ/lexicon/master/examples/dehydrated.default.sh' -O /opt/dehydrated/lexicon.hook.sh
chmod +x /opt/dehydrated/lexicon.hook.sh
export PROVIDER=zonomi; \
export LEXICON_ZONOMI_TOKEN=XXXXXXXXXXXXXXX; \
/opt/dehydrated/dehydrated --hook /opt/dehydrated/lexicon.hook.sh --challenge dns-01 --cron --accept-terms --domain DOMAIN.TLD

Put your API key in the LEXICON_ZONOMI_TOKEN variable and replace DOMAIN.TLD with your domain. If you are using Rimuhosting name servers, also set LEXICON_ZONOMI_ENTRYPOINT=rimuhosting:

export PROVIDER=zonomi; \
export LEXICON_ZONOMI_TOKEN=XXXXXXXXXXXXXXX; \
export LEXICON_ZONOMI_ENTRYPOINT=rimuhosting; \
/opt/dehydrated/dehydrated --hook /opt/dehydrated/lexicon.hook.sh --challenge dns-01 --cron --accept-terms --domain DOMAIN.TLD

Renewal

For renewals simply run the same command from cron, e.g.:

crontab -e
@monthly export PROVIDER=zonomi; export LEXICON_ZONOMI_TOKEN=XXXXXXXXXXXXXXX; /opt/dehydrated/dehydrated --hook /opt/dehydrated/lexicon.hook.sh --challenge dns-01 --cron --accept-terms --domain DOMAIN.TLD

--cron only renews certificates that are inside dehydrated's renewal window (30 days before expiry by default), so a more frequent schedule than monthly, e.g. daily, gives you several attempts before a certificate actually expires. The API key in that crontab line is visible to anyone who can read the crontab; dehydrated sources its config file as a shell script, so the export lines can live there instead, with restrictive permissions.

Also append the proper service reload to the command, e.g. systemctl reload apache2.service; otherwise the renewed certificate sits on disk while the web server keeps serving the old one.

Dehydrated pure bash hook

The following hook can be used without Lexicon, though it is not as feature-complete. It is based on the certbot hooks described below:

wget 'https://proj.ri.mu/dehydrated.zonomi.hook.sh' -O /opt/dehydrated/dehydrated.zonomi.hook.sh
chmod +x /opt/dehydrated/dehydrated.zonomi.hook.sh
export API_KEY="XXXXXXXXXXX"; \
/opt/dehydrated/dehydrated --cron --accept-terms --challenge dns-01 --hook /opt/dehydrated/dehydrated.zonomi.hook.sh --domain DOMAIN.TLD

Put your API key in the API_KEY variable and replace DOMAIN.TLD with your domain. If you are using Rimuhosting name servers, also set DNS_APIURL:

export DNS_APIURL="https://rimuhosting.com/dns/dyndns.jsp"; \
export API_KEY="XXXXXXXXXXX"; \
/opt/dehydrated/dehydrated --cron --accept-terms --challenge dns-01 --hook /opt/dehydrated/dehydrated.zonomi.hook.sh --domain DOMAIN.TLD

Renewal

For renewals, as with the Lexicon hook, run the same command from cron, e.g.:

crontab -e
@monthly export API_KEY="XXXXXXXXXXX"; /opt/dehydrated/dehydrated --cron --accept-terms --challenge dns-01 --hook /opt/dehydrated/dehydrated.zonomi.hook.sh --domain DOMAIN.TLD

The same notes apply: a daily schedule leaves more room for a failed renewal attempt, the key can go in dehydrated's config file instead of the crontab, and the service reload (e.g. systemctl reload apache2.service) must be appended so the renewed certificate is actually picked up.

Certbot manual hooks

If you prefer to use certbot with manual hooks instead, these hooks work but are still a bit green. We are working on getting Zonomi and Rimuhosting name servers supported as a certbot plugin.

mkdir /etc/letsencrypt/manual-hooks
cd /etc/letsencrypt/manual-hooks
wget 'https://proj.ri.mu/certbot-zonomi-authenticator.sh'
wget 'https://proj.ri.mu/certbot-zonomi-cleanup.sh'
chmod +x certbot-zonomi-authenticator.sh certbot-zonomi-cleanup.sh

Edit the API_KEY and DNS_APIURL variables in certbot-zonomi-authenticator.sh with the right configuration, then invoke certbot as follows:

certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /etc/letsencrypt/manual-hooks/certbot-zonomi-authenticator.sh \
--manual-cleanup-hook /etc/letsencrypt/manual-hooks/certbot-zonomi-cleanup.sh --manual-public-ip-logging-ok -d DOMAIN.TLD

Certbot records the hook configuration in the renewal config once a certificate has been issued correctly, so certbot renew (usually scheduled by the distribution package) reuses it, but you still need to arrange for services to reload the new certificate, for example with a --deploy-hook.
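Here is what a complete dns-01 hook looks like when written out, as an added example for this post (it is not the hook published at proj.ri.mu, nor Lexicon's): one script that dehydrated calls with its positional hook arguments, and that certbot calls as both --manual-auth-hook and --manual-cleanup-hook through the CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables. It spells out the three things the short commands above hide: the TXT record name the challenge has to land on, the wait for that record to reach the authoritative name servers before the client is allowed to continue, and the service reload in deploy_cert that an unattended renewal needs. The endpoint URLs are the ones from this post; the query parameters action, name, type, value and api_key, the credentials file path and the use of dig for the propagation check are assumptions.

```shell
#!/usr/bin/env bash
# Combined dns-01 hook for dehydrated (positional hook arguments) and for
# certbot --manual-auth-hook / --manual-cleanup-hook (environment variables).
# Added example; not the hook published at proj.ri.mu. Assumptions:
#   * dyndns.jsp accepts action=SET|DELETE, name, type, value and api_key as
#     query parameters (endpoint URLs from the post, parameter names assumed)
#   * dig (dnsutils / bind-utils) is installed for the propagation check
#   * the credentials file path is a suggestion, not a convention of either client
set -eu

: "${DNS_APIURL:=https://zonomi.com/app/dns/dyndns.jsp}"   # Rimuhosting: https://rimuhosting.com/dns/dyndns.jsp
: "${PROPAGATION_TIMEOUT:=300}"                              # seconds to wait for the TXT record
CREDENTIALS_FILE="${CREDENTIALS_FILE:-/etc/letsencrypt/zonomi.env}"   # assumed path, contains API_KEY=...

# Keep the key out of the script and out of crontab: a root-only (chmod 600)
# file is sourced when the environment does not already provide API_KEY.
load_api_key() {
    [ -n "${API_KEY:-}" ] || . "$CREDENTIALS_FILE"
    : "${API_KEY:?API_KEY is not set and $CREDENTIALS_FILE did not provide it}"
}

# dns-01 puts the token in a TXT record at _acme-challenge.<domain>; a wildcard
# name (*.example.com) is validated at the same owner name as the apex.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# api_txt SET|DELETE NAME VALUE  (curl -G --data-urlencode builds the query safely)
api_txt() {
    load_api_key
    curl -fsS -G "$DNS_APIURL" \
        --data-urlencode "api_key=$API_KEY" \
        --data-urlencode "action=$1" \
        --data-urlencode "type=TXT" \
        --data-urlencode "name=$2" \
        --data-urlencode "value=$3" >/dev/null
}

# Name servers of the closest enclosing zone, found by walking up the labels
# until an NS answer appears (www.example.com has no NS record of its own).
authoritative_ns() {
    name="$1"
    while [ -n "$name" ]; do
        ns=$(dig +short NS "$name" 2>/dev/null || true)
        if [ -n "$ns" ]; then printf '%s\n' "$ns"; return 0; fi
        case "$name" in *.*) name="${name#*.}" ;; *) return 1 ;; esac
    done
    return 1
}

# The CA queries the authoritative servers directly, so poll those (not the
# local resolver, which may hand back a stale cached answer) until every one
# of them returns the token. The hook must not return before that point.
wait_for_txt() {   # wait_for_txt NAME TOKEN
    deadline=$(( $(date +%s) + PROPAGATION_TIMEOUT ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        servers=$(authoritative_ns "$1" || true)
        ok=1
        [ -n "$servers" ] || ok=0
        for ns in $servers; do
            dig +short TXT "$1" "@$ns" 2>/dev/null | grep -qx "\"$2\"" || ok=0
        done
        [ "$ok" -eq 1 ] && return 0
        sleep 10
    done
    echo "timed out waiting for TXT $1 to reach the authoritative servers" >&2
    return 1
}

deploy_challenge() {   # DOMAIN TOKEN_FILENAME TOKEN_VALUE (the filename is only used by http-01)
    name=$(challenge_name "$1")
    api_txt SET "$name" "$3"
    wait_for_txt "$name" "$3"
}
clean_challenge() { api_txt DELETE "$(challenge_name "$1")" "$3"; }
deploy_cert() {        # DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
    # The "proper service reload" from the post belongs here, so that a cron
    # renewal actually serves the new certificate.
    systemctl reload apache2.service
}

# dehydrated: hook name in $1, its arguments after it (one triple per call unless
# HOOK_CHAIN=yes). Every other hook name it invokes (startup_hook, unchanged_cert,
# exit_hook, ...) must succeed silently, hence the empty default branch.
# certbot: no positional arguments; CERTBOT_DOMAIN and CERTBOT_VALIDATION are set
# for both hooks, and the cleanup invocation is told apart by a literal "cleanup"
# argument given on the --manual-cleanup-hook command line.
case "${1:-}" in
    deploy_challenge|clean_challenge|deploy_cert) hook="$1"; shift; "$hook" "$@" ;;
    cleanup) clean_challenge "$CERTBOT_DOMAIN" - "$CERTBOT_VALIDATION" ;;
    "") [ -z "${CERTBOT_DOMAIN:-}" ] || deploy_challenge "$CERTBOT_DOMAIN" - "$CERTBOT_VALIDATION" ;;
    *) : ;;
esac
```

Use it with dehydrated as --hook /path/to/hook.sh, and with certbot as --manual-auth-hook /path/to/hook.sh --manual-cleanup-hook '/path/to/hook.sh cleanup'. The propagation wait is the part that matters in practice: both clients ask the CA to validate as soon as the hook returns, so a hook that returns straight after the API call fails intermittently whenever the record has not yet reached the name servers Let's Encrypt queries.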

This entry was posted in HOWTO, Rimuhosting, Security.