Re: Letsencrypt certificates

[Dima Veselov <kab00m%lich.phys.spbu.ru@localhost>]

Greetings,

> I run multiple web servers on several distinct machines in each of four
> different domains, which makes the Letsencrypt proposition very
> attractive.  After trying Certbot without much success, I lit upon
> acme.sh, which offers the possiblity of authentication using
> nsupdate(1).  However the process fails, and the relevant error
> messages says:
> Error add txt for domain:_acme-challenge.prd.co.uk

It is not clear if you already have working DNSSEC key to use with
nsupdate or not. I assume you have one.

Try to use environment variables
export NSUPDATE_SERVER=ns3.prd.co.uk
export NSUPDATE_KEY=key.private

before running acme.sh. Script will take them for updating zone.

To check this you can issue:

# nsupdate -k key.private
> server <server>
>
> update add foo.bar.prd.co.uk 3600 in cname prd.co.uk
>
> update delete foo.bar.prd.co.uk
>

Do not forget additional <enter> after each "update".

> I note that the man page for nsupdate(1) says:
>
> To use a SIG(0) key, the public key must be stored in a KEY record in a zone
> served by the name server.  nsupdate does not read /etc/named.conf.
>
> I am trying to work out whether that means that the keyfile
> contents must be manually added to the zone file, because in
> named.conf I have an include line for update.key which contains the
> path to that key, so it should be there already.

It may not. It is possible to store key in named.conf for named and have 
it in file to use with nsupdate.

> I note that on the acme.sh site there is a long list of *nix-style OSs
> on which success has been reported, but not NetBSD.

I use it on lot of NetBSD servers (7 and 8) for long in production. I 
even told them, but they do not add NetBSD in supported platform.

--
Dima Veselov
Physics R&D Establishment of Saint-Petersburg University