On Sun, 2019-06-30 at 12:38 +0300, Lefteris Tsintjelis via bind-users wrote:
> Again, no it is not required but only if you do it manually. The idea
> here is to automate everything and, unless I am missing something,
> there is no other way to do this. There has to be a dynamic zone for
> the ACME records.
I wrote some Python code to fully automate Let's Encrypt certificates using

    certbot certonly --manual -d %s -m %s --agree-tos --no-eff-email --manual-public-ip-logging-ok --preferred-challenges dns

in combination with human-readable ASCII text BIND master files. It is not really clean enough to release, and is tied fairly strongly to my environment. But the automation problem is not difficult:

    proc = subprocess.Popen(c, shell=True, bufsize=4096, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)

followed by reading the output of certbot and doing the appropriate operations on the master files with some "rndc reload %s" commands. In my case, the domains are all secured with DNSSEC, so there are some dnssec-signzone commands in there as well. About 350 lines of Python code, but that also includes code to generate the SSL certificates by signing a traditional CSR with a private CA key.
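An added example (not the poster's code) of the master-file side of the automation described above: pull the TXT record out of certbot's --manual DNS prompt, replace any stale _acme-challenge record in a plain-text zone file, bump the SOA serial and reload that one zone with rndc. The zone file, prompt text and token are constructed, and the function names are mine.

```python
"""Put certbot's --manual DNS TXT challenge into a BIND master file and bump the SOA serial. Constructed example."""
import re
import subprocess

# Constructed master file; the serial is in the common YYYYMMDDnn form.
ZONE = """$ORIGIN example.net.
$TTL 3600
@   IN SOA ns1.example.net. hostmaster.example.net. (
        2019063001 ; serial
        7200 3600 1209600 3600 )
@   IN NS  ns1.example.net.
"""
# Constructed excerpt of the prompt certbot prints in --manual DNS mode.
CERTBOT_PROMPT = """Please deploy a DNS TXT record under the name
_acme-challenge.example.net with the following value:

gfj9Xq-constructed-token-Rg85nEl5mvS8pJk
"""
PROMPT_RE = re.compile(r"under the name\s+(?P<name>\S+)\s+with the following"
                       r" value:\s+(?P<token>\S+)")
SERIAL_RE = re.compile(r"^([ \t]*)(\d+)([ \t]*;[ \t]*serial)", re.M)
ACME_RE = re.compile(r'^_acme-challenge\S*[ \t]+\d+[ \t]+IN[ \t]+TXT[ \t]+"[^"]*"\n', re.M)

def parse_certbot_prompt(text):
    """Return (record name, token) from certbot's manual DNS prompt."""
    m = PROMPT_RE.search(text)
    if not m:
        raise ValueError("no DNS challenge found in certbot output")
    return m.group("name"), m.group("token")

def bump_serial(zone):
    """Increment the SOA serial so named and any secondaries see a change."""
    new, n = SERIAL_RE.subn(
        lambda m: m.group(1) + str(int(m.group(2)) + 1) + m.group(3), zone, count=1)
    if n != 1:
        raise ValueError("SOA serial not found")
    return new

def set_acme_txt(zone, name, token, origin):
    """Drop any stale challenge record, append the new one, bump the serial."""
    zone = ACME_RE.sub("", zone)
    rel = name[:-len(origin) - 1] if name.endswith("." + origin) else name
    zone += '%s 300 IN TXT "%s"\n' % (rel, token)  # short TTL: record is temporary
    return bump_serial(zone)

def reload_zone(zone_name, path, zone):
    """Write the updated master file, then tell named to reload only that zone."""
    with open(path, "w") as fh:
        fh.write(zone)
    subprocess.run(["rndc", "reload", zone_name], check=True)
```

For a DNSSEC-signed zone, as in the post, the dnssec-signzone step sits between writing the file and the rndc reload.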