Greetings,
I run multiple web servers on several distinct machines in each of four different domains, which makes the Letsencrypt proposition very attractive. After trying Certbot without much success, I lit upon acme.sh, which offers the possibility of authentication using nsupdate(1). However the process fails, and the relevant error message says:

    Error add txt for domain:_acme-challenge.prd.co.uk
It is not clear if you already have a working DNSSEC key to use with nsupdate or not. I assume you have one. Try to use the environment variables

    export NSUPDATE_SERVER=ns3.prd.co.uk
    export NSUPDATE_KEY=key.private

before running acme.sh. The script will take them for updating the zone. To check this you can issue:

    # nsupdate -k key.private
    > server <server>
    >
    > update add foo.bar.prd.co.uk 3600 in cname prd.co.uk
    >
    > update delete foo.bar.prd.co.uk
    >

Do not forget an additional <enter> after each "update".
I note that the man page for nsupdate(1) says:

    To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server. nsupdate does not read /etc/named.conf.

I am trying to work out whether that means that the keyfile contents must be manually added to the zone file, because in named.conf I have an include line for update.key which contains the path to that key, so it should be there already.
It may not. It is possible to store the key in named.conf for named and have it in a file to use with nsupdate.
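The two points made in the replies above (the same key file serving both named and nsupdate, and the NSUPDATE_SERVER/NSUPDATE_KEY driven update that acme.sh's hook performs) as one added shell example. This is not code from the thread, from acme.sh or from BIND; it is illustration written for this page. It assumes the zone prd.co.uk and server ns3.prd.co.uk from the thread, and the function names, key name "acme-update" and challenge token are made up. The key file is the shared-secret file that `nsupdate -k` reads; the `send` line in the batch does the same job as the empty line typed in the interactive session quoted above.

```shell
#!/bin/sh
# Added example, not from the thread, acme.sh or BIND. Zone, server, key name,
# function names and the token value are assumptions made for illustration.

# Print a BIND "key" statement. Written to one file, the same text can be
# pulled into named.conf with `include "/path/to/file";` and passed to
# `nsupdate -k /path/to/file`, so the secret lives in exactly one place.
# Usage: tsig_key_clause <name> <algorithm> <base64-secret>
tsig_key_clause() {
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "$2" "$3"
}

# Print the update-policy line that lets that key touch only the ACME TXT
# record (goes inside the zone statement in named.conf), instead of
# allow-update, which would let the key rewrite the whole zone.
# Usage: acme_update_policy <keyname> <fqdn>
acme_update_policy() {
    printf 'update-policy { grant %s name %s. TXT; };\n' "$1" "$2"
}

# Refuse a key file that is missing or readable by other users: whoever can
# read the secret can change every record the key is allowed to update.
check_key_file() {
    key=$1
    [ -f "$key" ] || { echo "key file $key not found" >&2; return 1; }
    # columns 8-10 of `ls -l` output are the "other" permission bits
    other=$(ls -ld "$key" | cut -c8-10)
    [ "$other" = "---" ] || { echo "$key is readable by others; chmod 600 it" >&2; return 1; }
}

# Print the nsupdate batch that adds or removes one TXT record.
# Usage: acme_txt_batch add|delete <server> <fqdn> [<value>]
acme_txt_batch() {
    action=$1; server=$2; fqdn=$3; value=$4
    case "$action" in
        add)
            # ACME tokens are base64url, so no quote characters need escaping
            printf 'server %s\nupdate add %s. 60 in txt "%s"\nsend\n' "$server" "$fqdn" "$value" ;;
        delete)
            printf 'server %s\nupdate delete %s. in txt\nsend\n' "$server" "$fqdn" ;;
        *)
            echo "usage: acme_txt_batch add|delete server fqdn [value]" >&2
            return 2 ;;
    esac
}

# Run the batch through nsupdate with the configured key, then query the same
# server for the record so that a refused update is visible, not silent.
acme_txt_apply() {
    action=$1; fqdn=$2; value=$3
    [ -n "$NSUPDATE_SERVER" ] || { echo "NSUPDATE_SERVER is not set" >&2; return 1; }
    [ -n "$NSUPDATE_KEY" ] || { echo "NSUPDATE_KEY is not set" >&2; return 1; }
    check_key_file "$NSUPDATE_KEY" || return 1
    acme_txt_batch "$action" "$NSUPDATE_SERVER" "$fqdn" "$value" \
        | nsupdate -k "$NSUPDATE_KEY" || { echo "nsupdate failed" >&2; return 1; }
    dig +short "@$NSUPDATE_SERVER" "$fqdn" TXT
}

# Stand-alone run: with "apply <token>" and nsupdate installed, push the
# challenge record; otherwise only show the config text and the batch.
if [ "${1:-}" = "apply" ] && command -v nsupdate >/dev/null 2>&1; then
    acme_txt_apply add "_acme-challenge.prd.co.uk" "${2:-}"
else
    tsig_key_clause "acme-update" "hmac-sha256" "REPLACE_WITH_BASE64_SECRET"  # constructed placeholder
    acme_update_policy "acme-update" "_acme-challenge.prd.co.uk"
    acme_txt_batch add "${NSUPDATE_SERVER:-ns3.prd.co.uk}" "_acme-challenge.prd.co.uk" "constructed-token"
fi
```

Run it with no arguments to see the key clause, the update-policy line and the batch it would feed to nsupdate; run it as `sh script.sh apply <token>` with NSUPDATE_SERVER and NSUPDATE_KEY exported to perform the update and read the record back. If nsupdate returns a failure here, acme.sh's "Error add txt" message is the same failure, and the batch printed by `acme_txt_batch` can be pasted into an interactive `nsupdate -k` session to see the server's refusal reason.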
I note that on the acme.sh site there is a long list of *nix-style OSs on which success has been reported, but not NetBSD.
I use it on a lot of NetBSD servers (7 and 8) and have for a long time in production. I even told them, but they do not add NetBSD to the supported platforms.
-- Dima Veselov Physics R&D Establishment of Saint-Petersburg University