Re: [dnsdist] dnsdist and Let's Encrypt (ACME)

2019-09-16 Thread Stephane Bortzmeyer
On Sun, Sep 15, 2019 at 07:14:10PM +0200,
 ab...@t-ipnet.net  wrote 
 a message of 12 lines which said:

> There is no need to restart dnsdist.
> 
> /usr/sbin/dnsdist -e 'reloadAllCertificates()'

If you have configured the console. Otherwise:

The currently configured console key is not valid, please configure a valid key 
using the setKey() directive

___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist


Re: [dnsdist] dnsdist and Let's Encrypt (ACME)

2019-09-15 Thread Ask Bjørn Hansen


> On Sep 15, 2019, at 1:40 AM, Stephane Bortzmeyer  wrote:
> 
> DNS challenges? I don't really want to switch my zones to a dynamic
> setup.


For places where adding or changing http was cumbersome or impossible, I setup 
a single dynamic zone just for the acme process.

From the “real” zone you can CNAME the challenge name into the dynamic zone, so 
you don’t have to switch your “real” data to be managed dynamically.


Ask
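The indirection Ask describes, written out as an added illustration (not records from the thread or from any of the posters' zones). The host name doh.bortzmeyer.fr comes from the thread; the dynamic zone name acme.example.net and the TXT value are placeholders.

```zone
; Static "real" zone (bortzmeyer.fr): one record per host, written once and
; never changed again. The ACME server looks up _acme-challenge.<host> and
; follows the CNAME to wherever it points.
_acme-challenge.doh.bortzmeyer.fr.      IN CNAME  doh.bortzmeyer.fr.acme.example.net.

; Small zone that accepts dynamic updates (acme.example.net): the ACME
; client writes the dns-01 token here before validation and removes it
; afterwards. Only this zone needs an update key.
doh.bortzmeyer.fr.acme.example.net.     IN TXT    "placeholder-dns-01-key-authorization-digest"
```

The point of the split is least privilege: the TSIG key (or API credential) the ACME client holds can only write into acme.example.net, so a compromised client cannot rewrite the real zone's A, MX or DNSSEC data. After the CNAME is published, `dig +short TXT _acme-challenge.doh.bortzmeyer.fr` should return the CNAME target and, during a validation, the TXT record behind it.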


Re: [dnsdist] dnsdist and Let's Encrypt (ACME)

2019-09-15 Thread abang


>certbot renew --standalone --deploy-hook
>/usr/local/sbin/restart-dnsdist

There is no need to restart dnsdist.

/usr/sbin/dnsdist -e 'reloadAllCertificates()'

is sufficient

Winfried



Re: [dnsdist] dnsdist and Let's Encrypt (ACME)

2019-09-15 Thread Stephane Bortzmeyer
On Sun, Sep 15, 2019 at 12:20:46PM +0200,
 Andrew Nimmo  wrote 
 a message of 72 lines which said:

> The acme.sh script has a standalone mode, if you have port 80 open:

Thanks, I forgot about that (and, indeed, port 80 was available).

So I did:

certbot certonly --standalone --domain doh.bortzmeyer.fr

to have the initial certificate.

Then, I configured dnsdist to use
/etc/letsencrypt/live/doh.bortzmeyer.fr/fullchain.pem and then I set
up this for the future renewals:

certbot renew --standalone --deploy-hook /usr/local/sbin/restart-dnsdist

Thanks again.
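The renewal procedure above (certonly, point dnsdist at fullchain.pem, then renew with a deploy hook) combined with Winfried's reload instead of a restart, as an added example that is not a script from the thread or from PowerDNS. It assumes the hook is installed as /usr/local/sbin/reload-dnsdist (hypothetical name), and that dnsdist.conf enables the console with controlSocket() and setKey(), because `dnsdist -e` reads that file to find the socket and the key; without setKey() it fails with the "console key is not valid" message Stephane quotes.

```sh
#!/bin/sh
# reload-dnsdist: certbot --deploy-hook that asks the running dnsdist to
# reload its TLS certificates instead of restarting it.
#
# Assumed dnsdist.conf lines (not from the thread):
#   controlSocket("127.0.0.1:5199")
#   setKey("...")        -- paste the line printed by makeKey()
#
# Install with:
#   certbot renew --standalone --deploy-hook /usr/local/sbin/reload-dnsdist
set -eu

# certbot exports RENEWED_LINEAGE (the live/<name> directory of the
# certificate that was just renewed) to deploy hooks.
LINEAGE="${RENEWED_LINEAGE:-}"

# Succeed only when both files dnsdist was pointed at exist and are
# non-empty, so we never reload over a half-written lineage.
lineage_ok() {
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# Succeed only when the private key is not world-readable. live/ entries are
# symlinks into archive/, so -L is needed to look at the target's mode;
# character 8 of the `ls -l` mode string is the "others may read" bit.
key_not_world_readable() {
    [ "$(ls -lLd "$1" | cut -c8)" = "-" ]
}

# Ask the running daemon to re-read every certificate/key pair given to
# addTLSLocal()/addDOHLocal(); listeners, rules and backends are untouched.
reload_dnsdist() {
    dnsdist -e 'reloadAllCertificates()'
}

main() {
    lineage_ok "$LINEAGE" || {
        echo "reload-dnsdist: $LINEAGE is incomplete, not reloading" >&2
        exit 1
    }
    key_not_world_readable "$LINEAGE/privkey.pem" || {
        echo "reload-dnsdist: refusing to deploy a world-readable key" >&2
        exit 1
    }
    reload_dnsdist
    echo "reload-dnsdist: certificates reloaded from $LINEAGE"
}

# Only act when certbot invoked us as a hook; otherwise the functions above
# can be sourced and called by hand.
if [ -n "$LINEAGE" ]; then
    main
fi
```

Because the reload happens inside the already running process, the files must be readable by the user dnsdist runs as: a key owned by root with mode 0640 and dnsdist's group passes the check above, while 0644 does not. A restart, by contrast, also loses in-flight connections and the state dnsdist has built up, which is why the reload is preferable.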


Re: [dnsdist] dnsdist and Let's Encrypt (ACME)

2019-09-15 Thread Andrew Nimmo

> On 15 Sep 2019, at 10:40, Stephane Bortzmeyer  wrote:
> 
> [I believe I've checked the available documentation, and found
> nothing. Sorry, if I missed it.]
> 
> My dnsdist setup (DoT and DoH) uses a CAcert certificate and it works
> fine. Now, I would like to move to Let's Encrypt but I do not see how
> to make it work from dnsdist.
> 
> HTTP challenges? I don't think there is an ACME client in dnsdist.
> 
> DNS challenges? I don't really want to switch my zones to a dynamic
> setup.
> 
> Is there an obvious solution I've missed?

The acme.sh script has a standalone mode, if you have port 80 open:

https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert#2-standalone-mode


Regards,

Andrew


Dr Andrew Nimmo

andrew.ni...@gmail.com
