Re: Letsencrypt certificates
> I am trying to work out whether that means that the keyfile
> contents must be manually added to the zone file, because in
> named.conf I have an include line for update.key which contains the
> path to that key, so it should be there already.

Do you also have your zone configured to allow updates (with allow-update or update-policy)? Make sure you can use nsupdate manually at the command line to update the zone without using acme.sh first.
Re: Letsencrypt certificates
I realize I didn't answer your question. You shouldn't need to do all SIG(0) style with KEY record. Ignore that. Use the "key" in named.conf with allow-update or update-policy.
Re: Letsencrypt certificates
Steve Blinkhorn wrote:
> I run multiple web servers on several distinct machines in each of four
> different domains, which makes the Letsencrypt proposition very
> attractive. After trying Certbot without much success, I lit upon
> acme.sh, which offers the possibility of authentication using
> nsupdate(1).

FWIW, certbot from pkgsrc works for me (py27-certbot-0.27.0 on NetBSD 7.2).
--
Andreas Gustafsson, g...@gson.org
Re: Letsencrypt certificates
Isn't it a strange idea to have packages named first for the language they're written in and only second by a name that suggests their function? Is Python a cult, I begin to wonder, forcing people to read through lists of unwanted names in the hope of finding what they want. Come back, L. Ron Hubbard, all is forgiven.

Thanks, may give it a try if the current approach fails.

--
Steve Blinkhorn

You wrote:
> Steve Blinkhorn wrote:
> > I run multiple web servers on several distinct machines in each of four
> > different domains, which makes the Letsencrypt proposition very
> > attractive. After trying Certbot without much success, I lit upon
> > acme.sh, which offers the possibility of authentication using
> > nsupdate(1).
>
> FWIW, certbot from pkgsrc works for me (py27-certbot-0.27.0 on NetBSD 7.2).
> --
> Andreas Gustafsson, g...@gson.org
Re: Letsencrypt certificates
Steve Blinkhorn wrote in <20191022172649.d5d52b36...@viking.prd.co.uk>:
|Isn't it a strange idea to have packages named first for the language
|they're written in and only second by a name that suggests their
|function? Is Python a cult, I begin to wonder, forcing people to read
|through lists of unwanted names in the hope of finding what they want.
|Come back, L. Ron Hubbard, all is forgiven.
|
|Thanks, may give it a try if current approach fails.

I have used dehydrated from the very start (when it was still named letsencrypt.sh). It has just worked ever since, with two short interruptions, because I use an old version which is <40KB. One patch to update to the new protocol that came in a few years back, and one bugfix related to HTTP/2 usage of curl (which then uses lowercase HTTP headers). It only needs bash, openssl, and curl. If you want the version I use, just send a mail.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Re: Letsencrypt certificates
Greetings,

> I run multiple web servers on several distinct machines in each of four
> different domains, which makes the Letsencrypt proposition very
> attractive. After trying Certbot without much success, I lit upon
> acme.sh, which offers the possibility of authentication using
> nsupdate(1). However the process fails, and the relevant error message
> says:
>
>     Error add txt for domain:_acme-challenge.prd.co.uk

It is not clear if you already have a working DNSSEC key to use with nsupdate or not. I assume you have one. Try to use the environment variables

    export NSUPDATE_SERVER=ns3.prd.co.uk
    export NSUPDATE_KEY=key.private

before running acme.sh. The script will take them for updating the zone. To check this you can issue:

    # nsupdate -k key.private
    > server
    >
    > update add foo.bar.prd.co.uk 3600 in cname prd.co.uk
    >
    > update delete foo.bar.prd.co.uk
    >

Do not forget additional after each "update".

> I note that the man page for nsupdate(1) says:
>
>     To use a SIG(0) key, the public key must be stored in a KEY record
>     in a zone served by the name server. nsupdate does not read
>     /etc/named.conf.
>
> I am trying to work out whether that means that the keyfile contents
> must be manually added to the zone file, because in named.conf I have
> an include line for update.key which contains the path to that key, so
> it should be there already.

It may not. It is possible to store the key in named.conf for named and have it in a file to use with nsupdate.

> I note that on the acme.sh site there is a long list of *nix-style OSs
> on which success has been reported, but not NetBSD.

I have used it on a lot of NetBSD servers (7 and 8) for a long time in production. I even told them, but they do not add NetBSD to the supported platforms.

--
Dima Veselov
Physics R&D Establishment of Saint-Petersburg University
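An added named.conf fragment (not posted by anyone in this thread) tying together the allow-update/update-policy advice given earlier and Dima's nsupdate test above: the same key statement that nsupdate -k reads is included by named, and update-policy limits that key to the one TXT record acme.sh needs rather than the whole zone. The key name update.key, the zone file path and the secret are placeholders.

```conf
// update.key: one file, generated with tsig-keygen, read by both named
// (via include) and by nsupdate -k / acme.sh's NSUPDATE_KEY.
// The secret below is a placeholder, not a real key.
key update.key {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET=";
};

// named.conf: pull in the key, then bind it to the zone.
include "/etc/namedb/update.key";

zone "prd.co.uk" {
    type master;
    file "master/prd.co.uk";          // placeholder zone file path

    // allow-update { key update.key; }; would let the key rewrite any
    // record in the zone. update-policy grants it only the ACME
    // challenge name and only TXT records, which is all dns-01 needs.
    update-policy {
        grant update.key name _acme-challenge.prd.co.uk TXT;
    };
};
```

With this in place, the add/delete sequence Dima shows against foo.bar.prd.co.uk will be refused (the key is not granted that name), while the same commands against _acme-challenge.prd.co.uk with a TXT record will succeed; that is the check to run with nsupdate before pointing acme.sh at the key.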
Re: Letsencrypt certificates
On 10/22, Steve Blinkhorn wrote:
> > On 10/22, Andreas Gustafsson wrote:
> > FWIW, certbot from pkgsrc works for me (py27-certbot-0.27.0 on NetBSD 7.2).
> Isn't it a strange idea to have packages named first for the language
> they're written in and only second by a name that suggests their
> function? Is Python a cult, I begin to wonder, forcing people to read
> through lists of unwanted names in the hope of finding what they want.

That is rather strange. If it were a library, I could understand, but when the software is clearly called Certbot at

    https://certbot.eff.org/

and the distfile is certbot-.tar.gz, it's surprising that the pkgsrc package name is not just certbot.

I don't think it's a Python thing since there are packages for programs in pkgsrc written mostly in Python that have not done that. For example, there's

    devel/mercurial

But wait, what?! It seems that

    devel/mercurial

is a meta package that includes

    devel/py-mercurial

So, maybe it *is* a Python thing! That seems really bizarre.

pkgsrc Masters, what's the story?

Lewis
Re: Letsencrypt certificates
> pkgsrc Masters, what's the story?

Because the package is used by other packages.

    https://www.netbsd.org/docs/pkgsrc/creating.html#creating.python-module

Another reason is that the pkgsrc builder can choose to use a different Python version, so potentially (for some packages) one could have the software installed multiple times for different Pythons. But I do prefer in this case to just have a package called "certbot" available.
Re: Letsencrypt certificates
Problem resolved. The issue turned out to be unwanted quotation marks around the key name in named.conf. The error messages in both acme.sh and nsupdate were less than helpful (even with an enhanced debug level), but Dima's simple but effective example of how to add and delete an RR gave me an easier way forward than other examples I had seen that were more complex and error prone.

I suppose having had a go at Python I might turn my gaze to Perl...

--
Steve Blinkhorn

You wrote:
> On 10/22, Steve Blinkhorn wrote:
> > > On 10/22, Andreas Gustafsson wrote:
> > > FWIW, certbot from pkgsrc works for me (py27-certbot-0.27.0 on NetBSD
> > > 7.2).
> > Isn't it a strange idea to have packages named first for the language
> > they're written in and only second by a name that suggests their
> > function? Is Python a cult, I begin to wonder, forcing people to read
> > through lists of unwanted names in the hope of finding what they want.
>
> That is rather strange. If it were a library, I could understand, but
> when the software is clearly called Certbot at
>
>     https://certbot.eff.org/
>
> and the distfile is certbot-.tar.gz, it's surprising that the
> pkgsrc package name is not just certbot.
>
> I don't think it's a Python thing since there are packages for programs
> in pkgsrc written mostly in Python that have not done that. For
> example, there's
>
>     devel/mercurial
>
> But wait, what?! It seems that
>
>     devel/mercurial
>
> is a meta package that includes
>
>     devel/py-mercurial
>
> So, maybe it *is* a Python thing! That seems really bizarre.
>
> pkgsrc Masters, what's the story?
>
> Lewis