DNS/Domain Validation for LetsEncrypt/ACME client?

JohnEDee


Joined: 30 Jan 2019
Posts: 31

Posted: Wed Mar 13, 2019 12:28 am    Post subject: DNS/Domain Validation for LetsEncrypt/ACME client?

I'm trying my first LetsEncrypt implementation and got everything configured, but the Abyss ACME client seems to be going straight to the option of provisioning an HTTP resource, rather than giving the choice of a DNS record. I guess that's likely because Abyss assumes it's serving the web pages, so might as well just use only the HTTP option, but in my case I'm just using Abyss to do redirecting to the actual page, and I'd rather do the DNS method (in this case I have control of the DNS but a separate consultant is the web developer).

Is there any way currently to tell Abyss to use DNS rather than HTTP provisioning?

If not, I'd like to request that be added at some point (and I can transfer this request to the Suggestions forum).

Thanks!
admin
Site Admin


Joined: 03 Mar 2002
Posts: 1295

Posted: Thu Mar 21, 2019 4:26 pm    Post subject: Re: DNS/Domain Validation for LetsEncrypt/ACME client?

JohnEDee wrote:
Is there any way currently to tell Abyss to use DNS rather than HTTP provisioning?


This is possible and even required when requesting certificates for wildcard host names (*.example.com).

To do so, open the console, select "Configure" associated with the host you'd like to change the way certificates are issued for. Select "General" and then press "Edit" in front of "Advanced Parameters".

Now press "Edit" in front of "SSL/TLS parameters" and set the challenge type to DNS-01 in "ACME parameters". More about that section in the console is available in https://aprelium.com/data/doc/2/abyssws-win-doc-html/hosts-configuration.html#HOSTS-GENERAL-ADVANCED-SECURELAYER.

When using DNS-01, you'll have to check the ACME-Bot status in the console and perform the required challenge (it will be displayed in clear text). Once the challenge is performed, you should go back to the ACME-Bot status and press a button there to ask the certification authority to proceed. It's an interactive process, contrary to the HTTP validation, which is fully automatic.
Forum Administrator
Aprelium - https://aprelium.com
JohnEDee


Joined: 30 Jan 2019
Posts: 31

Posted: Thu Jan 21, 2021 1:26 am

I'm trying to get my sites to do LetsEncrypt DNS provisioning using a LE wildcard cert, but following these instructions, it's still requesting a specific hostname (i.e. "host.domain.com" rather than "*.domain.com"), even when the ACME account is just "domain.com".

How do I force a site to use a wildcard LE cert rather than asking for one for its own hostname?
JohnEDee


Joined: 30 Jan 2019
Posts: 31

Posted: Fri Jan 29, 2021 1:21 am

FYI for anyone running across this thread that wants to (kinda) automate LetsEncrypt wildcard certs with a DNS-01 challenge, I got with Tech Support and apparently Abyss currently can't do this, but it might be considered for a future version.

My temporary solution until Abyss is able to do it internally was to just use a LetsEncrypt client that can do DNS API stuff (in my case, I used the extremely easy-to-use CertifyTheWeb client running on a Windows box) to generate a PKCS#12 (.pfx) wildcard cert and configure a post-generate task to convert it to standard PEM-type .crt and .key files. I shared out the directory where CertifyTheWeb does this and mounted that SMB network volume on my macOS Abyss server, then imported the .crt/.key files into Abyss just like I would any commercial cert.

I will have to update that cert every few months, but I've reached out to Tech Support to see if I can automate that with a shell script to automate the whole hack. :-)

Unfortunately there's nothing like CertifyTheWeb yet on macOS, but if you want to keep it all on a Mac, you could virtualize Windows on the Abyss macOS server with VirtualBox/Parallels/VMWare, or maybe Wine (no Windows license required) and do it all in one place.

If you run Abyss on Windows, you can just install CertifyTheWeb on that same box and pull the cert right off where it gets stored in C:\ProgramData\certify\.
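The PKCS#12-to-PEM step of the workaround above, as an added shell example that is neither the poster's script nor part of Abyss or CertifyTheWeb: it extracts the .crt and .key from the client's .pfx, keeps the key owner-readable only, and verifies that the extracted key actually belongs to the certificate before anything is copied to the Abyss host. The function name, file names and password handling are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, Abyss or CertifyTheWeb): turn the PKCS#12
# (.pfx) bundle written by a DNS-01-capable ACME client into the PEM .crt/.key
# pair that Abyss imports like any commercial certificate. Names are assumptions.
set -eu

# Keep only the PEM blocks; openssl pkcs12 also prints "Bag Attributes" lines
# that some importers choke on.
pem_only() {
    sed -n '/^-----BEGIN/,/^-----END/p'
}

# pfx_to_pem <bundle.pfx> <pfx-password> <out.crt> <out.key>
pfx_to_pem() {
    pfx=$1; pass=$2; crt=$3; key=$4

    # Leaf certificate plus any CA certificates carried in the bundle.
    # The password is passed via the environment, not argv, so it does not
    # show up in the process list.
    PFX_PASS=$pass openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys \
        | pem_only > "$crt"
    [ -s "$crt" ] || { echo "no certificate extracted from $pfx" >&2; return 1; }

    # Private key, unencrypted (-nodes) because Abyss loads the key file directly.
    # umask 077 makes the redirect create the file as mode 600 from the start.
    umask 077
    PFX_PASS=$pass openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes \
        | pem_only > "$key"
    [ -s "$key" ] || { echo "no private key extracted from $pfx" >&2; return 1; }

    # Sanity check: the certificate's public key must equal the key's public
    # part. A mismatch means a stale or wrong .pfx is about to be installed.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 1; }

    # Informational: when the newly extracted certificate expires.
    openssl x509 -in "$crt" -noout -enddate
}

# Usage: pfx_to_pem.sh bundle.pfx 'password' site.crt site.key
if [ "$#" -eq 4 ]; then
    pfx_to_pem "$1" "$2" "$3" "$4"
fi
```

Run it as the post-generate task (or from the cron/launchd job the poster mentions) so the .crt/.key pair is refreshed every time the client renews the wildcard certificate.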
JohnEDee


Joined: 30 Jan 2019
Posts: 31

Posted: Sat Mar 04, 2023 8:36 am

It has been a couple of years, so just wanted to check in to see if this feature request might get any love in the near future. :-) I'm still using my workaround to replace the wildcard cert every three months, but it requires some downtime and mass-editing the abyss.conf is always a hold-my-breath experience, so I wondered if we might get the domain-based auth soon.
JohnEDee


Joined: 30 Jan 2019
Posts: 31

Posted: Sat Mar 04, 2023 8:42 am

Forgot that I had posted this in the Suggestions/Ideas section, where there is more information; noting that here for anyone looking for more info on this.