Ivan Tomica

Wildcard LetsEncrypt SSL/TLS certificate with Bind

Having wildcard SSL certificate can sometimes really help with streamlining vhost creation, where you don’t need to step extra step for issuing new SSL/TLS certificate.

Although I attempt to automate every bit of the infrastructure I manage, and also have certificate issuance automated with my current configuration management system of choice – Ansible, it is still nice to have only one certificate to worry about as it streamlines the whole process of reloading the services after renewal and so on.

If you don’t have the need for Wildcard certificate, then you can use webroot or one of the web-server plugins for certbot to issue an certificate. But should you choose to do the DNS based challenge you might still find this information useful.

There are many DNS services, and for some of them Certbot already has ready-made plugins to perform required challenges, but if you’re using pure Bind, then you need rfc2136 plugin. What it essentially does is that it performs update as described in RFC 2136

Bind preparation

In order for DNS updates from your web server to work you need to properly configure dynamic zone updates. What I opted to use is having separate key called “wildcard-key” generated and set up in Bind configuration. Relevant code blocks below:

key "wildcard-key" {
        algorithm hmac-sha512;
        secret "SECRET_KEY==";

SECRET_KEY in this case is of course your hmac-sha512 key. Once you have the key in place you can allow updates to your DNS zone with that key as shown in the example below. I’ve opted to limit its scope to _acme-challenge subdomain as Certbot shouldn’t require anything else.

zone "tomica.net" {
        type master;
        file "/etc/bind/zones/tomica.me.db";
        allow-transfer {
	update-policy {
		grant wildcard-key name _acme-challenge.tomica.me. txt;

Do note that this will now allow dynamic updates of your DNS zone, so should you want to manually change zone file make sure to freeze the zone before editing it like so:

rndc freeze tomica.me

After making the change you need to unfreeze the zone again with:

rndc thaw tomica.me

This will prompt zone reload in Bind. It goes without saying that you need to have rndc properly configured in order to be able to issue those particular commands :-)

Certbot setup

Now that we have everything prepared on the DNS server end we can configure Certbot. Below are the required settings for the rfc2136 plugin. I’m usually saving those to some folder that only root user has access to. Like for example /root/.rfc2136.ini and I make sure octal permissions are 0600 or something like that.

dns_rfc2136_server = DNS1_IP #(Master DNS)
dns_rfc2136_port = 53
dns_rfc2136_name = wildcard-key
dns_rfc2136_secret = SECRET_KEY==
dns_rfc2136_algorithm = HMAC-SHA512

With that in place as well, I am now able to issue the certificate for the domain. Command goes somewhat like this:

certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /root/.rfc2136.ini --preferred-challenges=dns --email=MY@EMAIL.ADDR --agree-tos -d *.tomica.me -d tomica.me

It is good idea to start command with --dry-run switch first to see if it all goes as planned :-)

Sysadmin on the everlasting journey of learning. Always in search for an opportunity to prove myself and to learn something new. My addiction is learning and my main goal is to excel in every aspect of Linux/Unix system administration.


Leave a Reply

Your email address will not be published. Required fields are marked *