1 Some providers like to have multiple prefix before it's domain. This is
2 problem for Let's Encrypt certificates because we can have just 100 names
3 in each certificate, so alternative solution is needed.
5 This is guide how to configure Let's Encrypt wildcard certificate and
6 rewrite every host under it.
9 Install DNS plugin for certbot
11 # part of stretch backports or buster
13 dpavlin@mjesec:/srv/via-proxy$ sudo apt install python3-certbot-dns-rfc2136
16 mjesec:/etc/bind# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST p2.vbz.ffzg.hr
17 Kp2.vbz.ffzg.hr.+165+16105
19 mjesec:/etc/bind# tail -5 named.conf.options
21 key "p2.vbz.ffzg.hr" {
22 algorithm hmac-sha512;
23 secret "Wtr3f3kvFRNdGmVVd0JdPlvelbD/ccxin+AqzvEp/mtKJg7SoXjN6Y8n yVkJWpswoyntgJd7YXcsXKZgzKVbpw==";
27 Allow creation of txt records:
29 diff --git a/bind/named.conf.local b/bind/named.conf.local
30 index acc4997..fbc101b 100644
31 --- a/bind/named.conf.local
32 +++ b/bind/named.conf.local
33 @@ -41,6 +41,9 @@ zone "knjiznica.ffzg.hr" {
36 file "/etc/bind/vbz.ffzg.hr.db";
38 + grant p2.vbz.ffzg.hr zonesub txt;
43 Request certificate with dns auth:
45 mjesec:/etc/letsencrypt# cat credentials.ini
46 dns_rfc2136_server = 127.0.0.1
47 dns_rfc2136_name = p2.vbz.ffzg.hr
48 dns_rfc2136_secret = Wtr3f3kvFRNdGmVVd0JdPlvelbD/ccxin+AqzvEp/mtKJg7SoXjN6Y8nyVkJWpswoyntgJd7YXcsXKZgzKVbpw==
49 dns_rfc2136_algorithm = HMAC-SHA512
52 dpavlin@mjesec:/srv/via-proxy$ sudo certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/credentials --server https://acme-v02.api.letsencrypt.org/directory --dns-rfc2136-propagation-seconds 5 -d 'p2.vbz.ffzg.hr' -d '*.p2.vbz.ffzg.hr' -d '*.bmj.com.p2.vbz.ffzg.hr'