--- /dev/null
+Some providers like to have multiple prefix before it's domain. This is
+problem for Let's Encrypt certificates because we can have just 100 names
+in each certificate, so alternative solution is needed.
+
+This is guide how to configure Let's Encrypt wildcard certificate and
+rewrite every host under it.
+
+
+Install DNS plugin for certbot
+
+# part of stretch backports or buster
+
+dpavlin@mjesec:/srv/via-proxy$ sudo apt install python3-certbot-dns-rfc2136
+
+
+mjesec:/etc/bind# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST p2.vbz.ffzg.hr
+Kp2.vbz.ffzg.hr.+165+16105
+
+mjesec:/etc/bind# tail -5 named.conf.options
+
+key "p2.vbz.ffzg.hr" {
+ algorithm hmac-sha512;
+ secret "Wtr3f3kvFRNdGmVVd0JdPlvelbD/ccxin+AqzvEp/mtKJg7SoXjN6Y8n yVkJWpswoyntgJd7YXcsXKZgzKVbpw==";
+}
+
+
+Allow creation of txt records:
+
+diff --git a/bind/named.conf.local b/bind/named.conf.local
+index acc4997..fbc101b 100644
+--- a/bind/named.conf.local
++++ b/bind/named.conf.local
+@@ -41,6 +41,9 @@ zone "knjiznica.ffzg.hr" {
+ zone "vbz.ffzg.hr" {
+ type master;
+ file "/etc/bind/vbz.ffzg.hr.db";
++ update-policy {
++ grant p2.vbz.ffzg.hr zonesub txt;
++ };
+ };
+
+
+Request certificate with dns auth:
+
+mjesec:/etc/letsencrypt# cat credentials.ini
+dns_rfc2136_server = 127.0.0.1
+dns_rfc2136_name = p2.vbz.ffzg.hr
+dns_rfc2136_secret = Wtr3f3kvFRNdGmVVd0JdPlvelbD/ccxin+AqzvEp/mtKJg7SoXjN6Y8nyVkJWpswoyntgJd7YXcsXKZgzKVbpw==
+dns_rfc2136_algorithm = HMAC-SHA512
+
+
+dpavlin@mjesec:/srv/via-proxy$ sudo certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/credentials --server https://acme-v02.api.letsencrypt.org/directory --dns-rfc2136-propagation-seconds 5 -d 'p2.vbz.ffzg.hr' -d '*.p2.vbz.ffzg.hr' -d '*.bmj.com.p2.vbz.ffzg.hr'
+
+
projects / via-proxy / blobdiff