
Let's Encrypt verifies domain name validity through DNS TXT records

Published: 2021-01-19
letsencrypt dns txt renew HTTPS ssl certbot domain

When we use letsencrypt to obtain the free HTTPS certificate, letsencrypt needs to verify that we control the domain name. By default it verifies like this:

  1. The certbot program places a file in the root directory of the web directory.
  2. The letsencrypt server fetches this file through the domain name to verify that the domain name you applied for belongs to you.

But sometimes we want to set up HTTPS for a host on the intranet. Because the letsencrypt server cannot reach a host on the intranet, certbot --nginx certonly fails with a Connection refused error.

To solve this, we can switch the verification method and verify the domain name through a DNS record instead.

Use certbot to obtain the certificate

Run the sudo certbot --manual --preferred-challenges dns certonly command, enter the domain name and agree to have your IP logged to start obtaining the certificate. certbot then shows the following prompt and pauses, waiting for us to add the DNS record:

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

IMdfdsfsJDqBRyRaaEgPPQlEuvtxJQAgWZTIVbLuzDi8U

Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to Continue

Automatic renewal

Now that DNS record verification succeeds, how do we renew automatically? After all, a letsencrypt certificate is only valid for 3 months, and renewing it by hand every time is tiring.

Here is my own script for updating the TXT record. It only works with freedns; {dns_cookie}, {domain_id} and {data_id} are placeholders that you need to replace with your own values.


# Renew via the DNS challenge; certbot runs the hook (it must be executable: chmod +x /root/renewdns.sh) with the token in CERTBOT_VALIDATION.
certbot renew --force-renewal --manual-auth-hook /root/renewdns.sh

#!/bin/bash
# /root/renewdns.sh: publish the ACME token as the _acme-challenge TXT record on freedns. Replace {dns_cookie}, {domain_id} and {data_id} with your own values.
echo "CERTBOT_VALIDATION = ${CERTBOT_VALIDATION}"
# freedns wants the TXT value quoted, hence the %22 around the token; the URL is quoted so the shell does not glob the '?'.
curl -b "dns_cookie={dns_cookie}" -d "type=TXT" -d "subdomain=_acme-challenge" -d "domain_id={domain_id}" -d "data_id={data_id}" -d "address=%22${CERTBOT_VALIDATION}%22" "https://freedns.afraid.org/subdomain/save.php?step=2"
# Give the record time to propagate before Let's Encrypt queries it.
sleep 600
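A more robust version of the auth hook, added here as an example and not the post's own script: instead of sleeping a fixed 600 seconds it checks the token's format and then polls DNS until the _acme-challenge TXT record is actually visible, so renewal fails loudly rather than racing the propagation delay. dig, the 1.1.1.1 resolver and the publish_record placeholder are assumptions; publish_record is where the post's freedns curl call would go.

```shell
#!/bin/bash
# Added example, not the original post's script: a certbot --manual-auth-hook that
# publishes the token and then polls DNS until the _acme-challenge TXT record is
# visible, instead of sleeping a fixed 600 seconds. Assumes dig is installed and that
# publish_record() is replaced with your provider's API call (freedns in the post).
set -u

# Accept only the base64url characters an ACME key authorization digest can contain,
# so nothing unexpected from the environment reaches the provider request or the shell.
valid_token() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# Succeed when one TXT value in dig's +short output equals the token exactly.
# dig prints TXT data wrapped in double quotes, so strip those before comparing.
txt_matches() {
    printf '%s\n' "$1" | sed -e 's/^"//' -e 's/"$//' | grep -qxF -- "$2"
}

# Poll a public resolver until the record matches or the attempt budget is spent.
# Arguments: name token [tries] [seconds-between-tries]
wait_for_txt() {
    name="$1"; token="$2"; tries="${3:-30}"; interval="${4:-20}"; i=1
    while [ "$i" -le "$tries" ]; do
        if txt_matches "$(dig +short @1.1.1.1 TXT "$name" 2>/dev/null)" "$token"; then
            return 0
        fi
        i=$((i + 1))
        if [ "$i" -le "$tries" ]; then sleep "$interval"; fi
    done
    return 1
}

# Provider-specific part (placeholder): push the TXT record through your DNS API.
publish_record() {
    echo "publish TXT $1 = $2 via your DNS provider's API" >&2
}

# Hook body: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION when it runs the hook.
if [ -n "${CERTBOT_VALIDATION:-}" ] && [ -n "${CERTBOT_DOMAIN:-}" ]; then
    valid_token "$CERTBOT_VALIDATION" || { echo "unexpected token format" >&2; exit 1; }
    name="_acme-challenge.${CERTBOT_DOMAIN}"
    publish_record "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION" || { echo "TXT record for $name never became visible" >&2; exit 1; }
fi
```

With the default arguments the hook waits at most 30 tries of 20 seconds, i.e. the same 10 minutes as the original sleep, but continues as soon as the record is seen.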