Differences

This shows you the differences between two versions of the page.

docpublic:systemes:acme_auto [2021/11/04 20:49]
adminjp [references]
docpublic:systemes:acme_auto [2021/12/27 21:17] (current)
adminjp [clé DDNS API gandi]
Line 1: Line 1:
-===== ACME ====+===== ACME DNS-01 ==== 
 + 
 +Demonstration de l'usage de l'API LiveDNS de Gandi pour generer automatiquement une validation de requete de certificat au travers d'un defis (challenge) ACME de type DNS-01 .  
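Review bot: the intro sentence has missing accents and number agreement (`Démonstration`, `générer`, `requête`, `un défi (challenge) ACME de type DNS-01`) and a stray space before the final period; since this line is the page's one-sentence summary it is worth getting right.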
 +==== acme.sh ==== 
 + 
 +installation 
 + 
 +  * https://github.com/acmesh-official/acme.sh/wiki/How-to-install 
 + 
 +<code> 
 +[root@vps ~]# mkdir acme 
 +[root@vps ~]# cd acme 
 +[root@vps acme]# wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz 
 +[root@vps acme]# tar zxvf master.tar.gz 
 +acme.sh-master/ 
 +acme.sh-master/.github/ 
 +[root@vps acme]# cd acme.sh-master/ 
 +[root@vps acme.sh-master]# ./acme.sh --install --nocron 
 +[jeu. nov.  4 21:37:30 CET 2021] It is recommended to install socat first. 
 +[jeu. nov.  4 21:37:30 CET 2021] We use socat for standalone server if you use standalone mode. 
 +[jeu. nov.  4 21:37:30 CET 2021] If you don't use standalone mode, just ignore this warning. 
 +[jeu. nov.  4 21:37:30 CET 2021] Installing to /root/.acme.sh 
 +[jeu. nov.  4 21:37:30 CET 2021] Installed to /root/.acme.sh/acme.sh 
 +[jeu. nov.  4 21:37:30 CET 2021] Installing alias to '/root/.bashrc' 
 +[jeu. nov.  4 21:37:30 CET 2021] OK, Close and reopen your terminal to start using acme.sh 
 +[jeu. nov.  4 21:37:30 CET 2021] Installing alias to '/root/.cshrc' 
 +[jeu. nov.  4 21:37:30 CET 2021] Installing alias to '/root/.tcshrc' 
 +[jeu. nov.  4 21:37:30 CET 2021] Good, bash is found, so change the shebang to use bash as preferred. 
 +[jeu. nov.  4 21:37:31 CET 2021] OK 
 +</code> 
 + 
 +À ce stade, le client est installé dans /root/.acme.sh/ et nulle part ailleurs. 
 + 
 + 
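Review bot: `./acme.sh --install --nocron` deliberately skips the renewal cron job, and nothing later on the page adds it, so certificates issued with this setup will not renew on their own; either document a follow-up `acme.sh --install-cronjob` (or a scheduled `acme.sh --cron`) or state explicitly that renewal is handled elsewhere. The closing sentence, that the client lives only in /root/.acme.sh, is a good place to say this, because it also means the renewal job has to run as root.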
 +==== clé DDNS API gandi ==== 
 + 
 +  * https://doc.livedns.gandi.net/ 
 +  * https://api.gandi.net/docs/ 
 +  * https://api.gandi.net/docs/livedns/ 
 + 
 +Générer une clé API sur https://account.gandi.net/fr/ dans l'onglet Sécurité 
 + 
 +[root@vps ~]# export GANDI_LIVEDNS_KEY="SECRETSECRETKEY" 
 + 
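Review bot: `export GANDI_LIVEDNS_KEY="SECRETSECRETKEY"` is the variable the acme.sh `dns_gandi_livedns` hook reads, but the script block in the "parametres API Gandi" section introduces a separate `APIKEY` variable for the same secret; use one name (or add `APIKEY="$GANDI_LIVEDNS_KEY"`) so the key is not pasted twice. Typing the key at the `[root@vps ~]#` prompt also leaves it in the shell history; sourcing it from a root-only-readable file would keep it out of both the history and this page, and the section should say that acme.sh stores the key under the /root/.acme.sh directory shown in the install output so that unattended renewals can reuse it.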
 +==== passage en LiveDNS Gandi ==== 
 + 
 +si le domaine est ancien, il est probablemnt sur les anciens serveur de noms gandi (non dynamiques) : 
 +  - a.dns.gandi.net 
 +  - b.dns.gandi.net 
 +  - c.dns.gandi.net 
 + 
 +passage en dynamique :  
 + 
 +{{:docpublic:systemes:gandi-passage-domaine-livedns2021-11-04_23-39-00.png|}} 
 + 
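Review bot: typos in `si le domaine est ancien, il est probablemnt sur les anciens serveur de noms gandi` (`probablement`, `serveurs de noms`), and the switch to LiveDNS is explained only by a screenshot; one sentence saying that the domain must be delegated to the LiveDNS nameservers before records created through the API are served would help readers whose domain still points at a.dns.gandi.net, b.dns.gandi.net and c.dns.gandi.net.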
 +==== register email ==== 
 + 
 +<code> 
 +[root@vps ~]#  ~/.acme.sh/acme.sh --register-account -m admin@domain.fr 
 +[jeu. nov.  4 22:45:12 CET 2021] No EAB credentials found for ZeroSSL, let's get one 
 +[jeu. nov.  4 22:45:13 CET 2021] Registering account: https://acme.zerossl.com/v2/DV90 
 +[jeu. nov.  4 22:45:14 CET 2021] Registered 
 +[jeu. nov.  4 22:45:14 CET 2021] ACCOUNT_THUMBPRINT='secret-SECRET-SE-K__CRET' 
 +</code> 
 + 
 + 
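Review bot: the registration output shows the CA actually used is ZeroSSL (`Registering account: https://acme.zerossl.com/v2/DV90`), while every reference at the bottom of the page is about Let's Encrypt; say explicitly that acme.sh defaults to ZeroSSL and mention `--server letsencrypt` for readers who expect the Let's Encrypt CA. The redacted `ACCOUNT_THUMBPRINT` line can stay, but a note that the account key itself lives in /root/.acme.sh would be more useful than the thumbprint.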
 +==== packages curl et jq ==== 
 + 
 +pour lancer les requetes web en cli et parser du json nous avons besoin de ces 2 packages 
 + 
 +<code> 
 +[root@vps ~]# yum install curl jq 
 +</code> 
 + 
 +==== parametres API Gandi ==== 
 + 
 +On postionne les vrariables shell necessaires à l'appel de l'API LiveDNS de Gandi  
 + 
 +<code> 
 +#recuperer notre adresse IP depuis les servers Akamai 
 +MY_IP=$(curl -s http://whatismyip.akamai.com/  
 + 
 +# Gandi livedn API KEY 
 +APIKEY="................." 
 + 
 +# Domain static hebergé chez Gandi  
 +DOMAIN="mondomain.fr" 
 + 
 +# Dynamic Subdomain 
 +SUBDOMAIN="acme" 
 + 
 +#Get the current Zone for the provided domain 
 +CURRENT_ZONE_HREF=$(curl -s -H "X-Api-Key: $APIKEY" https://dns.api.gandi.net/api/v5/domains/$DOMAIN | jq -r '.zone_records_href'
 + 
 +# Update the A reccord of the Dynamic Subdomain by PUTing on the current zone 
 +curl -D- -X PUT -H "Content-Type: application/json"
 +        -H "X-Api-Key: $APIKEY"
 +        -d "{\"rrset_name\": \"$SUBDOMAIN\", 
 +             \"rrset_type\": \"A\", 
 +             \"rrset_ttl\": 1200, 
 +             \"rrset_values\": [\"$MY_IP\"]}"
 +        $CURRENT_ZONE_HREF/$SUBDOMAIN/
 +</code> 
 + 
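Review bot: as written this block does not run: `MY_IP=$(curl -s http://whatismyip.akamai.com/` and `CURRENT_ZONE_HREF=$(curl -s -H "X-Api-Key: $APIKEY" ... | jq -r '.zone_records_href'` both lack the closing `)`, and the multi-line `curl -D- -X PUT -H "Content-Type: application/json"` needs a trailing `\` on the lines carrying `-H`, `-d` and the URL (the lines inside the quoted `-d` payload are fine). Beyond syntax, the block updates the A record of the `acme` subdomain, which is dynamic-DNS work and not part of the DNS-01 flow: in the execution example below the `dns_gandi_livedns` hook creates and removes the `_acme-challenge` TXT record by itself, so label this block as a standalone LiveDNS API illustration (it matches the nextnet.top DDNS reference) rather than a prerequisite. Minor: the IP lookup is over plain `http://`, and `APIKEY` duplicates `GANDI_LIVEDNS_KEY` from the earlier section.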
 +==== exemple d'excution ==== 
 + 
 +exemple complet d'execution 
 + 
 +<code> 
 +[root@vps ~]#  ~/.acme.sh/acme.sh --dns dns_gandi_livedns --issue --keylength 2048 -d wp.mondomain.fr 
 +[lun. nov.  8 22:05:41 CET 2021] Using CA: https://acme.zerossl.com/v2/DV90 
 +[lun. nov.  8 22:05:41 CET 2021] Single domain='wp.mondomain.fr' 
 +[lun. nov.  8 22:05:41 CET 2021] Getting domain auth token for each domain 
 +[lun. nov.  8 22:05:44 CET 2021] Getting webroot for domain='wp.mondomain.fr' 
 +[lun. nov.  8 22:05:44 CET 2021] Adding txt value: 2ulRNvSECRET-bd0ySECRETurebtXp4EQHjQ2I_Oc for domain:  _acme-challenge.wp.mondomain.fr 
 +[lun. nov.  8 22:05:47 CET 2021] Adding record success 
 +[lun. nov.  8 22:05:47 CET 2021] The txt record is added: Success. 
 +[lun. nov.  8 22:05:47 CET 2021] Let's check each DNS record now. Sleep 20 seconds first. 
 +[lun. nov.  8 22:06:08 CET 2021] You can use '--dnssleep' to disable public dns checks. 
 +[lun. nov.  8 22:06:08 CET 2021] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck 
 +[lun. nov.  8 22:06:08 CET 2021] Checking wp.mondomain.fr for _acme-challenge.wp.mondomain.fr 
 +[lun. nov.  8 22:06:08 CET 2021] Domain wp.mondomain.fr '_acme-challenge.wp.mondomain.fr' success. 
 +[lun. nov.  8 22:06:08 CET 2021] All success, let's return 
 +[lun. nov.  8 22:06:08 CET 2021] Verifying: wp.mondomain.fr 
 +[lun. nov.  8 22:06:09 CET 2021] Processing, The CA is processing your order, please just wait. (1/30) 
 +[lun. nov.  8 22:06:12 CET 2021] Success 
 +[lun. nov.  8 22:06:12 CET 2021] Removing DNS records. 
 +[lun. nov.  8 22:06:12 CET 2021] Removing txt: 2ulRNvSECRET-bd0ySECRETurebtXp4EQHjQ2I_Oc for domain: _acme-challenge.wp.domain.fr 
 +[lun. nov.  8 22:06:13 CET 2021] Removing record success 
 +[lun. nov.  8 22:06:13 CET 2021] Removed: Success 
 +[lun. nov.  8 22:06:13 CET 2021] Verify finished, start to sign. 
 +[lun. nov.  8 22:06:13 CET 2021] Lets finalize the order. 
 +[lun. nov.  8 22:06:13 CET 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/LIcDLSECRETk1k-GreSECsw/finalize' 
 +[lun. nov.  8 22:06:14 CET 2021] Order status is processing, lets sleep and retry. 
 +[lun. nov.  8 22:06:14 CET 2021] Retry after: 15 
 +[lun. nov.  8 22:06:30 CET 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/LIcDLSECRETk1k-GreSECsw 
 +[lun. nov.  8 22:06:31 CET 2021] Downloading cert. 
 +[lun. nov.  8 22:06:31 CET 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/IHUd8SECRET-SECRETuyQ' 
 +[lun. nov.  8 22:06:32 CET 2021] Cert success. 
 +-----BEGIN CERTIFICATE----- 
 +MIIGbjCCBFagAwIBAgIQXCJ7bhctS2//O7AEKEyxjSECRETTTTTTTTTTTTTTTTTT 
 +MQswCQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NT 
 +TCBSU0EgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTIxMTEwODAwMDAwMFoXDTIy 
 +MDIwNjIzNTk1OVowGzEZMBcGA1UEAxMQZHdwLmFkYXZvY2F0cy5mcjCCASIwDQYJ 
 +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFs/ZO6adqnKMoiU+6PHL1DTRLqAS1I 
 +2hBbZelSxne8KsvRa5PJEzDWU4FqBwm0Taw5qjqc038Zjx3RY7u6hPsbNiEhEHI8 
 +.... 
 +ZXekr3ynlDwTnwUU3YH5+puEorNDxX8X+wl9l3rAMS3AsVpwm4YgFVLgcWTwoq7Q 
 +mxpL5qTsrSmrn7iaAqFr+3v0GBFLley2j6FHaQnPuvMoVmPK0hliJGGkAer2HZab 
 +cYkq9EZdfAswZX5UYTLNBHcYX0eqYM1ZDFpIF69piusa1rS0BPWaTTo+rIvkiefO 
 +DYRjQRD0hnFd34oTW7J/wo4BZK0Mz+tBq7eDOxR0KM3oUaLg/C+QSECRETTTTTTT 
 +xETgUMXEPkdtUPmM4AJvQYXk 
 +-----END CERTIFICATE----- 
 +[lun. nov.  8 22:06:32 CET 2021] Your cert is in: /root/.acme.sh/wp.mondomain.fr/wp.mondomain.fr.cer 
 +[lun. nov.  8 22:06:32 CET 2021] Your cert key is in: /root/.acme.sh/wp.mondomain.fr/wp.mondomain.fr.key 
 +[lun. nov.  8 22:06:32 CET 2021] The intermediate CA cert is in: /root/.acme.sh/wp.mondomain.fr/ca.cer 
 +[lun. nov.  8 22:06:32 CET 2021] And the full chain certs is there: /root/.acme.sh/wp.mondomain.fr/fullchain.cer 
 +</code> 
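Review bot: the redaction in this log is inconsistent, the TXT record is added for `_acme-challenge.wp.mondomain.fr` but removed for `_acme-challenge.wp.domain.fr` (`Removing txt: ... for domain: _acme-challenge.wp.domain.fr`), which will confuse anyone comparing the two lines; and the pasted certificate body adds nothing a reader can use, the four `Your cert is in:` / `fullchain.cer` paths are what matter, so cut it to its BEGIN/END lines. The example also stops at `And the full chain certs is there: /root/.acme.sh/wp.mondomain.fr/fullchain.cer`; since the private key sits in /root/.acme.sh, the page should show the deployment step (`acme.sh --install-cert -d wp.mondomain.fr --key-file ... --fullchain-file ... --reloadcmd ...`) rather than leave readers to point their web server at the .acme.sh directory. Finally, `--keylength 2048` selects an RSA key; worth saying this is a choice (acme.sh also accepts `ec-256`) and not required by the DNS-01 challenge.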
  
 ==== references ==== ==== references ====
  
   * https://blog.tetsumaki.net/articles/2017/06/generation-des-certificats-lets-encrypt-par-challenge-dns-avec-le-client-acmesh.html   * https://blog.tetsumaki.net/articles/2017/06/generation-des-certificats-lets-encrypt-par-challenge-dns-avec-le-client-acmesh.html
 +  * https://nextnet.top/content/using-gandi-livedns-dynamic-dns-server
   * https://www.howtoforge.com/getting-started-with-acmesh-lets-encrypt-client/   * https://www.howtoforge.com/getting-started-with-acmesh-lets-encrypt-client/
   * https://www.palabritudes.net/2018/03/11/certbot-challenge-dns-gandi-ovh.html   * https://www.palabritudes.net/2018/03/11/certbot-challenge-dns-gandi-ovh.html
 +  * https://www.heelpbook.net/2021/getting-lets-encrypt-certificate-using-dns-01-challenge-with-acme-dns-certbot-joohoi-or-acme-sh/
   * https://smallstep.com/blog/the-embarrassing-state-of-enterprise-acme/   * https://smallstep.com/blog/the-embarrassing-state-of-enterprise-acme/
  
docpublic/systemes/acme_auto.1636058948.txt.gz · Last modified: 2021/11/04 20:49 by adminjp
CC Attribution-Noncommercial-Share Alike 4.0 International