Let's Encrypt
Challenges
DNS-01 challenge
Requires one to prove one has control over the DNS for one's domain name.
This also allows one to issue wildcard certificates for the domain name in question.
Proof is achieved by creating a TXT record with a specific value under that domain name. The procedure is as follows:
- The ACME client requests a token from Let's Encrypt.
- The client, or anything else capable, creates the TXT record in the DNS at
_acme-challenge.{{ domain name }}.
The value of the record needs to be derived from the token and one's account key.
- The client asks Let's Encrypt to query the DNS for the TXT record.
- If Let's Encrypt finds a match, one can proceed to issue a certificate.
In practice, the DNS-01 challenge type is only worth using if one's DNS provider allows the TXT record to be created and removed through automation.
Let's Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation.
As such, one can use CNAME or NS records to delegate answering the challenge to other DNS zones, meaning this can be
used to delegate the _acme-challenge subdomain to a validation-specific server or zone.
One can have multiple TXT records in place for the same name.
However, make sure to clean up old TXT records: Let's Encrypt will start rejecting the request if the response size from
the DNS gets too big.