Last week was SUSE Hackweek and one of my projects was to get Let's Encrypt configured and working on my NAS.
Let's Encrypt is a certificate authority that issues TLS (SSL) certificates for free, in an automated way.
I wanted to get an SSL certificate for my Synology NAS. Synology now natively supports Let's Encrypt, but only if the NAS accepts incoming HTTP / HTTPS connections from the Internet (which is not always what you want).
Fortunately, the protocol Let's Encrypt uses to validate a hostname (and issue a certificate), the Automatic Certificate Management Environment (ACME), has an alternative validation method, DNS-01, based on DNS.
DNS-01 requires write access to your DNS zone, so you can publish a TXT record (under _acme-challenge.<domain>) derived from the validation token; the Let's Encrypt server looks that record up to check that you control the domain name you are requesting a certificate for.
There are a lot of ACME implementations, but very few support DNS-01 validation with my DNS provider (gandi.net).
I ended up using acme.sh, written entirely in shell script, and tried to plug Gandi DNS support into it.
After some tests, I discovered that Gandi's current DNS service does not allow fast changes to DNS zone data (which is more or less a requirement for DNS-01 validation: the TXT record must be visible when the ACME server checks it, and is normally removed again afterwards). Fortunately, Gandi now provides a new LiveDNS service, available in beta, with a RESTful HTTP API.
I was able to get it working quite rapidly with curl, and once the prototype worked, I cleaned everything up and created a pull request to integrate the support into acme.sh.
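To make the DNS-01 description above concrete, here is an added example (my own code for this post, not acme.sh's Gandi module) that computes, with the standard library only, the TXT record a DNS-01 client has to publish: the RFC 7638 thumbprint of the ACME account key, the key authorization, the record value and the _acme-challenge record name. It also shows the "is the record visible yet?" check that the fast-changing-zone requirement calls for, against a constructed in-memory zone standing in for the provider; a real client would query the zone's authoritative nameservers instead. The account key is the public test key from RFC 7638 §3.1, and the challenge token is a constructed value in the shape the CA sends.

```python
"""DNS-01 pieces of ACME (RFC 8555 section 8.4), standard library only.

Added example for this post, not code from acme.sh or Gandi. It computes the
TXT record a DNS-01 client must publish, and shows the kind of "is the record
visible yet?" check a client should do before asking the CA to validate.
"""
import base64
import hashlib
import json
from typing import Callable, Dict, List


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """token || '.' || thumbprint(account key): ties the challenge to the ACME account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: Dict[str, str]) -> str:
    """Value of the TXT record: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_record_name(identifier: str) -> str:
    """_acme-challenge.<identifier>; a wildcard '*.' prefix is dropped (validated at the base name)."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier.rstrip('.')}"


def txt_value_visible(name: str, expected: str, lookup: Callable[[str], List[str]]) -> bool:
    """Check whether the record already answers with the expected value.

    `lookup` returns the TXT strings published for `name`; in a real client it
    would query the zone's authoritative nameservers. Extra stale values do not
    matter: the CA accepts the record set if one string matches.
    """
    return expected in lookup(name)


# Account key from RFC 7638 section 3.1 (public part only; a well-known test key, not a real account).
RFC7638_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
}
# Constructed challenge token (the real one comes from the CA in the challenge object).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def main() -> None:
    name = challenge_record_name("nas.example.com")
    value = dns01_txt_value(SAMPLE_TOKEN, RFC7638_JWK)
    print(f"{name}. 300 IN TXT \"{value}\"")

    # Constructed in-memory zone standing in for the DNS provider: first the stale
    # state (an old value still served), then the state after the API update landed.
    zone = {name: ["old-value-from-a-previous-run"]}
    print("visible before update:", txt_value_visible(name, value, lambda n: zone.get(n, [])))
    zone[name].append(value)
    print("visible after update: ", txt_value_visible(name, value, lambda n: zone.get(n, [])))


if __name__ == "__main__":
    main()
```

The record name is always _acme-challenge. under the hostname being validated, so a wildcard request for *.example.com is validated at _acme-challenge.example.com. Keep the TTL low (the example prints 300 seconds) and poll until `txt_value_visible` is true against the authoritative servers before telling the CA to validate; a provider that only propagates zone changes slowly, as the old Gandi service did, is exactly where this check fails and the validation times out.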
Now my NAS has its own Let's Encrypt certificate and will renew it automatically (Let's Encrypt certificates are valid for 90 days). Getting and installing a certificate for another server (running openSUSE Leap) only took me 5 minutes.
This was a pretty productive hackweek!
Monday, February 27, 2017
Hackweek project: Let's Encrypt DNS-01 validation for acme.sh with Gandi LiveDNS
Labels: acme, General, hackweek, let's encrypt, SUSE