From 7004ed91465cbb9547015cfad05936a065a4907b Mon Sep 17 00:00:00 2001
From: csmk
Date: Thu, 16 Feb 2017 14:54:52 +0900
Subject: [PATCH 1/4] Add support for Knot DNS API
---
 dnsapi/dns_knot.sh | 95 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 95 insertions(+)
 create mode 100644 dnsapi/dns_knot.sh
diff --git a/dnsapi/dns_knot.sh b/dnsapi/dns_knot.sh
new file mode 100644
index 00000000..b6d1e0b6
--- /dev/null
+++ b/dnsapi/dns_knot.sh
@@ -0,0 +1,95 @@
+#!/usr/bin/env sh
+
+######## Public functions #####################
+
+#Usage: dns_knot_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_knot_add() {
+  fulldomain=$1
+  txtvalue=$2
+  _checkKey || return 1
+  [ -n "${KNOT_SERVER}" ] || KNOT_SERVER="localhost"
+  # save the dns server and key to the account.conf file.
+  _saveaccountconf KNOT_SERVER "${KNOT_SERVER}"
+  _saveaccountconf KNOT_KEY "${KNOT_KEY}"
+
+  if ! _get_root "$fulldomain"; then
+    _err "Domain does not exist."
+    return 1
+  fi
+
+  _info "Adding ${fulldomain}. 60 TXT \"${txtvalue}\""
+
+  knsupdate -y "${KNOT_KEY}" <
Date: Thu, 16 Feb 2017 16:00:42 +0900
Subject: [PATCH 2/4] Add instructions on how to use the Knot DNS API
---
 dnsapi/README.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
diff --git a/dnsapi/README.md b/dnsapi/README.md
index 6a86bf4c..fbbf1728 100644
--- a/dnsapi/README.md
+++ b/dnsapi/README.md
@@ -305,6 +305,52 @@ Note that you cannot use acme.sh automatic DNS validation for FreeDNS public dom
 you create under a FreeDNS public domain. You must own the top level domain in order to automaitcally validate with acme.sh at FreeDNS.
+## 16. Use Knot (knsupdate) DNS API to automatically issue cert
+
+First, generate a TSIG key for updating the zone.
+
+```
+keymgr tsig generate acme_key algorithm hmac-sha512 > /etc/knot/acme.key
+
+```
+
+Include this key in your knot configuration file.
+
+```
+include: /etc/knot/acme.key
+```
+
+Next, configure your zone to allow dynamic updates.
+
+Dynamic updates for the zone are allowed via proper ACL rule with the `update` action. For in-depth instructions, please see [Knot DNS's documentation](https://www.knot-dns.cz/documentation/).
+
+```
+acl:
+  - id: acme_acl
+    address: 192.168.1.0/24
+    key: acme_key
+    action: update
+
+zone:
+  - domain: example.com
+    file: example.com.zone
+    acl: acme_acl
+```
+
+Finally, make the DNS server and TSIG Key available to `acme.sh`
+
+```
+export KNOT_SERVER="dns.example.com"
+export KNOT_KEY=`grep \# /etc/knot/acme.key | cut -d' ' -f2`
+```
+
+Ok, let's issue a cert now:
+```
+acme.sh --issue --dns dns_knot -d example.com -d www.example.com
+```
+
+The `KNOT_SERVER` and `KNOT_KEY` settings will be saved in `~/.acme.sh/account.conf` and will be reused when needed.
+
 # Use custom API
 If your API is not supported yet, you can write your own DNS API.
From 28a2907cfb13578f8be55c2b6ef117478d8d2170 Mon Sep 17 00:00:00 2001
From: csmk
Date: Thu, 16 Feb 2017 16:06:12 +0900
Subject: [PATCH 3/4] Remove unnecessary line
---
 dnsapi/README.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/dnsapi/README.md b/dnsapi/README.md
index fbbf1728..4d855e7d 100644
--- a/dnsapi/README.md
+++ b/dnsapi/README.md
@@ -311,7 +311,6 @@ First, generate a TSIG key for updating the zone.
 ```
 keymgr tsig generate acme_key algorithm hmac-sha512 > /etc/knot/acme.key
-
 ```
 Include this key in your knot configuration file.
From d471d57bd4bf1f746dbd0e293be7e4bf404c9bf0 Mon Sep 17 00:00:00 2001
From: csmk
Date: Thu, 16 Feb 2017 16:32:27 +0900
Subject: [PATCH 4/4] Added support for Knot DNS API
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index f1c74806..17b47621 100644
--- a/README.md
+++ b/README.md
@@ -272,6 +272,7 @@ You don't have to do anything manually!
 1. Alwaysdata.com API
 1. Linode.com API
 1. FreeDNS (https://freedns.afraid.org/)
+1. Knot DNS API
 **More APIs coming soon...**