[tech] SSL on various services with LetsEncrypt
Mark Tearle
mtearle at ucc.asn.au
Fri Dec 7 20:48:04 AWST 2018
On Fri, 7 Dec 2018, at 10:50 AM, Felix von Perger wrote:
>
> * Attempted to migrate AD domain controller host certificates on
> samson
> * Using certbot and custom scripts calling samba-tool to manually
> update a TXT record for _acme-challenge.ad.ucc.gu.uwa.edu.au
> * In order to allow acme to issue a wildcard certificate for
> *.ad.ucc.gu.uwa.edu.au, the TXT record must be resolvable
> externally;
> * Done by setting allow-recursion {any;} in
> mooneye:/etc/bind/named.conf.options
> * There doesn't seem to be a way to have more fine-grained access
> control to recursion/forwarding queries to forward zones while
> using bind, so this seems like the only option that would work
> * It also means that anyone can ask mooneye to do DNS lookups for
> any domain. Is this a bad thing?!
> * It may be possible to request certificates using HTTP port 80 as
> the proof of ownership mechanism - however we cannot generate
> wildcard certificates this way.
> * Nothing else listens on port 80 on AD DCs
> * samson.ad.ucc.gu.uwa.edu.au still needs to be externally
> resolvable - which can only be done in our current software
> configuration by allow-recursion {any;}
Can you use the CNAME method for pointing _acme-challenge
elsewhere so you don't have to have recursion turned on?
https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation
http://strugglers.net/~andy/blog/2018/03/19/lets-encrypt-wildcard-certificates-acme-sh-and-automated-dns-verification/
Mark
--
Mark Tearle - mtearle at ucc.asn.au
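As an added illustration (not from either message in the thread), here is what the two settings under discussion look like in BIND and zone-file form: the open recursion Felix describes next to a recursion ACL limited to local clients, and the static CNAME that hands the ACME validation name to a zone whose TXT record can be updated without touching the AD zone. The ACL ranges, the `acme.example.net` target zone and the record values are assumptions.

```conf
// mooneye:/etc/bind/named.conf.options -- the setting from the thread.
// Any Internet host can use mooneye as a resolver (an open resolver,
// usable for amplification and cache-probing by third parties).
options {
    allow-recursion { any; };
};

// Restricted form (assumed ACL): recursion only for UCC's own clients.
acl ucc-clients { 127.0.0.1; ::1; 10.0.0.0/8; };   // placeholder ranges
options {
    allow-recursion { ucc-clients; };
};

;; Zone data for the CNAME method. In the AD zone (served by Samba), a
;; one-off static alias. Let's Encrypt's resolvers follow this CNAME to
;; find the TXT, so this record still has to be reachable from outside.
;; ad.ucc.gu.uwa.edu.au zone (assumed record):
_acme-challenge.ad.ucc.gu.uwa.edu.au.  IN CNAME  ad.acme.example.net.

;; acme.example.net zone on a public authoritative server (assumed zone):
;; the certbot hook writes the token here, e.g. with nsupdate, instead of
;; calling samba-tool against the domain controller.
ad.acme.example.net.  60  IN TXT  "<validation-token-from-certbot>"
```

The CNAME removes the need to publish per-renewal TXT changes from the AD zone, but whether the AD zone's own records are visible to external resolvers is a separate question that the recursion ACL does not answer on its own.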