DIY dynamic dns and ssl certificates

Use SFTdyn to host your own dynamic dns server. The github page describes the whole setup process so there's no point in going over it again.

This article will show you how you can create a free letsencrypt certificate for these dynamic domains without running a http server on them. ( in case you want to use them for something like a smtp service or a http server that's not supported by the certbot plugins ).

When setting up SFTdyn you configured bind to accept local updates. We'll use the same key for the certbot dns plugin so it can do dns challenges for creating and renewing certificates.

The certbot dns plugin needs a configuration file ( ~/.secrets/certbot/rfc2136.ini ) that looks like this:

# Target DNS server ( always use an ip address here )
dns_rfc2136_server = 12.34.56.78
# Target DNS port
dns_rfc2136_port = 53
# TSIG key name ( this has to be set to local-ddns ) 
dns_rfc2136_name = local-ddns
# TSIG key secret ( get this from the ddns server's /var/run/bind/session.key  ) 
dns_rfc2136_secret = splfUqpteoHQ43DDzGKvMS6L3oCjzv20WpKfhxhgWo0=
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA256

The secret will probably change when you restart bind, so make sure to update the rfc2136.ini file after you do it. Or you can add the contents of the /var/run/bind/session.key file to the named.conf.local file and then change the key's name to something like "remote-key" and then also change the ~/.secrets/certbot/rfc2136.ini file to reflect the name of the new key so you don't have to bother to copy the key every time you restart bind.

When all this is set up just run :

certbot certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini -d <my-domain-name>

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.