mirror of
https://github.com/win-acme/win-acme.git
synced 2026-04-27 03:55:56 +03:00
DNS validation plugins
Wouter Tinus edited this page 2019-05-30 13:12:47 +02:00
Add a specified TXT record to the hosts' DNS.
Built-in plugins
acme-dns
- Use an acme-dns server to handle the validation records. The plugin will ask you to choose an endpoint to use. For testing, the https://auth.acme-dns.io/ endpoint is useful, but it is a security concern. As the readme of that project clearly states: "You are encouraged to run your own acme-dns instance."
- Unattended: not supported.
Manual
- The client will show the record that is supposed to be created on screen, and it will have to be created manually by whatever means necessary. Obviously not good for unattended operation, but it might be a stopgap.
- Unattended: not supported.
Script
- Run script to create and update records
- A script to create the DNS record must be provided with --dnscreatescript
  - The arguments passed to the script will be create {Identifier} {RecordName} {Token} by default, with
    - create - fixed value
    - {Identifier} - host name that's being validated
    - {RecordName} - full name of the TXT record that is being expected
    - {Token} - content of the TXT record
  - The order and format of arguments may be customized with the --dnscreatescriptarguments argument or from the interface
- Optionally, another script may be provided to delete the record after validation
  - This may be the same file on disk, in which case it can be provided as --dnsscript rather than repeating yourself with --dnscreatescript and --dnsdeletescript
  - The arguments passed to the script will be delete {Identifier} {RecordName} {Token} by default
  - The order and format of arguments may be customized with the --dnsdeletescriptarguments argument or from the interface
- Examples
  - --validationmode dns-01 --validation dnsscript --dnsscript C:\dnshandler.bat
  - --validationmode dns-01 --validation dnsscript --dnscreatescript C:\dnscreate.bat
  - --validationmode dns-01 --validation dnsscript --dnscreatescript C:\dnscreate.bat --dnsdeletescript C:\dnsdelete.bat
A lot of good example scripts are available from the POSH-ACME project. The page about installation scripts contains instructions on how to run PowerShell scripts from a .bat file.
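A single handler for the default create/delete argument layout described above, added here as an example; it is not code from win-acme or POSH-ACME. It assumes the zone is hosted on a Windows DNS server with the DnsServer PowerShell module installed, and the file name and the $ZoneName value are hypothetical. The arguments are checked before any record is touched, so the script can only manage _acme-challenge TXT records inside its one zone.

```powershell
# dnshandler.ps1 (hypothetical name). Default argument layouts handled:
#   create {Identifier} {RecordName} {Token}
#   delete {Identifier} {RecordName} {Token}
param(
    [Parameter(Mandatory, Position = 0)][ValidateSet('create', 'delete')][string]$Action,
    [Parameter(Mandatory, Position = 1)][string]$Identifier,
    [Parameter(Mandatory, Position = 2)][string]$RecordName,
    [Parameter(Mandatory, Position = 3)][string]$Token
)
$ErrorActionPreference = 'Stop'   # any failure below aborts the script

# Assumption: the only zone this handler may modify (placeholder value).
$ZoneName = 'example.com'

# Normalise the record name, then require an _acme-challenge label
# followed by well-formed host labels that end inside the permitted zone.
$fqdn   = $RecordName.TrimEnd('.').ToLowerInvariant()
$suffix = ".$ZoneName"
$labels = '^_acme-challenge(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
if ($fqdn -notmatch $labels -or -not $fqdn.EndsWith($suffix)) {
    throw "Refusing record name outside _acme-challenge.*$suffix : $RecordName"
}

# A dns-01 TXT value is the base64url SHA-256 digest: exactly 43 characters.
if ($Token -notmatch '^[A-Za-z0-9_-]{43}$') {
    throw 'Refusing TXT content that is not a 43-character base64url value'
}

# The DnsServer cmdlets expect the record name relative to the zone.
$relative = $fqdn.Substring(0, $fqdn.Length - $suffix.Length)

switch ($Action) {
    'create' {
        Add-DnsServerResourceRecord -ZoneName $ZoneName -Name $relative -Txt `
            -DescriptiveText $Token -TimeToLive ([TimeSpan]::FromSeconds(60))
    }
    'delete' {
        # -RecordData limits the removal to this exact challenge value.
        Remove-DnsServerResourceRecord -ZoneName $ZoneName -Name $relative `
            -RRType Txt -RecordData $Token -Force
    }
}
Write-Output "$Action $fqdn (validation of $Identifier)"
```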
Separately downloadable plugins
The following plugins are offered as separate downloads, which have to be unpacked into the main program folder to be able to use them. Note that after unpacking you will have to unblock them for the .NET CLR to trust them. You can do that from the Windows File Explorer by using the right mouse button and then checking the Unblock box on the General tab.
Azure
- Create the record in Azure.
- Documented separately here.
- Unattended
  - --validation azure --validationmode dns-01 --azuretenantid x --azureclientid x --azuresecret *** --azuresubscriptionid x --azureresourcegroupname x
Route53
- Create the record in Amazon Route53
- Requires permissions route53:GetChange, route53:ListHostedZones and route53:ChangeResourceRecordSets
- Can authenticate in two ways:
  - User credential
    - Unattended
      - --validation route53 --validationmode dns-01 --route53accesskeyid x --route53secretaccesskey ***
  - IAM role
    - Unattended
      - --validation route53 --validationmode dns-01 --route53iamrole x
Dreamhost
- Update record for Dreamhost
- Unattended
  - --validation dreamhost --validationmode dns-01 --apikey x
Please refer to https://pkisharp.github.io/win-acme/ for up-to-date documentation.
