Configuration of BIND
RFC 2136 specifies Dynamic Updates in the Domain Name System. When the RFC 2136 DNS Authenticator plugin is used with Certbot, a DNS challenge is performed: Certbot writes a TXT record under the _acme-challenge label of each requested name, and BIND must grant that update for the challenge to succeed. For example, adding the subdomain new requires one additional grant line in this part of the configuration file:
zone "triaxx.org" {
    update-policy {
        grant "triaxx.org." name "_acme-challenge.triaxx.org." "txt";
        grant "triaxx.org." name "_acme-challenge.foo.triaxx.org." "txt";
        grant "triaxx.org." name "_acme-challenge.bar.triaxx.org." "txt";
        grant "triaxx.org." name "_acme-challenge.new.triaxx.org." "txt";
    };
};
Certbot script
The script, with the subdomain new added to the list:
#!/bin/sh
certbot=/usr/pkg/bin/certbot
# TSIG key and server settings for the dns-rfc2136 plugin
cred=/usr/pkg/etc/letsencrypt/triaxx.ini
email=certbot@triaxx.org
subdomains="foo bar new"
# Build one --domain argument per name; the apex comes first
domain_arg="--domain triaxx.org"
for subdomain in ${subdomains} ; do
    domain_arg="${domain_arg} --domain ${subdomain}.triaxx.org"
done
# --expand lets an existing certificate grow to cover the new name
${certbot} certonly \
    --non-interactive \
    --agree-tos \
    --email ${email} \
    --dns-rfc2136 \
    --dns-rfc2136-credentials ${cred} \
    ${domain_arg} \
    --expand
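The grant list in named.conf and the --domain list in the script must name exactly the same hosts, and the page edits both by hand. The following added example (not part of the original page) derives both from one subdomain list and checks a named.conf fragment for missing grants; the zone, key name and subdomains are the page's values, the function names are mine.

```shell
#!/bin/sh
# Added example: keep BIND update-policy grants and certbot --domain
# arguments in sync from a single list. Function names are hypothetical.
zone="triaxx.org"
keyname="triaxx.org."        # TSIG key identity used in the grant statements
subdomains="foo bar new"

# Emit one grant per name certbot will write to, apex first. Each grant is
# limited to the _acme-challenge label and to TXT records, so the key cannot
# modify the zone's A/AAAA/MX data even if the credentials file leaks.
gen_update_policy() {
    printf 'update-policy {\n'
    printf '    grant "%s" name "_acme-challenge.%s." "txt";\n' "$keyname" "$zone"
    for s in $subdomains; do
        printf '    grant "%s" name "_acme-challenge.%s.%s." "txt";\n' "$keyname" "$s" "$zone"
    done
    printf '};\n'
}

# Build the --domain arguments for the same names, in the same order.
gen_domain_args() {
    args="--domain $zone"
    for s in $subdomains; do
        args="$args --domain $s.$zone"
    done
    printf '%s\n' "$args"
}

# Verify that a named.conf fragment (file given as $1) grants every name
# certbot will validate. Prints the missing names and returns 1 on failure.
check_grants() {
    conf="$1"
    missing=0
    for name in "$zone" $(for s in $subdomains; do printf '%s.%s\n' "$s" "$zone"; done); do
        if ! grep -qF "name \"_acme-challenge.$name.\" \"txt\"" "$conf"; then
            echo "missing grant for _acme-challenge.$name" >&2
            missing=1
        fi
    done
    return $missing
}
```

Run gen_update_policy to produce the block to paste into the zone statement, and check_grants /etc/namedb/named.conf (path assumed) before running the certbot script.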