• BIND, nsupdate and acme.sh DNS authentication

    From Brett Delmage@Brett@BrettDelmage.ca to bind-users on Thu Jul 23 15:13:06 2020
    From Newsgroup: comp.protocols.dns.bind

    On Thu, 23 Jul 2020, Michael De Roover wrote:

    > For example I don't trust Manjaro's maintainers, since they screwed up
    > their TLS certificate renewal no less than 3 times. That's complete and
    > utter incompetence on their part.
    >
    > How they didn't already put certbot in a cron job after the first time
    > is beyond me.

    To get this topic back on topic for this list:

    When you are creating Let's Encrypt wildcard certificates you must use a
    DNS authentication protocol with letsencrypt. I am using the acme.sh
    client which was recommended for wildcard
    certificates. https://github.com/acmesh-official/acme.sh

    If you are running your own nameserver you also need to enable dynamic
    updates so that the acme.sh client can create TXT records during
    certificate acquisition and renewal.

    However I have found that getting zone dynamic updates (authentication,
    specifically) working with nsupdate (which acme.sh uses) and BIND has
    been a PITA. I haven't been overly impressed with the debug capabilities
    to help get nsupdate working properly.

    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Michael De Roover@isc@nixmagic.com to bind-users on Fri Jul 24 01:54:42 2020
    From Newsgroup: comp.protocols.dns.bind

    On 7/23/20 9:13 PM, Brett Delmage wrote:
    > To get this topic back on topic for this list:
    >
    > When you are creating Let's Encrypt wildcard certificates you must use
    > a DNS authentication protocol with letsencrypt. I am using the
    > acme.sh client which was recommended for wildcard certificates.
    > https://github.com/acmesh-official/acme.sh
    >
    > If you are running your own nameserver you also need to enable dynamic
    > updates so that the acme.sh client can create TXT records during
    > certificate acquisition and renewal.
    >
    > However I have found that getting zone dynamic updates
    > (authentication, specifically) working with nsupdate (which acme.sh
    > uses) and BIND has been a PITA. I haven't been overly impressed with
    > the debug capabilities to help get nsupdate working properly.

    Interesting, I wasn't aware of this. Looking at Manjaro's site again, I
    found that their main website indeed uses a wildcard certificate while
    the forum (which was affected by the certificate renewal issues if
    memory serves me right) uses its own dedicated cert. Granted these
    renewal issues were already a few years ago so perhaps they changed some
    things here and there by now.

    I had heard of Let's Encrypt's wildcard certs but never looked further
    into it. Would certainly be useful though, as subdomains are an easy way
    to separate services. Unfortunately bacme (which I currently use)
    doesn't seem to support the DNS-based ACME challenges. I've cloned the
    acme.sh repository and will look further into it.

    --
    Met vriendelijke groet / Best regards,
    Michael De Roover
    --- Synchronet 3.18a-Linux NewsLink 1.113
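The BIND dynamic-update setup Brett describes above (a TSIG key that nsupdate, driven by acme.sh, uses to write `_acme-challenge` TXT records), as an added example that is not code from the thread, from acme.sh or from ISC. It assumes the zone example.com, a key named acme-key and an authoritative server at 127.0.0.1; the point is the `update-policy` line, which limits what a leaked key can do to the zone.

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh): scope the TSIG key that
# acme.sh hands to nsupdate so it can only add/delete _acme-challenge TXT records.
# Assumptions: zone example.com, key name acme-key, authoritative server 127.0.0.1.
ZONE="example.com"
KEYNAME="acme-key"
SERVER="127.0.0.1"

# named.conf fragment. update-policy grants this key TXT changes on exactly
# _acme-challenge.<zone>; the weaker allow-update { key acme-key; } would let a
# leaked key rewrite every record in the zone. Generate the secret with:
#   tsig-keygen -a hmac-sha256 acme-key
named_conf_fragment() {
  secret="$1"
  cat <<EOF
key "$KEYNAME" {
    algorithm hmac-sha256;
    secret "$secret";
};
zone "$ZONE" {
    type master;
    file "$ZONE.zone";
    update-policy {
        grant $KEYNAME name _acme-challenge.$ZONE. TXT;
    };
};
EOF
}

# The batch nsupdate sends for one challenge; action is "add" or "delete".
# A 60 s TTL keeps stale challenge tokens from lingering in resolver caches.
nsupdate_batch() {
  action="$1"; token="$2"
  printf 'server %s\nzone %s.\nupdate %s _acme-challenge.%s. 60 IN TXT "%s"\nsend\n' \
    "$SERVER" "$ZONE" "$action" "$ZONE" "$token"
}

# Manual check of the policy: nsupdate's own debug output (-d) shows the signed
# request and the server's response code, and named logs refused updates under
# its "update" and "update-security" logging categories.
#   nsupdate_batch add CONSTRUCTED_TOKEN | nsupdate -d -k acme-key.key
```

Feed `named_conf_fragment "$SECRET"` into your named.conf and point acme.sh's nsupdate hook at the same key file; an update to any other name or record type is then refused by named rather than applied.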