I’m truly in love with LetsEncrypt. They are making it easy for anyone to set up TLS certificates for their systems. If the system is internet facing, the standard LetsEncrypt client works just fine with HTTP validation: the client serves a challenge file on port 80 and Let's Encrypt fetches it. However, I have systems which are not public facing, and I would still like them to have certificates from a publicly trusted CA.

Previously I ran my own root CA and signed the certificates myself. This works, of course, but it requires every user (and every client machine) to install my root certificate.

As these systems are not public facing, I need a different way to validate the certificates. As it turns out, this has already been thought of. ACME's DNS-01 challenge proves control of a name by publishing a TXT record at _acme-challenge.<name> in public DNS, and the “getssl” script can call a hook command of your choosing to add and remove that record. So, assuming you can update your public DNS server, you can obtain certificates for hosts that are never reachable from the internet. One caveat: the hostnames (though not the addresses) end up in the public Certificate Transparency logs, so don't use this for names that are themselves secret.

To do this I created two little scripts: one to add the record, and another to remove it once it has done its job. getssl runs the first one with the domain and the challenge token as arguments before asking Let's Encrypt to validate, and the second one afterwards.

dnsupdate.sh

#!/bin/bash
# getssl DNS_ADD_COMMAND hook, called as: dnsupdate.sh <fulldomain> <token>
set -eu
fulldomain="$1"
token="$2"
DNS_SRV="<DNS Server Address>"
DNS_ZONE="<DNS Zone>"
KEY_FILE="<key/keyfile.key>"    # TSIG key that is allowed to send dynamic updates
RNDC_KEY="<key/rndc.key>"
TTL="60"                        # short TTL so stale challenge records age out quickly

txtname="_acme-challenge.$fulldomain."

# Quote the token so nsupdate stores it as a single TXT string
RECORD="$txtname $TTL IN TXT \"$token\""
nsupdate -v -k "$KEY_FILE" <<EOF
server $DNS_SRV
zone $DNS_ZONE
update add $RECORD
send
EOF

# Optional: flush the dynamic-update journal into the zone file on disk.
# The record is already being served once "send" completes.
rndc -s "$DNS_SRV" -k "$RNDC_KEY" freeze
rndc -s "$DNS_SRV" -k "$RNDC_KEY" thaw

As you can see it is a very simple script. The actual work is done by nsupdate, which sends an RFC 2136 dynamic update signed with the TSIG key to publish the TXT record that Let's Encrypt looks up to validate the domain. The rndc freeze/thaw pair only flushes the update journal into the zone file on disk; the record is served as soon as the update is sent, so those two lines are optional (and if the script dies between them the zone stays frozen and later updates are refused). Two things are worth checking before relying on this: the TSIG key should be restricted by an update-policy to TXT records in the zone, so that a leaked key cannot rewrite your A records, and the record has to be visible on the public DNS server (and on any secondaries) before getssl tells Let's Encrypt to validate, which is why getssl waits for propagation between running the add hook and requesting validation.

dnsdelete.sh

#!/bin/bash
# getssl DNS_DEL_COMMAND hook, called as: dnsdelete.sh <fulldomain> <token>
set -eu
fulldomain="$1"
token="$2"
DNS_SRV="<DNS Server Address>"
DNS_ZONE="<DNS Zone>"
KEY_FILE="<key/keyfile.key>"    # same TSIG key as in dnsupdate.sh
RNDC_KEY="<key/rndc.key>"

txtname="_acme-challenge.$fulldomain."

# No TTL needed here: nsupdate ignores the TTL on a delete. Naming the exact
# token removes only this challenge record and leaves any others in place.
RECORD="$txtname IN TXT \"$token\""
nsupdate -v -k "$KEY_FILE" <<EOF
server $DNS_SRV
zone $DNS_ZONE
update delete $RECORD
send
EOF

# Optional, as in dnsupdate.sh: write the journal back to the zone file
rndc -s "$DNS_SRV" -k "$RNDC_KEY" freeze
rndc -s "$DNS_SRV" -k "$RNDC_KEY" thaw
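The two hooks can also be folded into one script that quotes the token properly, skips the freeze/thaw, and checks that the TXT record is actually visible from a public resolver before the ACME client asks Let's Encrypt to validate. The following is an added example, not code from the original post or from the getssl project; the server name ns1.example.com, the zone example.com, the key path /etc/getssl/acme-tsig.key, the resolver 8.8.8.8 and the hook name acme-dns-hook.sh are all assumptions, and it assumes your ACME client passes the command string through the shell so that a leading add/delete word can be given (getssl's DNS_ADD_COMMAND and DNS_DEL_COMMAND do).

```shell
#!/bin/sh
# Added example (not from the original post, not getssl's own code): a single
# DNS-01 hook that handles both add and delete.
# Called as:  acme-dns-hook.sh add|delete <fulldomain> <token>
# Server, zone, key file and resolver are assumed placeholder values; override
# them through the environment.
set -eu

DNS_SRV="${DNS_SRV:-ns1.example.com}"               # assumed primary name server
DNS_ZONE="${DNS_ZONE:-example.com}"                 # assumed zone
KEY_FILE="${KEY_FILE:-/etc/getssl/acme-tsig.key}"   # assumed TSIG key file
PUBLIC_RESOLVER="${PUBLIC_RESOLVER:-8.8.8.8}"       # assumed resolver for the visibility check
TTL=60

# Render the nsupdate batch for "add" or "delete". The token is wrapped in
# double quotes so nsupdate stores it as exactly one TXT string.
build_update() {
    action="$1"; fulldomain="$2"; token="$3"
    printf 'server %s\nzone %s\nupdate %s _acme-challenge.%s. %s IN TXT "%s"\nsend\n' \
        "$DNS_SRV" "$DNS_ZONE" "$action" "$fulldomain" "$TTL" "$token"
}

# Given the output of `dig +short TXT ...` (one quoted string per line),
# succeed only if one of those lines is exactly the quoted token.
txt_visible() {
    dig_output="$1"; token="$2"
    printf '%s\n' "$dig_output" | grep -qxF "\"$token\""
}

# Poll the public resolver until the record shows up: 0 on success, 1 on timeout.
wait_for_txt() {
    fulldomain="$1"; token="$2"; tries="${3:-20}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if txt_visible "$(dig +short TXT "_acme-challenge.$fulldomain" "@$PUBLIC_RESOLVER")" "$token"; then
            return 0
        fi
        i=$((i + 1))
        sleep 5
    done
    return 1
}

main() {
    [ "$#" -eq 3 ] || { echo "usage: $0 add|delete <fulldomain> <token>" >&2; exit 2; }
    action="$1"; fulldomain="$2"; token="$3"
    case "$action" in
        add)
            build_update add "$fulldomain" "$token" | nsupdate -k "$KEY_FILE"
            # Fail loudly rather than let the client request a validation that will be refused
            wait_for_txt "$fulldomain" "$token" \
                || { echo "TXT record for $fulldomain not visible at $PUBLIC_RESOLVER" >&2; exit 1; }
            ;;
        delete)
            build_update delete "$fulldomain" "$token" | nsupdate -k "$KEY_FILE"
            ;;
        *)
            echo "unknown action: $action" >&2; exit 2
            ;;
    esac
}

# Only run when given arguments, so the functions can be sourced and tested on their own
[ "$#" -eq 0 ] || main "$@"
```

To wire it into getssl, set VALIDATE_VIA_DNS="true", DNS_ADD_COMMAND="/usr/local/bin/acme-dns-hook.sh add" and DNS_DEL_COMMAND="/usr/local/bin/acme-dns-hook.sh delete" in getssl.cfg (the path is an assumption). On the BIND side, give the key an update-policy of the form `grant <keyname> zonesub TXT;` rather than allow-update, so the hook's key can only touch TXT records inside the zone and a leak of the key file cannot be used to redirect your A records.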

Simple. Now I can create as many certificates as I want for machines that will never be reachable from the internet.