Differences

This shows you the differences between two versions of the page.

--- docpublic:systemes:acme_auto [2021/11/04 21:35]
adminjp [ACME]
+++ docpublic:systemes:acme_auto [2021/12/27 21:17] (current)
adminjp [clé DDNS API gandi]
@@ Line 1: / Line 1: @@
-===== ACME ====
+===== ACME DNS-01 ====
+Demonstration de l'usage de l'API LiveDNS de Gandi pour generer automatiquement une validation de requete de certificat au travers d'un defis (challenge) ACME de type DNS-01 .
 ==== acme.sh ====
+installation
+  * https://github.com/acmesh-official/acme.sh/wiki/How-to-install
 <code>
@@ Line 27: / Line 31: @@
 À ce stade, le client est installé dans /root/.acme.sh/ et nulle part ailleurs.
+==== clé DDNS API gandi ====
+  * https://doc.livedns.gandi.net/
+  * https://api.gandi.net/docs/
+  * https://api.gandi.net/docs/livedns/
+Générer une clé API sur https://account.gandi.net/fr/ dans l'onglet Sécurité
+[root@vps ~]# export GANDI_LIVEDNS_KEY="SECRETSECRETKEY"
+==== passage en LiveDNS Gandi ====
+si le domaine est ancien, il est probablemnt sur les anciens serveur de noms gandi (non dynamiques) :
+  - a.dns.gandi.net
+  - b.dns.gandi.net
+  - c.dns.gandi.net
+passage en dynamique :
+{{:docpublic:systemes:gandi-passage-domaine-livedns2021-11-04_23-39-00.png|}}
+==== register email ====
+<code>
+[root@vps ~]#  ~/.acme.sh/acme.sh --register-account -m admin@domain.fr
+[jeu. nov.  4 22:45:12 CET 2021] No EAB credentials found for ZeroSSL, let's get one
+[jeu. nov.  4 22:45:13 CET 2021] Registering account: https://acme.zerossl.com/v2/DV90
+[jeu. nov.  4 22:45:14 CET 2021] Registered
+[jeu. nov.  4 22:45:14 CET 2021] ACCOUNT_THUMBPRINT='secret-SECRET-SE-K__CRET'
+</code>
+==== packages curl et jq ====
+pour lancer les requetes web en cli et parser du json nous avons besoin de ces 2 packages
+<code>
+[root@vps ~]# yum install curl jq
+</code>
+==== parametres API Gandi ====
+On postionne les vrariables shell necessaires à l'appel de l'API LiveDNS de Gandi
+<code>
+#recuperer notre adresse IP depuis les servers Akamai
+MY_IP=$(curl -s http://whatismyip.akamai.com/)
+# Gandi livedn API KEY
+APIKEY="................."
+# Domain static hebergé chez Gandi
+DOMAIN="mondomain.fr"
+# Dynamic Subdomain
+SUBDOMAIN="acme"
+#Get the current Zone for the provided domain
+CURRENT_ZONE_HREF=$(curl -s -H "X-Api-Key: $APIKEY" https://dns.api.gandi.net/api/v5/domains/$DOMAIN | jq -r '.zone_records_href')
+# Update the A reccord of the Dynamic Subdomain by PUTing on the current zone
+curl -D- -X PUT -H "Content-Type: application/json" \
+        -H "X-Api-Key: $APIKEY" \
+        -d "{\"rrset_name\": \"$SUBDOMAIN\",
+             \"rrset_type\": \"A\",
+             \"rrset_ttl\": 1200,
+             \"rrset_values\": [\"$MY_IP\"]}" \
+        $CURRENT_ZONE_HREF/$SUBDOMAIN/A
+</code>
+==== exemple d'excution ====
+exemple complet d'execution
+<code>
+[root@vps ~]#  ~/.acme.sh/acme.sh --dns dns_gandi_livedns --issue --keylength 2048 -d wp.mondomain.fr
+[lun. nov.  8 22:05:41 CET 2021] Using CA: https://acme.zerossl.com/v2/DV90
+[lun. nov.  8 22:05:41 CET 2021] Single domain='wp.mondomain.fr'
+[lun. nov.  8 22:05:41 CET 2021] Getting domain auth token for each domain
+[lun. nov.  8 22:05:44 CET 2021] Getting webroot for domain='wp.mondomain.fr'
+[lun. nov.  8 22:05:44 CET 2021] Adding txt value: 2ulRNvSECRET-bd0ySECRETurebtXp4EQHjQ2I_Oc for domain:  _acme-challenge.wp.mondomain.fr
+[lun. nov.  8 22:05:47 CET 2021] Adding record success
+[lun. nov.  8 22:05:47 CET 2021] The txt record is added: Success.
+[lun. nov.  8 22:05:47 CET 2021] Let's check each DNS record now. Sleep 20 seconds first.
+[lun. nov.  8 22:06:08 CET 2021] You can use '--dnssleep' to disable public dns checks.
+[lun. nov.  8 22:06:08 CET 2021] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
+[lun. nov.  8 22:06:08 CET 2021] Checking wp.mondomain.fr for _acme-challenge.wp.mondomain.fr
+[lun. nov.  8 22:06:08 CET 2021] Domain wp.mondomain.fr '_acme-challenge.wp.mondomain.fr' success.
+[lun. nov.  8 22:06:08 CET 2021] All success, let's return
+[lun. nov.  8 22:06:08 CET 2021] Verifying: wp.mondomain.fr
+[lun. nov.  8 22:06:09 CET 2021] Processing, The CA is processing your order, please just wait. (1/30)
+[lun. nov.  8 22:06:12 CET 2021] Success
+[lun. nov.  8 22:06:12 CET 2021] Removing DNS records.
+[lun. nov.  8 22:06:12 CET 2021] Removing txt: 2ulRNvSECRET-bd0ySECRETurebtXp4EQHjQ2I_Oc for domain: _acme-challenge.wp.domain.fr
+[lun. nov.  8 22:06:13 CET 2021] Removing record success
+[lun. nov.  8 22:06:13 CET 2021] Removed: Success
+[lun. nov.  8 22:06:13 CET 2021] Verify finished, start to sign.
+[lun. nov.  8 22:06:13 CET 2021] Lets finalize the order.
+[lun. nov.  8 22:06:13 CET 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/LIcDLSECRETk1k-GreSECsw/finalize'
+[lun. nov.  8 22:06:14 CET 2021] Order status is processing, lets sleep and retry.
+[lun. nov.  8 22:06:14 CET 2021] Retry after: 15
+[lun. nov.  8 22:06:30 CET 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/LIcDLSECRETk1k-GreSECsw
+[lun. nov.  8 22:06:31 CET 2021] Downloading cert.
+[lun. nov.  8 22:06:31 CET 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/IHUd8SECRET-SECRETuyQ'
+[lun. nov.  8 22:06:32 CET 2021] Cert success.
+-----BEGIN CERTIFICATE-----
+MIIGbjCCBFagAwIBAgIQXCJ7bhctS2//O7AEKEyxjSECRETTTTTTTTTTTTTTTTTT
+MQswCQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NT
+TCBSU0EgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTIxMTEwODAwMDAwMFoXDTIy
+MDIwNjIzNTk1OVowGzEZMBcGA1UEAxMQZHdwLmFkYXZvY2F0cy5mcjCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFs/ZO6adqnKMoiU+6PHL1DTRLqAS1I
+hBbZelSxne8KsvRa5PJEzDWU4FqBwm0Taw5qjqc038Zjx3RY7u6hPsbNiEhEHI8
+....
+ZXekr3ynlDwTnwUU3YH5+puEorNDxX8X+wl9l3rAMS3AsVpwm4YgFVLgcWTwoq7Q
+mxpL5qTsrSmrn7iaAqFr+3v0GBFLley2j6FHaQnPuvMoVmPK0hliJGGkAer2HZab
+cYkq9EZdfAswZX5UYTLNBHcYX0eqYM1ZDFpIF69piusa1rS0BPWaTTo+rIvkiefO
+DYRjQRD0hnFd34oTW7J/wo4BZK0Mz+tBq7eDOxR0KM3oUaLg/C+QSECRETTTTTTT
+xETgUMXEPkdtUPmM4AJvQYXk
+-----END CERTIFICATE-----
+[lun. nov.  8 22:06:32 CET 2021] Your cert is in: /root/.acme.sh/wp.mondomain.fr/wp.mondomain.fr.cer
+[lun. nov.  8 22:06:32 CET 2021] Your cert key is in: /root/.acme.sh/wp.mondomain.fr/wp.mondomain.fr.key
+[lun. nov.  8 22:06:32 CET 2021] The intermediate CA cert is in: /root/.acme.sh/wp.mondomain.fr/ca.cer
+[lun. nov.  8 22:06:32 CET 2021] And the full chain certs is there: /root/.acme.sh/wp.mondomain.fr/fullchain.cer
+</code>
 ==== references ====
   * https://blog.tetsumaki.net/articles/2017/06/generation-des-certificats-lets-encrypt-par-challenge-dns-avec-le-client-acmesh.html
+  * https://nextnet.top/content/using-gandi-livedns-dynamic-dns-server
   * https://www.howtoforge.com/getting-started-with-acmesh-lets-encrypt-client/
   * https://www.palabritudes.net/2018/03/11/certbot-challenge-dns-gandi-ovh.html
+  * https://www.heelpbook.net/2021/getting-lets-encrypt-certificate-using-dns-01-challenge-with-acme-dns-certbot-joohoi-or-acme-sh/
   * https://smallstep.com/blog/the-embarrassing-state-of-enterprise-acme/

docpublic/systemes/acme_auto.1636061742.txt.gz · Last modified: 2021/11/04 21:35 by adminjp

Show page Old revisions

[unknown link type]Back to top