Demonstration of using Gandi's LiveDNS API to automatically validate a certificate request through an ACME DNS-01 challenge.
Installation
[root@vps ~]# mkdir acme
[root@vps ~]# cd acme
[root@vps acme]# wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[root@vps acme]# tar zxvf master.tar.gz
acme.sh-master/
acme.sh-master/.github/
[root@vps acme]# cd acme.sh-master/
[root@vps acme.sh-master]# ./acme.sh --install --nocron
[jeu. nov. 4 21:37:30 CET 2021] It is recommended to install socat first.
[jeu. nov. 4 21:37:30 CET 2021] We use socat for standalone server if you use standalone mode.
[jeu. nov. 4 21:37:30 CET 2021] If you don't use standalone mode, just ignore this warning.
[jeu. nov. 4 21:37:30 CET 2021] Installing to /root/.acme.sh
[jeu. nov. 4 21:37:30 CET 2021] Installed to /root/.acme.sh/acme.sh
[jeu. nov. 4 21:37:30 CET 2021] Installing alias to '/root/.bashrc'
[jeu. nov. 4 21:37:30 CET 2021] OK, Close and reopen your terminal to start using acme.sh
[jeu. nov. 4 21:37:30 CET 2021] Installing alias to '/root/.cshrc'
[jeu. nov. 4 21:37:30 CET 2021] Installing alias to '/root/.tcshrc'
[jeu. nov. 4 21:37:30 CET 2021] Good, bash is found, so change the shebang to use bash as preferred.
[jeu. nov. 4 21:37:31 CET 2021] OK
At this point the client is installed in /root/.acme.sh/ and nowhere else.
Generate an API key at https://account.gandi.net/fr/ under the Security tab, then export it for acme.sh's dns_gandi_livedns hook:
[root@vps ~]# export GANDI_LIVEDNS_KEY="SECRETSECRETKEY"
If the domain is old, it is probably still on Gandi's legacy (non-dynamic) name servers:
switching to dynamic DNS:
[root@vps ~]# ~/.acme.sh/acme.sh --register-account -m admin@domain.fr
[jeu. nov. 4 22:45:12 CET 2021] No EAB credentials found for ZeroSSL, let's get one
[jeu. nov. 4 22:45:13 CET 2021] Registering account: https://acme.zerossl.com/v2/DV90
[jeu. nov. 4 22:45:14 CET 2021] Registered
[jeu. nov. 4 22:45:14 CET 2021] ACCOUNT_THUMBPRINT='secret-SECRET-SE-K__CRET'
To send web requests from the command line and parse JSON we need these two packages:
[root@vps ~]# yum install curl jq
We set the shell variables needed to call the Gandi LiveDNS API, then update the A record of a dynamic subdomain with our current public IP:
# Fetch our public IP address from the Akamai servers
MY_IP=$(curl -s http://whatismyip.akamai.com/)
# Gandi LiveDNS API key
APIKEY="................."
# Static domain hosted at Gandi
DOMAIN="mondomain.fr"
# Dynamic subdomain
SUBDOMAIN="acme"
# Get the current zone for the provided domain
CURRENT_ZONE_HREF=$(curl -s -H "X-Api-Key: $APIKEY" "https://dns.api.gandi.net/api/v5/domains/$DOMAIN" | jq -r '.zone_records_href')
# Update the A record of the dynamic subdomain by PUTting on the current zone
curl -D- -X PUT -H "Content-Type: application/json" \
  -H "X-Api-Key: $APIKEY" \
  -d "{\"rrset_name\": \"$SUBDOMAIN\", \"rrset_type\": \"A\", \"rrset_ttl\": 1200, \"rrset_values\": [\"$MY_IP\"]}" \
  "$CURRENT_ZONE_HREF/$SUBDOMAIN/A"
Complete execution example
[root@vps ~]# ~/.acme.sh/acme.sh --dns dns_gandi_livedns --issue --keylength 2048 -d wp.mondomain.fr
[lun. nov. 8 22:05:41 CET 2021] Using CA: https://acme.zerossl.com/v2/DV90
[lun. nov. 8 22:05:41 CET 2021] Single domain='wp.mondomain.fr'
[lun. nov. 8 22:05:41 CET 2021] Getting domain auth token for each domain
[lun. nov. 8 22:05:44 CET 2021] Getting webroot for domain='wp.mondomain.fr'
[lun. nov. 8 22:05:44 CET 2021] Adding txt value: 2ulRNvSECRET-bd0ySECRETurebtXp4EQHjQ2I_Oc for domain: _acme-challenge.wp.mondomain.fr
[lun. nov. 8 22:05:47 CET 2021] Adding record success
[lun. nov. 8 22:05:47 CET 2021] The txt record is added: Success.
[lun. nov. 8 22:05:47 CET 2021] Let's check each DNS record now. Sleep 20 seconds first.
[lun. nov. 8 22:06:08 CET 2021] You can use '--dnssleep' to disable public dns checks.
[lun. nov. 8 22:06:08 CET 2021] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[lun. nov. 8 22:06:08 CET 2021] Checking wp.mondomain.fr for _acme-challenge.wp.mondomain.fr
[lun. nov. 8 22:06:08 CET 2021] Domain wp.mondomain.fr '_acme-challenge.wp.mondomain.fr' success.
[lun. nov. 8 22:06:08 CET 2021] All success, let's return
[lun. nov. 8 22:06:08 CET 2021] Verifying: wp.mondomain.fr
[lun. nov. 8 22:06:09 CET 2021] Processing, The CA is processing your order, please just wait. (1/30)
[lun. nov. 8 22:06:12 CET 2021] Success
[lun. nov. 8 22:06:12 CET 2021] Removing DNS records.
[lun. nov. 8 22:06:12 CET 2021] Removing txt: 2ulRNvSECRET-bd0ySECRETurebtXp4EQHjQ2I_Oc for domain: _acme-challenge.wp.domain.fr
[lun. nov. 8 22:06:13 CET 2021] Removing record success
[lun. nov. 8 22:06:13 CET 2021] Removed: Success
[lun. nov. 8 22:06:13 CET 2021] Verify finished, start to sign.
[lun. nov. 8 22:06:13 CET 2021] Lets finalize the order.
[lun. nov. 8 22:06:13 CET 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/LIcDLSECRETk1k-GreSECsw/finalize'
[lun. nov. 8 22:06:14 CET 2021] Order status is processing, lets sleep and retry.
[lun. nov. 8 22:06:14 CET 2021] Retry after: 15
[lun. nov. 8 22:06:30 CET 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/LIcDLSECRETk1k-GreSECsw
[lun. nov. 8 22:06:31 CET 2021] Downloading cert.
[lun. nov. 8 22:06:31 CET 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/IHUd8SECRET-SECRETuyQ'
[lun. nov. 8 22:06:32 CET 2021] Cert success.
-----BEGIN CERTIFICATE-----
MIIGbjCCBFagAwIBAgIQXCJ7bhctS2//O7AEKEyxjSECRETTTTTTTTTTTTTTTTTT
MQswCQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NT
TCBSU0EgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTIxMTEwODAwMDAwMFoXDTIy
MDIwNjIzNTk1OVowGzEZMBcGA1UEAxMQZHdwLmFkYXZvY2F0cy5mcjCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFs/ZO6adqnKMoiU+6PHL1DTRLqAS1I
2hBbZelSxne8KsvRa5PJEzDWU4FqBwm0Taw5qjqc038Zjx3RY7u6hPsbNiEhEHI8
....
ZXekr3ynlDwTnwUU3YH5+puEorNDxX8X+wl9l3rAMS3AsVpwm4YgFVLgcWTwoq7Q
mxpL5qTsrSmrn7iaAqFr+3v0GBFLley2j6FHaQnPuvMoVmPK0hliJGGkAer2HZab
cYkq9EZdfAswZX5UYTLNBHcYX0eqYM1ZDFpIF69piusa1rS0BPWaTTo+rIvkiefO
DYRjQRD0hnFd34oTW7J/wo4BZK0Mz+tBq7eDOxR0KM3oUaLg/C+QSECRETTTTTTT
xETgUMXEPkdtUPmM4AJvQYXk
-----END CERTIFICATE-----
[lun. nov. 8 22:06:32 CET 2021] Your cert is in: /root/.acme.sh/wp.mondomain.fr/wp.mondomain.fr.cer
[lun. nov. 8 22:06:32 CET 2021] Your cert key is in: /root/.acme.sh/wp.mondomain.fr/wp.mondomain.fr.key
[lun. nov. 8 22:06:32 CET 2021] The intermediate CA cert is in: /root/.acme.sh/wp.mondomain.fr/ca.cer
[lun. nov. 8 22:06:32 CET 2021] And the full chain certs is there: /root/.acme.sh/wp.mondomain.fr/fullchain.cer
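As an added example (my own code, not from this page nor from acme.sh), here is what the dns_gandi_livedns hook does in the log above, written out in Python: derive the TXT value the CA expects from the challenge token and the ACCOUNT_THUMBPRINT printed at registration, build the LiveDNS rrset PUT the same way the curl call earlier does (zone_records_href plus record name and type), and check that the value is visible before letting the CA validate. The token, thumbprint and href are constructed sample values and the function names are mine.

```python
import base64
import hashlib
import json

CHALLENGE_LABEL = "_acme-challenge"


def txt_value_for(key_authorization: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization)) without '=' padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """The key authorization is token "." thumbprint; the CA recomputes the same value."""
    return txt_value_for(f"{token}.{account_thumbprint}")


def challenge_record_name(fqdn: str, zone: str) -> str:
    """LiveDNS wants names relative to the zone: _acme-challenge.wp for wp.mondomain.fr.
    The check is on the '.' boundary so evil-mondomain.fr is not accepted as in-zone."""
    if fqdn == zone:
        return CHALLENGE_LABEL
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return f"{CHALLENGE_LABEL}.{fqdn[:-len(zone) - 1]}"


def challenge_rrset_request(zone_records_href: str, fqdn: str, zone: str,
                            txt_value: str, ttl: int = 300) -> dict:
    """Same PUT shape as the A-record update above, for the TXT rrset (key is a placeholder)."""
    name = challenge_record_name(fqdn, zone)
    body = {"rrset_name": name, "rrset_type": "TXT", "rrset_ttl": ttl, "rrset_values": [txt_value]}
    return {"method": "PUT", "url": f"{zone_records_href}/{name}/TXT",
            "headers": {"X-Api-Key": "<GANDI_LIVEDNS_KEY>", "Content-Type": "application/json"},
            "body": json.dumps(body)}


def challenge_visible(observed_txt: list, expected: str) -> bool:
    """The pre-validation check acme.sh runs after its 20 s sleep: compare what a public
    resolver answers for _acme-challenge.<fqdn> with the expected value. dig prints TXT
    data quoted, so quotes are stripped before comparing."""
    return expected in {v.strip('"') for v in observed_txt}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    value = dns01_txt_value("sample-token-from-the-CA", "sample-account-thumbprint")
    req = challenge_rrset_request("https://dns.api.gandi.net/api/v5/domains/mondomain.fr/records",
                                  "wp.mondomain.fr", "mondomain.fr", value)
    print(req["url"], value, challenge_visible([f'"{value}"'], value))
```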
Clients