DNS-01 Validation using Script and WIN-Acme Script Question

I'd like to see about using DNS-01 validation for Let's Encrypt in order to get SSL certificates in a development environment (STAGE, really).

I like the program Win-ACME (since I'm running this on Windows Server 2016 machines) and when I wrote up a question in GitHub I was taken to this page: https://github.com/PKISharp/win-acme/wiki/Validation-plugins#dns-01-validation

I am not using Azure, so logically I'd use the "Script" portion.

"Run external program/script to create and update records.
One create script should be provided that accepts three parameters:
- Hostname that's being validated
- Name of the TXT record to create
- Content of the TXT record to create
One delete script should be provided that accepts two parameters:
- Hostname that's being validated
- Name of the TXT record to delete
Unattended: --validationmode dns-01 --dnscreatescript C:\create-dns.bat --dnsdeletescript C:\delete-dns.bat --validation dnsscript"

How do I write out the "create-dns.bat" and "delete-dns.bat" files? Does anyone have any examples they could share? Could it be written in BIND?
Tessando (IT Administrator) asked:
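One way to satisfy the create/delete contract quoted above on a Windows DNS Server, written here as an added example (it is not code from the original post or from the win-acme project). It assumes the DnsServer PowerShell module is installed (DNS Server role or RSAT), that the account running Win-ACME may edit the zone, and that the server name dc01.example.com and the file name acme-dns.ps1 are placeholders. Because Win-ACME passes the record name as a full FQDN while the DnsServer cmdlets want a zone plus a relative name, the script looks up which hosted primary zone owns the record before touching it.

```powershell
# acme-dns.ps1 (hypothetical name). Added example for the Win-ACME "Script"
# DNS-01 plugin; not code from the win-acme project.
# Win-ACME calls the create script with:  <hostname> <recordname> <content>
# and the delete script with:             <hostname> <recordname>
# so one script handles both and dispatches on an extra first argument.
# Assumes the DnsServer module and that the zone is primary on $DnsServer.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('create','delete')][string]$Action,
    [Parameter(Mandatory)][string]$Hostname,     # name being validated (accepted, unused here)
    [Parameter(Mandatory)][string]$RecordName,   # e.g. _acme-challenge.www.example.com
    [string]$Content,                            # challenge token (create only)
    [string]$DnsServer = 'dc01.example.com'      # assumption: the authoritative DNS server
)
$ErrorActionPreference = 'Stop'
Import-Module DnsServer

# Find the longest hosted primary forward zone that is a suffix of the record
# name, so _acme-challenge.www.example.com lands in example.com, not in com.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsReverseLookupZone -and $_.ZoneType -eq 'Primary' } |
    Sort-Object { $_.ZoneName.Length } -Descending
$fqdn = $RecordName.TrimEnd('.')
$zone = $zones |
    Where-Object { $fqdn -eq $_.ZoneName -or $fqdn.EndsWith('.' + $_.ZoneName) } |
    Select-Object -First 1
if (-not $zone) { throw "No primary zone on $DnsServer hosts $fqdn" }

# Relative owner name inside the zone ('@' if the record sits at the apex).
$relative = if ($fqdn -eq $zone.ZoneName) { '@' }
            else { $fqdn.Substring(0, $fqdn.Length - $zone.ZoneName.Length - 1) }

switch ($Action) {
    'create' {
        if (-not $Content) { throw 'create requires the TXT content (third argument)' }
        # Short TTL so a stale token is not cached between renewals.
        Add-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName `
            -Txt -Name $relative -DescriptiveText $Content -TimeToLive (New-TimeSpan -Seconds 60)
        Write-Host "Added TXT $fqdn in zone $($zone.ZoneName)"
    }
    'delete' {
        # The delete script gets no content, so remove every TXT at that name.
        $records = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName `
            -Name $relative -RRType Txt -ErrorAction SilentlyContinue)
        foreach ($r in $records) {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName `
                -InputObject $r -Force
        }
        Write-Host "Removed $($records.Count) TXT record(s) at $fqdn"
    }
}
```

The two batch files Win-ACME is pointed at then only forward their arguments: create-dns.bat contains `powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\acme-dns.ps1 create "%~1" "%~2" "%~3"` and delete-dns.bat the same line with `delete "%~1" "%~2"`. Two things to check before relying on it: the Let's Encrypt validators query the public authoritative servers, so the zone edited here must be the one published on the Internet (not an internal-only AD zone) and any zone transfer or replication must have completed before Win-ACME asks for validation; and the argument order comes from the wiki text quoted in the question, so confirm it against the wiki page for the Win-ACME version actually installed.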
noci (Software Engineer) commented:
ACME is the low-level API for certificate requests. Certbot is one of the implementations using ACME; Win-ACME seems like another one.
certbot is able to automate a lot around certificate renewal. certbot uses plugins for a few dozen DNS servers
(like Amazon, PowerDNS, ... and also BIND).

What is needed is that after you have logged on to the API and requested a renewal, you get a challenge string from the LE servers; this needs to be entered into DNS, then the LE servers need to get a signal that all is ready and they do a DNS query.
This happens for each of the Subjects & Subject Alternate Names on the certificate. For each of the correctly returned challenges the name is put on the certificate.

I had an ugly scripted (hack really, using nsupdate) version ready just before dns-01 became deployed, then I found the DNS plugin library ready for certbot 0.22+... (it was missing a use case that was used in a lot of scripting, for which I proposed a change, which was accepted in 0.23+).

So does Win-ACME have hooks (I have no Windows systems, so I have to ask) that can run code after receiving the challenge and before the query, that can run "some update tool" [nsupdate for BIND...], SQL queries for others, and on Windows probably some PowerShell to interface with DC-DNS? How would Win-ACME signal the LE server that the challenge is placed, and how would the challenge be removed?

A short search in certbot showed there is someone who made a Windows IIS & DNS integration: it was started as an attempt to port certbot + the IIS plugin to Windows, but became a PowerShell integration instead.
noci (Software Engineer) commented:
For BIND you need the nsupdate program, part of the BIND toolkit.
With the right credentials & parameters it should work for you...

Isn't certbot ported to Windows? Certbot (0.23+) has a lot of plugins added, esp. for the DNS-01 authentication method.
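For the BIND case suggested above, and the flow described in the earlier comment (token received, token placed in DNS, validator queries it, token removed), here is the same create/delete contract implemented with nsupdate, as an added example that is not code from the poster, certbot or win-acme. It assumes the BIND tools (nsupdate.exe on Windows) are installed, that ns1.example.com is the primary for the zone example.com, and that C:\acme\tsig.key holds a TSIG key in BIND's `key "acme-key" { algorithm hmac-sha256; secret "..."; };` format; all of those names are placeholders. Unlike the Windows DNS example, this one sends an RFC 2136 dynamic update and then re-queries the primary to confirm the change landed before returning to Win-ACME.

```powershell
# acme-nsupdate.ps1 (hypothetical name). Added example for the Win-ACME
# "Script" DNS-01 plugin against a BIND primary; not win-acme or certbot code.
# Same argument contract as the plugin: create <host> <record> <content>,
# delete <host> <record>. Assumes nsupdate from the BIND tools and a TSIG
# key file that the zone's update-policy grants TXT rights to.
param(
    [Parameter(Mandatory)][ValidateSet('create','delete')][string]$Action,
    [Parameter(Mandatory)][string]$Hostname,   # name being validated (accepted, unused here)
    [Parameter(Mandatory)][string]$RecordName, # e.g. _acme-challenge.www.example.com
    [string]$Content,                          # challenge token (create only)
    [string]$NameServer = 'ns1.example.com',   # assumption: primary that accepts updates
    [string]$Zone       = 'example.com',       # assumption: zone holding the record
    [string]$KeyFile    = 'C:\acme\tsig.key',  # assumption: TSIG key file, restrict its ACL
    [string]$NsUpdate   = 'nsupdate.exe'       # assumption: on PATH
)
$ErrorActionPreference = 'Stop'
$fqdn = $RecordName.TrimEnd('.') + '.'   # nsupdate wants an absolute name

# Build the nsupdate batch: server, zone, one or more update ops, send.
$lines = @("server $NameServer", "zone $Zone")
switch ($Action) {
    'create' {
        if (-not $Content) { throw 'create requires the TXT content (third argument)' }
        # ACME tokens are base64url, so there are no quotes to escape inside.
        $lines += "update add $fqdn 60 IN TXT `"$Content`""
    }
    'delete' {
        # No content is passed on delete, so drop all TXT RRs at the name.
        $lines += "update delete $fqdn IN TXT"
    }
}
$lines += 'send'

# Feed the batch on stdin. -k reads the secret from a file, so it never
# appears on the command line the way -y name:secret would.
$output = $lines | & $NsUpdate -k $KeyFile 2>&1
if ($LASTEXITCODE -ne 0) { throw "nsupdate failed ($LASTEXITCODE): $output" }

# Confirm against the primary itself before Win-ACME asks LE to validate.
$answer  = Resolve-DnsName -Name $fqdn.TrimEnd('.') -Type TXT -Server $NameServer `
               -DnsOnly -ErrorAction SilentlyContinue
$strings = @($answer | Where-Object Type -eq 'TXT' | ForEach-Object Strings)
if ($Action -eq 'create' -and $strings -notcontains $Content) {
    throw "TXT $fqdn not visible on $NameServer after update"
}
if ($Action -eq 'delete' -and $strings.Count -gt 0) {
    throw "TXT records still present at $fqdn after delete"
}
Write-Host "$Action of TXT $fqdn confirmed on $NameServer"
```

On the BIND side, give the key as little power as possible: rather than `allow-update`, use an `update-policy` that grants the key only TXT at the challenge names, for example `update-policy { grant acme-key name _acme-challenge.www.example.com. TXT; };` in the zone stanza. If the zone has secondaries, the validator may hit one of them, so allow for the NOTIFY/transfer to complete (or point Win-ACME's check at the public servers) before validation is triggered.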
Tessando (IT Administrator), author, commented:
Well, I'm just guessing at BIND. Since Let's Encrypt is written in ACME, perhaps that's what I should write those scripts in. Anyone have experience with this?
Tessando (IT Administrator), author, commented:
Thank you for this thorough history of Let's Encrypt. In these few paragraphs you cleared up a bunch of confusion for me. Thanks!