DNS-01 Validation using Script and WIN-Acme Script Question

I'd like to see about using DNS-01 Validation for Let's Encrypt in order to get SSL certificates in a Development environment (STAGE, really).

I like the program Win-ACME (since I'm running this on Windows Server 2016 machines) and when I wrote up a question in GitHub I was taken to this page: https://github.com/PKISharp/win-acme/wiki/Validation-plugins#dns-01-validation

I am not using Azure, so logically I'd use the "Script" portion.

"Run external program/script to create and update records.
One create script should be provided that accepts three parameters:
  - Hostname that's being validated
  - Name of the TXT record to create
  - Content of the TXT record to create
One delete script should be provided that accepts two parameters:
  - Hostname that's being validated
  - Name of the TXT record to delete
Unattended: --validationmode dns-01 --dnscreatescript C:\create-dns.bat --dnsdeletescript C:\delete-dns.bat --validation dnsscript"

How do I write out the "create-dns.bat" and "delete-dns.bat" files? Does anyone have any examples they could share? Could it be written in BIND?
Tessando (IT Administrator) asked:

noci (Software Engineer) commented:
For BIND you need the nsupdate program, part of the BIND toolkit.
With the right credentials & parameters it should work for you...

Isn't certbot ported to Windows? Certbot (0.23+) has a lot of plugins added, esp. for the DNS-01 authentication method.
Tessando (IT Administrator, Author) commented:
Well, I'm just guessing at BIND. Since Let's Encrypt is written in ACME, perhaps that's what I should write those scripts in. Anyone have experience with this?
noci (Software Engineer) commented:
ACME is the low-level API for certificate requests. Certbot is one of the implementations using ACME; Win-ACME seems like another one.
certbot is able to automate a lot around certificate renewal. certbot uses plugins for a few dozen DNS servers
(like Amazon, PowerDNS, ... and also BIND).

What is needed is that after you have logged on to the API and requested a renewal, you get a challenge string from the LE servers; this needs to be entered into DNS, then the LE servers need to get a signal that all is ready and they do a DNS query...
This happens for each of the Subjects & Subject Alternate Names on the certificate. For each of the correctly returned challenges the name is put on the certificate.

I had an ugly scripted (hack really, using nsupdate) version ready just before dns-01 became deployed, then I found the DNS plugin library ready for certbot 0.22+... (it was missing a use case that was used in a lot of scripting, for which I proposed a change, which was accepted in 0.23+).

So does Win-ACME have hooks (I have no Windows systems..., so I have to ask) that can run code after receiving the challenge and before the query, that can run "some update tool" [nsupdate for BIND...], SQL queries for others, and on Windows probably some PowerShell to interface with DC DNS? How would Win-ACME signal the LE server that the challenge is placed..., and how would the challenge be removed...

A short search in certbot showed there is someone who made a Windows IIS & DNS integration: it was started as an attempt to port certbot + the IIS plugin to Windows, but became a PowerShell integration instead.
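As an added example (not from the thread or from the win-acme project), here is one PowerShell script that can back both hooks the wiki excerpt describes: called with three arguments it creates the TXT record, called with two it deletes it, using the Windows DNS Server cmdlets that noci alludes to for DC-hosted DNS. It assumes the DnsServer RSAT module is installed, that the account running win-acme may edit the zone, and that the zone is hosted on the same server; the file path C:\acme-dns.ps1 and the names used in comments are placeholders.

```powershell
# acme-dns.ps1 (added example): win-acme DNS-01 hook for Windows DNS Server.
# create-dns.bat passes 3 args: <hostname> <txt record name> <txt content>
# delete-dns.bat passes 2 args: <hostname> <txt record name>
param(
    [Parameter(Mandatory = $true)]  [string] $Hostname,    # e.g. stage.example.com (placeholder)
    [Parameter(Mandatory = $true)]  [string] $RecordName,  # e.g. _acme-challenge.stage.example.com
    [Parameter(Mandatory = $false)] [string] $RecordValue  # challenge token; not passed on delete
)

$ErrorActionPreference = 'Stop'   # a failed DNS change must fail the hook, so win-acme sees it

# Find the zone hosted on this server that contains the record name by walking the
# labels from the left, so the hook works for any host without a hard-coded zone.
function Find-ZoneName([string] $fqdn) {
    $labels = $fqdn.TrimEnd('.').Split('.')
    for ($i = 0; $i -lt $labels.Length - 1; $i++) {
        $candidate = ($labels[$i..($labels.Length - 1)] -join '.')
        if (Get-DnsServerZone -Name $candidate -ErrorAction SilentlyContinue) { return $candidate }
    }
    throw "No hosted zone found for $fqdn"
}

$fqdn = $RecordName.TrimEnd('.')
$zone = Find-ZoneName $fqdn
# Name relative to the zone, e.g. "_acme-challenge.stage"; "@" means the zone apex.
$relative = if ($fqdn -eq $zone) { '@' } else { $fqdn.Substring(0, $fqdn.Length - $zone.Length - 1) }

if ($PSBoundParameters.ContainsKey('RecordValue')) {
    # Create: a short TTL so a replaced token is not served from cache while LE queries it.
    Add-DnsServerResourceRecord -ZoneName $zone -Name $relative -Txt `
        -DescriptiveText $RecordValue -TimeToLive ([TimeSpan]::FromSeconds(60))
    Write-Host "Created TXT $fqdn in zone $zone for $Hostname"
} else {
    # Delete: remove every TXT record under the challenge name so no stale tokens remain.
    Get-DnsServerResourceRecord -ZoneName $zone -Name $relative -RRType Txt -ErrorAction SilentlyContinue |
        Remove-DnsServerResourceRecord -ZoneName $zone -Force
    Write-Host "Removed TXT $fqdn from zone $zone for $Hostname"
}
```

The two .bat files named in the wiki excerpt then only need to forward their arguments, e.g. create-dns.bat containing `powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\acme-dns.ps1 %1 %2 %3` and delete-dns.bat the same line with `%1 %2`. Before the first real renewal, run the create hook by hand and confirm the record with `Resolve-DnsName -Type TXT _acme-challenge.<host>` from outside the DNS server, since Let's Encrypt queries the public authoritative servers, not the host that ran the script.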

Tessando (IT Administrator, Author) commented:
Thank you for this thorough history of Let's Encrypt. In these few paragraphs you cleared up a bunch of confusion for me. Thanks!