rfc2136 support?

#1
Hello,

In researching Let's Encrypt and dynamic DNS, I have learned a lot about RFC 2136. I just looked at zoneedit's dynamic DNS information: but it leaves a pertinent question unresolved: does zoneedit's dynamic DNS use RFC 2136?

If so, that seems a shoo-in for pfSense's version of Let's Encrypt: it has the option ns-update (rfc2136)...

If rfc2136 is supported, I would be happy to provide scripting information for using nsupdate.

Thank you for your time...

--jason
 

sandy neal

Administrator
Staff member
#2
What records are required to be dynamically updated for Let's Encrypt? I was under the impression that it was a record other than an IP update.

thanks
sandy
 
#3
"txt" records are what Let's Encrypt looks for. The prefix acme uses is _acme-challenge.<fqdn>.

ISC's BIND uses TSIG to allow/deny updates.

So in my case, acme would be pushing new records every 60 days or so such as:

_acme-challenge.mydomain.tld. 7200 IN TXT "_63xxxxxe7q8d28H5dJhntJl_0ET5CsxwdD7Buow-o"

--jason
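
The update described in post #3, as an added example that is not part of any poster's message and is not Zoneedit or pfSense code: it derives the DNS-01 TXT value defined in RFC 8555 and builds the batch a client would pipe to `nsupdate -k <tsig-keyfile>`. The server and zone names, the token and the thumbprint are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import re

B64URL = re.compile(r"[A-Za-z0-9_-]{43}")  # unpadded base64url of a 32-byte digest
HOSTNAME = re.compile(r"(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9])?\.)+")  # absolute name


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization)), no padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_name(fqdn: str) -> str:
    """Owner name of the TXT record; a wildcard validates at its base name."""
    name = fqdn.strip().rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    return f"_acme-challenge.{name}."


def nsupdate_batch(server: str, zone: str, fqdn: str, value: str,
                   ttl: int = 60, present: bool = True) -> str:
    """Build stdin for `nsupdate -k <tsig-keyfile>`: add or remove one TXT RR."""
    owner = challenge_name(fqdn)
    zone = zone.rstrip(".").lower() + "."
    server = server.rstrip(".").lower()
    # Reject anything that could smuggle quotes or extra nsupdate commands.
    if not B64URL.fullmatch(value):
        raise ValueError("TXT value is not a DNS-01 digest")
    for name in (owner, zone, server + "."):
        if not HOSTNAME.fullmatch(name):
            raise ValueError(f"bad DNS name: {name!r}")
    if not owner.endswith("." + zone):
        raise ValueError("challenge name is outside the zone")
    if present:
        change = f'update add {owner} {int(ttl)} TXT "{value}"'
    else:
        # Delete only this RR so a concurrent wildcard challenge survives.
        change = f'update delete {owner} TXT "{value}"'
    return "\n".join([f"server {server}", f"zone {zone}", change, "send"]) + "\n"


if __name__ == "__main__":
    # Constructed sample: the token and account-key thumbprint are made up.
    value = dns01_txt_value("constructed-token.constructed-thumbprint")
    print(nsupdate_batch("ns1.example.test", "example.test", "*.example.test", value))
```

On the BIND side, scoping the TSIG key to TXT records under `_acme-challenge` names keeps a leaked key from rewriting the rest of the zone.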
 

sandy neal

Administrator
Staff member
#4
We will have an API available soon that will allow TXT record updates.. for dynamic updates.. at present that is for IP address only

thanks and take care
sandy
 
#9
+1. This is now holding up providing certificates to multiple projects for us. For non-*nix hosts, there is no alternative to DNS-based renewal. Manually updating TXT records is not practical. Would appreciate priority to this item.
 

sdas2

New Member
#11
Hi @sandy neal,
any update on the dynamic/automatic TXT entry yet? I also use the ACME client on pfSense and it has failed to add/update the _acme-challenge.<fqdn> TXT record, hence getting errors/warnings all over the place. Is there any way you can help us?
 

sdas2

New Member
#13
hummm............ that's a bit inconvenient for us, as users.
Any idea when we might see that working? Any particular issue (technical or otherwise) that you guys are having difficulty dealing with (if you'd like to share)?

Question to others:
How are others using Let's Encrypt on pfSense (apart from opening up port 80), as Zoneedit cannot be of any help at this point in time?

-San
 