8/31/2020 – Work in progress. Should be done by 9/3/2020
These instructions are for FreeBSD, but the only difference for Linux is how you install the needed packages for CertBot.
These instructions assume you already have a functioning BIND DNS server and understand what you are doing.
Generate a key:
ddns-keygen -z example.com
Take the output of ddns-keygen and add it to named.conf. The key name ("letsencrypt" here) must be the same name you use in the update-policy grants and in the Certbot credentials file:
key "letsencrypt" {
    algorithm hmac-md5;
    secret "N2/yD9J9N166TnZvAKdFFISIFHSPOAPAAWERBRBRJEKEU975SQ==";
};
Edit named.conf: add the above key and allow Certbot to change only the specific _acme-challenge TXT records it needs (nothing else in the zone).
zone "example.com" in {
    type master;
    file "/usr/local/etc/namedb/master/example.com.zone";
    update-policy {
        grant letsencrypt name _acme-challenge.example.com. txt;
        grant letsencrypt name _acme-challenge.www.example.com. txt;
        grant letsencrypt name _acme-challenge.mail.example.com. txt;
    };
};
Restart/reload named via service named restart or rndc reload.
Install Certbot and the dns-rfc2136 plugin:
pkg install py37-certbot-dns-rfc2136-1.5.0
Create a credentials file. I chose: /root/rfc2136.ini
Keep it readable by root only, since it holds the TSIG secret. Give it these values:
dns_rfc2136_server = 127.0.0.1
dns_rfc2136_name = letsencrypt
dns_rfc2136_secret = N2/yD9J9N166TnZvU975SQ==
dns_rfc2136_algorithm = HMAC-MD5
Now generate your certificate:
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /root/rfc2136.ini -d www.example.com
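As an added example that is not part of the original post, the following Python check cross-references the key statement in named.conf, the Certbot rfc2136.ini and the zone's update-policy before certbot is run, so that a secret copied incompletely between the two files, an algorithm mismatch or a domain without a grant shows up as a config error instead of a REFUSED or BADKEY response from named. The file contents and the secret are constructed inline for the example; when using it, read them from the real paths.

```python
import re
# Constructed samples mirroring the snippets above; the secret is a dummy.
NAMED_CONF = '''key "letsencrypt" {
    algorithm hmac-md5;
    secret "N2/yD9J9N166TnZvU975SQ==";
};
zone "example.com" in {
    update-policy {
        grant letsencrypt name _acme-challenge.example.com. txt;
        grant letsencrypt name _acme-challenge.www.example.com. txt;
    };
};'''
RFC2136_INI = '''dns_rfc2136_server = 127.0.0.1
dns_rfc2136_name = letsencrypt
dns_rfc2136_secret = N2/yD9J9N166TnZvU975SQ==
dns_rfc2136_algorithm = HMAC-MD5'''
KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"([^"]+)"\s*;')
GRANT_RE = re.compile(r'grant\s+(\S+)\s+name\s+(\S+)\s+(\w+)\s*;')
def parse_ini(text):
    """Certbot credential files are bare key = value lines, no sections."""
    opts = {}
    for line in text.splitlines():
        if '=' in line and not line.lstrip().startswith('#'):
            k, v = line.split('=', 1)
            opts[k.strip()] = v.strip()
    return opts

def check(named_conf, ini_text, domains):
    """Return findings; empty means credentials, key and grants all agree."""
    ini = parse_ini(ini_text)
    name = ini.get('dns_rfc2136_name')
    keys = {n: (a.lower(), s) for n, a, s in KEY_RE.findall(named_conf)}
    if name not in keys:
        return [f'key "{name}" from rfc2136.ini is not defined in named.conf']
    alg, secret = keys[name]
    findings = []
    if secret != ini.get('dns_rfc2136_secret'):
        findings.append('secret differs between rfc2136.ini and named.conf')
    if alg != ini.get('dns_rfc2136_algorithm', '').lower():
        findings.append('algorithm differs between rfc2136.ini and named.conf')
    if alg == 'hmac-md5':
        findings.append('hmac-md5 is deprecated in BIND; prefer hmac-sha256')
    # grant names are absolute in named.conf; compare without the trailing dot
    grants = {(k, n.rstrip('.'), t.lower()) for k, n, t in GRANT_RE.findall(named_conf)}
    for d in domains:
        if (name, f'_acme-challenge.{d}', 'txt') not in grants:
            findings.append(f'no grant for {name} on _acme-challenge.{d} TXT')
    return findings
```

Pass the same list of domains you give to certbot with -d; a wildcard certificate additionally needs the grant on _acme-challenge.example.com.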