我需要 Exim 的 TLS 证书,而不是网站。对于不使用网络服务器的人,Let's Encrypt 通过所谓的 DNS-01 质询提供证书。这真的很简单,一个钩子脚本会使用 TXT 质询 RR 动态更新 BIND 的区域,然后 Let's Encrypt 会使用该 RR 来验证证书请求。
这一切都取决于 BIND 中的 DDNS 更新。我有以下区域配置:
zone "example.com" IN {
type master;
notify yes;
allow-query { "any"; };
file "/etc/bind/example.com.zone";
update-policy {
grant ddns-key zonesub ANY;
};
};
然后我使用dehydrated客户端发出证书请求、获取证书签名等。dehydrated使用一个钩子脚本动态添加带有域质询的 TXT 记录:
% dehydrated -c --domain example.com -t dns-01 -k /myhook.sh
# INFO: Using main config file /etc/dehydrated/config
Processing example.com
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 1 authorizations URLs from the CA
+ Handling authorization for example.com
+ 1 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for example.com authorization...
+ Cleaning challenge tokens...
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com - check that a DNS record exists for this domain",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/9027433651/.....",
"token": "g_zU3NXkYwjt2LrRm3Yo33O22BFPLRvl......"
})
钩子脚本基于https://github.com/dehydrated-io/dehydrated/wiki/example-dns-01-nsupdate-script。
如果我检查 TXT 记录是否存在(在dehydrated尝试删除它之前),它确实不存在:
dig TXT _acme-challenge.example.com @inet.example.com
...NXDOMAIN
BIND 在日志中写入一行相关内容:
02-Dec-2020 20:21:56.089 update: info: client 10.5.1.181#49440/key ddns-key: updating zone 'example.com/IN': adding an RR at '_acme-challenge.example.com' TXT "GLuKNhJkt3MJ4refRS_nkL9BRBbqXSl4a3QytkGfY64"
就是这样。没有其他内容了,尽管我已经提高了日志记录级别以进行调试。TXT 记录没有出现,没有错误消息,什么都没有。
我怎样才能修复这个问题?
操作系统:Debian 9。BIND 版本:9.10。
% named -V
BIND 9.10.3-P4-Debian <id:ebd72b3>
built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-3gVwXu/bind9-9.10.3.dfsg.P4=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 6.3.0 20170516
compiled with OpenSSL version: OpenSSL 1.0.2u 20 Dec 2019
linked to OpenSSL version: OpenSSL 1.0.2u 20 Dec 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
更新
我发现了一些东西,这似乎与 BIND 正在监听的 IP/接口有关。当我使用外部可见的名称服务器时example.com,我使用以下nsupdate命令会遭到拒绝:
% nsupdate -k /etc/exim4/ddns.key < /tmp/s
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)
% cat /tmp/s
server inet.example.com
add _acme-challenge.example.com 1010001 in TXT "abc"
send
但是,我没有收到错误,TXT 记录做使用以下命令插入nsupdate:
server 10.0.0.1
add _acme-challenge.example.com 1010001 in TXT "abc"
send