
Letsencrypt let'sencrypt dns verification

Discussion in 'Domains, DNS, Email & SSL Certificates' started by narji, Oct 25, 2016.

  1. narji

    narji Member

    69
    6
    8
    Feb 4, 2016
    Ratings:
    +12
    Local Time:
    1:40 AM
    I have been searching for a way to use Let's Encrypt verification for multi-IP subdomains with different IPs (servers) using the same domain.

    So far I have found this in the forum and community:
    Support for sub-domains and wildcard certificates - Server - Let's Encrypt Community Support

    Let's Encrypt client:
    GitHub - xenolf/lego: Let's Encrypt client and ACME library written in Go

    There are several DNS providers, including dnsmadeeasy, for lego:
    lego/providers/dns at master · xenolf/lego · GitHub

    I do not know how to implement lego in centminmod.
    Is anyone willing to help?

     
  2. narji

  3. narji


    Thank you for the answer.

    I was very interested in finding a way to add a certificate for another IP, or 2 IPs on the same domain, by DNS verification.

    Does this work for adding a certificate to another IP server in the same domain,
    or a different IP server for a subdomain in the same domain?

    If it works, can the same certificate be used for two IPs?
    One is www.mydomain.com and mydomain.com,
    and the other is sub1.mydomain.com (different IP or different server), mapped by dnsmadeeasy in an A record.
     
  4. eva2000

    eva2000 Administrator Staff Member

    55,189
    12,251
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,829
    Local Time:
    4:40 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    DNS mode works on the domain at the DNS level, not the IP of the server, so it works with any domain regardless of whether it's on the same or a different server.

    So the issued SSL cert works on the domain regardless of where you install the domain to. Though you'd have to manually install the issued SSL cert on all servers.
     
  5. narji

    Yesterday I already tested, but with HTTP verification with a staging or fake cert.

    Now it is skipping DNS verification:
    Code:
    ./acmetool.sh certonly-issue sub1.mydomain.com
    
    ------------------------------------------------------------------------------
    Version Check:
    ------------------------------------------------------------------------------
    !!!  there maybe a newer version of ./acmetool.sh available  !!!
    https://community.centminmod.com/posts/34492/
    update using centmin.sh menu option 23 submenu option 2
    
    Always ensure Current Version is higher or equal to Latest Version
    ------------------------------------------------------------------------------
    Current acmetool.sh Version: 1.0.11
    Latest acmetool.sh Version: 1.0.1
    ------------------------------------------------------------------------------
    
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://community.centminmod.com/posts/34492/
    -------------------------------------------------
    
    continue [y/n] ? y
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    [Tue Oct 25 23:33:18 WIB 2016] Installing to /root/.acme.sh
    [Tue Oct 25 23:33:18 WIB 2016] Installed to /root/.acme.sh/acme.sh
    [Tue Oct 25 23:33:18 WIB 2016] Installing alias to '/root/.bashrc'
    [Tue Oct 25 23:33:18 WIB 2016] OK, Close and reopen your terminal to start using acme.sh
    [Tue Oct 25 23:33:19 WIB 2016] Installing alias to '/root/.cshrc'
    [Tue Oct 25 23:33:19 WIB 2016] Installing alias to '/root/.tcshrc'
    [Tue Oct 25 23:33:19 WIB 2016] Installing cron job
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Tue Oct 25 23:33:19 WIB 2016] Good, bash is found, so change the shebang to use bash as prefered.
    [Tue Oct 25 23:33:19 WIB 2016] OK
    https://github.com/Neilpang/acme.sh
    v2.6.2
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    
    -----------------------------------------------------------
    [DNS mode] issue & install letsencrypt ssl certificate for sub1.mydomain.com
    -----------------------------------------------------------
    testcert value =
    /root/.acme.sh/acme.sh --staging --issue --force --dns -d sub1.mydomain.com -k 2048 --useragent centminmod-centos7-acmesh-dns --log /root/centminlogs/acmetool.sh-debug-log-251016-233314.log --log-level 2
    [Tue Oct 25 23:33:19 WIB 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Tue Oct 25 23:33:21 WIB 2016] Registering account
    [Tue Oct 25 23:33:23 WIB 2016] Already registered
    [Tue Oct 25 23:33:26 WIB 2016] Update success.
    [Tue Oct 25 23:33:26 WIB 2016] Single domain='sub1.mydomain.com'
    [Tue Oct 25 23:33:26 WIB 2016] Verify each domain
    [Tue Oct 25 23:33:26 WIB 2016] Getting webroot for domain='sub1.mydomain.com'
    [Tue Oct 25 23:33:26 WIB 2016] _w='dns'
    [Tue Oct 25 23:33:26 WIB 2016] Getting new-authz for domain='sub1.mydomain.com'
    [Tue Oct 25 23:33:28 WIB 2016] sub1.mydomain.com is already verified, skip.
    [Tue Oct 25 23:33:28 WIB 2016] sub1.mydomain.com is already verified, skip dns-01.
    [Tue Oct 25 23:33:28 WIB 2016] sub1.mydomain.com is already verified, skip dns-01.
    [Tue Oct 25 23:33:28 WIB 2016] Dns not added, skip.
    [Tue Oct 25 23:33:28 WIB 2016] Verify finished, start to sign.
    [Tue Oct 25 23:33:31 WIB 2016] Cert success.
    [Tue Oct 25 23:33:31 WIB 2016] Your cert is in  /root/.acme.sh/sub1.mydomain.com/sub1.mydomain.com.cer
    [Tue Oct 25 23:33:31 WIB 2016] Your cert key is in  /root/.acme.sh/sub1.mydomain.com/sub1.mydomain.com.key
    [Tue Oct 25 23:33:31 WIB 2016] The intermediate CA cert is in  /root/.acme.sh/sub1.mydomain.com/ca.cer
    [Tue Oct 25 23:33:31 WIB 2016] And the full chain certs is there:  /root/.acme.sh/sub1.mydomain.com/fullchain.cer
    
    ---------------------------------
     DNS mode requires manual steps below
    ---------------------------------
    
    
    How do I remove the staging or fake certificate?
    I tried this code in SSH:
    acme.sh --renew -d sub1.mydomain.com
    but got: Skip, Next renewal time is: Sat Dec 24 16:33:31 UTC 2016
    Code:
    [sub1@mydomain addons]# /root/.acme.sh/acme.sh --renew -d sub1.mydomain.com
    [Tue Oct 25 23:35:01 WIB 2016] Renew: 'sub1.mydomain.com'
    [Tue Oct 25 23:35:01 WIB 2016] Skip, Next renewal time is: Sat Dec 24 16:33:31 UTC 2016
    [Tue Oct 25 23:35:01 WIB 2016] Add '--force' to force to renew.
     
  6. eva2000

    The --force flag should cause a reissue of a new cert, so it could be a bug in acme.sh.
    But you are also running an outdated acmetool.sh, which means you're running an outdated 123.09beta01 that needs updating.
    Code (Text):
    Always ensure Current Version is higher or equal to Latest Version
    ------------------------------------------------------------------------------
    Current acmetool.sh Version: 1.0.11
    Latest acmetool.sh Version: 1.0.1
    ------------------------------------------------------------------------------
    


    Edit: sorry, seems like a bug on my end for the reported version!
     
  7. eva2000

    Oh, it's only skipping DNS verification because you already verified the domain previously, and the verification is valid for 90 days.

    For the issuance part you need to change
    Code (Text):
    acme.sh --renew -d sub1.mydomain.com

    to
    Code (Text):
    acme.sh --force --renew -d sub1.mydomain.com
     
  8. eva2000

    acmetool.sh 1.0.13 released to update DNS mode to always use --force for issue/renew.
     
  9. narji

    It is valid because I already added it live for mydomain.com through HTTP verification.
    The problem now is that I want to add sub1.mydomain.com, and it's on a different IP, or mapped with an A record in dnsmadeeasy.

    What SSH code should I use?

    To update DNS in acme.sh:
    Code:
    acme.sh --issue --dns -d mydomain.com -d www.mydomain.com -d sub1.mydomain.com
    For acmetool.sh certonly-issue, how do I add mydomain.com, www.mydomain.com, sub1.mydomain.com?
     
  10. eva2000

    It should be similar to the SANS Multi-Domain SSL Certificates method: you add additional domains via comma-separated syntax, minus the main domain's www version, as that is automatically added.
    Code (Text):
    ./acmetool.sh certonly-issue mydomain.com,sub1.mydomain.com

    that covers mydomain.com, www.mydomain.com and sub1.mydomain.com
     
  11. narji

    first part ssh code
    Code:
    ./acmetool.sh certonly-issue  mydomain.com,sub1.mydomain.com
    
    Version Check:
    ------------------------------------------------------------------------------
    !!!  there maybe a newer version of ./acmetool.sh available  !!!
    https://community.centminmod.com/posts/34492/
    update using centmin.sh menu option 23 submenu option 2
    
    Always ensure Current Version is higher or equal to Latest Version
    ------------------------------------------------------------------------------
    Current acmetool.sh Version: 1.0.13
    Latest acmetool.sh Version: 1.0.12
    ------------------------------------------------------------------------------
    
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://community.centminmod.com/posts/34492/
    -------------------------------------------------
    
    continue [y/n] ? y
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    [Wed Oct 26 01:08:21 WIB 2016] Installing to /root/.acme.sh
    [Wed Oct 26 01:08:21 WIB 2016] Installed to /root/.acme.sh/acme.sh
    [Wed Oct 26 01:08:21 WIB 2016] Installing alias to '/root/.bashrc'
    [Wed Oct 26 01:08:21 WIB 2016] OK, Close and reopen your terminal to start using acme.sh
    [Wed Oct 26 01:08:21 WIB 2016] Installing alias to '/root/.cshrc'
    [Wed Oct 26 01:08:21 WIB 2016] Installing alias to '/root/.tcshrc'
    [Wed Oct 26 01:08:21 WIB 2016] Installing cron job
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Wed Oct 26 01:08:21 WIB 2016] Good, bash is found, so change the shebang to use bash as prefered.
    [Wed Oct 26 01:08:21 WIB 2016] OK
    https://github.com/Neilpang/acme.sh
    v2.6.2
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    mydomain.com,sub1.mydomain.com
    
    -----------------------------------------------------------
    [DNS mode] issue & install letsencrypt ssl certificate for mydomain.com
    -----------------------------------------------------------
    testcert value =
    /root/.acme.sh/acme.sh --staging --issue --force --dns -d mydomain.com -d sub1.mydomain.com -d www.mydomain.com -k 2048 --useragent centminmod-centos7-acmesh-dns --log /root/centminlogs/acmetool.sh-debug-log-261016-010816.log --log-level 2
    [Wed Oct 26 01:08:21 WIB 2016] Using stage api:https://acme-staging.api.letsencrypt.org
    [Wed Oct 26 01:08:21 WIB 2016] mv /root/.acme.sh/account.key to /root/.acme.sh/ca/acme-staging.api.letsencrypt.org/account.key
    [Wed Oct 26 01:08:21 WIB 2016] mv /root/.acme.sh/account.json to /root/.acme.sh/ca/acme-staging.api.letsencrypt.org/account.json
    [Wed Oct 26 01:08:22 WIB 2016] Registering account
    [Wed Oct 26 01:08:23 WIB 2016] Registered
    [Wed Oct 26 01:08:24 WIB 2016] Update success.
    [Wed Oct 26 01:08:24 WIB 2016] Multi domain='DNS:sub1.mydomain.com,DNS:www.mydomain.com'
    [Wed Oct 26 01:08:25 WIB 2016] Verify each domain
    [Wed Oct 26 01:08:25 WIB 2016] Getting webroot for domain='mydomain.com'
    [Wed Oct 26 01:08:25 WIB 2016] _w='dns'
    [Wed Oct 26 01:08:25 WIB 2016] Getting new-authz for domain='mydomain.com'
    [Wed Oct 26 01:08:26 WIB 2016] Getting webroot for domain='sub1.mydomain.com'
    [Wed Oct 26 01:08:26 WIB 2016] _w='dns'
    [Wed Oct 26 01:08:26 WIB 2016] Getting new-authz for domain='sub1.mydomain.com'
    [Wed Oct 26 01:08:27 WIB 2016] Getting webroot for domain='www.mydomain.com'
    [Wed Oct 26 01:08:27 WIB 2016] _w='dns'
    [Wed Oct 26 01:08:27 WIB 2016] Getting new-authz for domain='www.mydomain.com'
    [Wed Oct 26 01:08:28 WIB 2016] Add the following TXT record:
    [Wed Oct 26 01:08:28 WIB 2016] Domain: '_acme-challenge.mydomain.com'
    [Wed Oct 26 01:08:28 WIB 2016] TXT value: 'swjKVy2_JYd5IN6YlUaP--7EadogNGJVxzI9wWJtskM'
    [Wed Oct 26 01:08:28 WIB 2016] Please be aware that you prepend _acme-challenge. before your domain
    [Wed Oct 26 01:08:28 WIB 2016] so the resulting subdomain will be: _acme-challenge.mydomain.com
    [Wed Oct 26 01:08:28 WIB 2016] Add the following TXT record:
    [Wed Oct 26 01:08:28 WIB 2016] Domain: '_acme-challenge.sub1.mydomain.com'
    [Wed Oct 26 01:08:28 WIB 2016] TXT value: 'Unj0wVEP-3B22218KCs4wsHtrHSEVmr0D5a6M1GFQSI'
    [Wed Oct 26 01:08:28 WIB 2016] Please be aware that you prepend _acme-challenge. before your domain
    [Wed Oct 26 01:08:28 WIB 2016] so the resulting subdomain will be: _acme-challenge.sub1.mydomain.com
    [Wed Oct 26 01:08:28 WIB 2016] Add the following TXT record:
    [Wed Oct 26 01:08:28 WIB 2016] Domain: '_acme-challenge.www.mydomain.com'
    [Wed Oct 26 01:08:28 WIB 2016] TXT value: 'E7BOWaXzSmOjA3KP-22_MfjS4WWFTtLiYHzngkCV9gk'
    [Wed Oct 26 01:08:28 WIB 2016] Please be aware that you prepend _acme-challenge. before your domain
    [Wed Oct 26 01:08:28 WIB 2016] so the resulting subdomain will be: _acme-challenge.www.mydomain.com
    [Wed Oct 26 01:08:28 WIB 2016] Please add the TXT records to the domains, and retry again.
    [Wed Oct 26 01:08:28 WIB 2016] Dns not added, skip.
    [Wed Oct 26 01:08:28 WIB 2016] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-261016-010816.log
    
    ---------------------------------
     DNS mode requires manual steps below
    ---------------------------------
     Add the following TXT record:
     Domain: '_acme-challenge.mydomain.com'
     TXT value: 'swjKVy2_JYd5IN6YlUaP--7EadogNGJVxzI9wWJtskM'
     Please be aware that you prepend _acme-challenge. before your domain
     Add the following TXT record:
     Domain: '_acme-challenge.sub1.mydomain.com'
     TXT value: 'Unj0wVEP-3B22218KCs4wsHtrHSEVmr0D5a6M1GFQSI'
     Please be aware that you prepend _acme-challenge. before your domain
     Add the following TXT record:
     Domain: '_acme-challenge.www.mydomain.com'
     TXT value: 'E7BOWaXzSmOjA3KP-22_MfjS4WWFTtLiYHzngkCV9gk'
     Please be aware that you prepend _acme-challenge. before your domain
     Dns not added, skip.
     Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-261016-010816.log
     Once DNS updated for mydomain.com, run SSH command:
    ---------------------------------
      /root/.acme.sh/acme.sh --force --renew -d mydomain.com -d sub1.mydomain.com -d www.mydomain.com
    ---------------------------------
     SSL certs will be located : /root/.acme.sh/mydomain.com
    
     If want to install cert into Nginx vhost, run SSH command:
    ---------------------------------
      /root/.acme.sh/acme.sh --installcert -d mydomain.com -d sub1.mydomain.com -d www.mydomain.com --certpath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.key --capath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-fullchain-acme.key
    ---------------------------------
     SSL certs will be installed at : /usr/local/nginx/conf/ssl/mydomain.com/
    
    add txt record in domain
    Code:
    name
    _acme-challenge.mydomain.com
    value
    swjKVy2_JYd5IN6YlUaP--7EadogNGJVxzI9wWJtskM
    ttl 1800
    name
    _acme-challenge.sub1.mydomain.com
    value
    Unj0wVEP-3B22218KCs4wsHtrHSEVmr0D5a6M1GFQSI
    ttl 1800
    name
    _acme-challenge.www.mydomain.com
    value
    E7BOWaXzSmOjA3KP-22_MfjS4WWFTtLiYHzngkCV9gk
    ttl 1800
    re run code ssh
    Code:
    /root/.acme.sh/acme.sh --force --renew -d mydomain.com -d sub1.mydomain.com -d www.mydomain.com
    
    [Wed Oct 26 01:33:27 WIB 2016] Renew: 'mydomain.com'
    [Wed Oct 26 01:33:27 WIB 2016] Creating account key
    [Wed Oct 26 01:33:27 WIB 2016] Registering account
    [Wed Oct 26 01:33:29 WIB 2016] Registered
    [Wed Oct 26 01:33:30 WIB 2016] Update success.
    [Wed Oct 26 01:33:30 WIB 2016] Multi domain='DNS:sub1.mydomain.com,DNS:www.mydomain.com'
    [Wed Oct 26 01:33:30 WIB 2016] Verify each domain
    [Wed Oct 26 01:33:30 WIB 2016] Verifying:mydomain.com
    [Wed Oct 26 01:33:31 WIB 2016] mydomain.com:Challenge error: {"type":"urn:acme:error:unauthorized","detail":"User registration ID doesn't match registration ID in authorization","status": 403}
    [Wed Oct 26 01:33:31 WIB 2016] Dns not added, skip.
    [Wed Oct 26 01:33:31 WIB 2016] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-261016-010816.log
    gist github
     
  12. eva2000

  13. eva2000

    The full debug log might have a clue too; it lists that one of the domains doesn't have a TXT record detected yet.

    Code (Text):
    [Wed Oct 26 01:08:28 WIB 2016] Add the following TXT record:
    [Wed Oct 26 01:08:28 WIB 2016] Domain: '_acme-challenge.mydomain.com'
    [Wed Oct 26 01:08:28 WIB 2016] TXT value: 'swjKVy2_JYd5IN6YlUaP--7EadogNGJVxzI9wWJtskM'
    [Wed Oct 26 01:08:28 WIB 2016] Please be aware that you prepend _acme-challenge. before your domain
    [Wed Oct 26 01:08:28 WIB 2016] so the resulting subdomain will be: _acme-challenge.mydomain.com
    [Wed Oct 26 01:08:28 WIB 2016] txtdomain='_acme-challenge.sub1.mydomain.com'
    [Wed Oct 26 01:08:28 WIB 2016] txt='Unj0wVEP-3B22218KCs4wsHtrHSEVmr0D5a6M1GFQSI'
    [Wed Oct 26 01:08:28 WIB 2016] d_api
    [Wed Oct 26 01:08:28 WIB 2016] Add the following TXT record:
    [Wed Oct 26 01:08:28 WIB 2016] Domain: '_acme-challenge.sub1.mydomain.com'
    [Wed Oct 26 01:08:28 WIB 2016] TXT value: 'Unj0wVEP-3B22218KCs4wsHtrHSEVmr0D5a6M1GFQSI'
    [Wed Oct 26 01:08:28 WIB 2016] Please be aware that you prepend _acme-challenge. before your domain
    [Wed Oct 26 01:08:28 WIB 2016] so the resulting subdomain will be: _acme-challenge.sub1.mydomain.com
    [Wed Oct 26 01:08:28 WIB 2016] txtdomain='_acme-challenge.www.mydomain.com'
    [Wed Oct 26 01:08:28 WIB 2016] txt='E7BOWaXzSmOjA3KP-22_MfjS4WWFTtLiYHzngkCV9gk'
    [Wed Oct 26 01:08:28 WIB 2016] d_api
    [Wed Oct 26 01:08:28 WIB 2016] Add the following TXT record:
    [Wed Oct 26 01:08:28 WIB 2016] Domain: '_acme-challenge.www.mydomain.com'
    [Wed Oct 26 01:08:28 WIB 2016] TXT value: 'E7BOWaXzSmOjA3KP-22_MfjS4WWFTtLiYHzngkCV9gk'
    [Wed Oct 26 01:08:28 WIB 2016] Please be aware that you prepend _acme-challenge. before your domain
    [Wed Oct 26 01:08:28 WIB 2016] so the resulting subdomain will be: _acme-challenge.www.mydomain.com
    [Wed Oct 26 01:08:28 WIB 2016] 21:Le_Vlist="mydomain.com#6WCEihg0kQemKkv7BS7Tt0Tw6Zp2hZaqHEj5eptFCLs.emzJaxyLD5z3RjYjDIsw5ibnya3LoEv86Wh8h_0Id14#https://acme-staging.api.letsencrypt.org/acme/challenge/MKps4uZwW-mEZrF4RzJZ0p9NmVGAo0zQaM5eD5wJ2T8/16219299#dns-01#dns,sub1.mydomain.com#sjCPEMCYrhwdlPmhdCvZH_QGKo-xHQlAZ0_0fdXgu-k.emzJaxyLD5z3RjYjDIsw5ibnya3LoEv86Wh8h_0Id14#https://acme-staging.api.letsencrypt.org/acme/challenge/ejw7az7hMFGAy12NxGbBJgIvPF4s3VuM-I68VxM5f3E/16219301#dns-01#dns,www.mydomain.com#iG22sL-lkvauVHxwOB7eqXhrHOTMF5QQx5ScIAfg_ko.emzJaxyLD5z3RjYjDIsw5ibnya3LoEv86Wh8h_0Id14#https://acme-staging.api.letsencrypt.org/acme/challenge/a4nAS0C2IbAjSqKYhXrbsl4xARRL-LPwpstQkTjwMbs/16219305#dns-01#dns,"
    [Wed Oct 26 01:08:28 WIB 2016] Dns record not added yet, so, save to /root/.acme.sh/mydomain.com/mydomain.com.conf and exit.
    [Wed Oct 26 01:08:28 WIB 2016] Please add the TXT records to the domains, and retry again.

    seems it's for www.mydomain.com
    Code (Text):
    [Wed Oct 26 01:08:28 WIB 2016] Add the following TXT record:
    [Wed Oct 26 01:08:28 WIB 2016] Domain: '_acme-challenge.www.mydomain.com'
    [Wed Oct 26 01:08:28 WIB 2016] TXT value: 'E7BOWaXzSmOjA3KP-22_MfjS4WWFTtLiYHzngkCV9gk'
    [Wed Oct 26 01:08:28 WIB 2016] Please be aware that you prepend _acme-challenge. before your domain
    [Wed Oct 26 01:08:28 WIB 2016] so the resulting subdomain will be: _acme-challenge.www.mydomain.com
    [Wed Oct 26 01:08:28 WIB 2016] 21:Le_Vlist="mydomain.com#6WCEihg0kQemKkv7BS7Tt0Tw6Zp2hZaqHEj5eptFCLs.emzJaxyLD5z3RjYjDIsw5ibnya3LoEv86Wh8h_0Id14#https://acme-staging.api.letsencrypt.org/acme/challenge/MKps4uZwW-mEZrF4RzJZ0p9NmVGAo0zQaM5eD5wJ2T8/16219299#dns-01#dns,sub1.mydomain.com#sjCPEMCYrhwdlPmhdCvZH_QGKo-xHQlAZ0_0fdXgu-k.emzJaxyLD5z3RjYjDIsw5ibnya3LoEv86Wh8h_0Id14#https://acme-staging.api.letsencrypt.org/acme/challenge/ejw7az7hMFGAy12NxGbBJgIvPF4s3VuM-I68VxM5f3E/16219301#dns-01#dns,www.mydomain.com#iG22sL-lkvauVHxwOB7eqXhrHOTMF5QQx5ScIAfg_ko.emzJaxyLD5z3RjYjDIsw5ibnya3LoEv86Wh8h_0Id14#https://acme-staging.api.letsencrypt.org/acme/challenge/a4nAS0C2IbAjSqKYhXrbsl4xARRL-LPwpstQkTjwMbs/16219305#dns-01#dns,"
    [Wed Oct 26 01:08:28 WIB 2016] Dns record not added yet, so, save to /root/.acme.sh/mydomain.com/mydomain.com.conf and exit.
    [Wed Oct 26 01:08:28 WIB 2016] Please add the TXT records to the domains, and retry again.


    Check that your DNS TXT records are propagated at Global DNS Propagation Checker - What's My DNS?
     
  14. narji

  15. eva2000

    you need to test domain = _acme-challenge.mydomain.com for TXT record and so forth
     
  16. narji

    Command line in SSH, or through whatsmydns.net in TXT record?

    Only the first line appears in the whatsmydns.net TXT record:
    v=spf1 a include:_spf.google.com ~all
    The second line does not appear in the whatsmydns.net TXT record:
    _acme-challenge.mydomain.com
    The third line does not appear:
    _acme-challenge.sub1.mydomain.com
    The fourth line does not appear:
    _acme-challenge.www.mydomain.com
     
  17. eva2000

    at whatsmydns.net enter domain = _acme-challenge.mydomain.com drop down menu = TXT
     
  18. narji

    Already checked.
    Only the first line appears in the TXT record at whatsmydns.net:
    Code:
    v=spf1 a include:_spf.google.com ~all
    The second, third and fourth lines, where I put the Let's Encrypt challenge, do not appear.
    Both IPs are fine in the A record check.
     
  19. eva2000

    example

    upload_2016-10-26_12-38-53.png

    So if you entered _acme-challenge.mydomain.com you should get something similar. If not, then you entered your TXT DNS records incorrectly.
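
A command-line version of the propagation check discussed in the last few posts, as an added example that is not part of the original thread: it pulls the `_acme-challenge` names and TXT values out of acme.sh output and compares them with what DNS actually returns for those exact names. The function names, the optional `RESOLVER` variable and the use of `dig` are assumptions; the sample log is constructed from lines quoted above.

```shell
#!/bin/sh
# Added example: confirm that every dns-01 TXT record acme.sh asked for is
# published before re-running the --renew command.

# Constructed sample input, built from acme.sh lines quoted in this thread
# (one record is repeated in the untimestamped "manual steps" form).
SAMPLE_LOG="[Wed Oct 26 01:08:28 WIB 2016] Add the following TXT record:
[Wed Oct 26 01:08:28 WIB 2016] Domain: '_acme-challenge.mydomain.com'
[Wed Oct 26 01:08:28 WIB 2016] TXT value: 'swjKVy2_JYd5IN6YlUaP--7EadogNGJVxzI9wWJtskM'
[Wed Oct 26 01:08:28 WIB 2016] so the resulting subdomain will be: _acme-challenge.mydomain.com
[Wed Oct 26 01:08:28 WIB 2016] Domain: '_acme-challenge.sub1.mydomain.com'
[Wed Oct 26 01:08:28 WIB 2016] TXT value: 'Unj0wVEP-3B22218KCs4wsHtrHSEVmr0D5a6M1GFQSI'
[Wed Oct 26 01:08:28 WIB 2016] Domain: '_acme-challenge.www.mydomain.com'
[Wed Oct 26 01:08:28 WIB 2016] TXT value: 'E7BOWaXzSmOjA3KP-22_MfjS4WWFTtLiYHzngkCV9gk'
 Domain: '_acme-challenge.mydomain.com'
 TXT value: 'swjKVy2_JYd5IN6YlUaP--7EadogNGJVxzI9wWJtskM'"

# Read acme.sh output on stdin; print one "name value" pair per line.
# Fields are split on the single quote, so $2 is the quoted text.
# Repeated pairs (the log prints each record twice) are emitted once.
parse_challenges() {
    awk -F"'" '
        $1 ~ /Domain: $/ && $2 ~ /^_acme-challenge\./ { name = $2; next }
        $1 ~ /TXT value: $/ && name != "" {
            if (!seen[name " " $2]++) print name, $2
            name = ""
        }'
}

# Print the TXT strings published for a name, one per line, without quotes.
# RESOLVER is optional (assumption): set it to query a specific server,
# for example one of the zone's authoritative name servers.
lookup_txt() {
    dig +short TXT "$1" ${RESOLVER:+@$RESOLVER} </dev/null | tr -d '"'
}

# Read "name value" pairs on stdin and compare with DNS.
# Prints one status line per name; returns non-zero if any record is
# missing or carries a different value (e.g. left over from an older run).
check_challenges() {
    rc=0
    while read -r name want; do
        [ -n "$name" ] || continue
        got=$(lookup_txt "$name")
        if [ -z "$got" ]; then
            echo "MISSING  $name"
            rc=1
        elif printf '%s\n' "$got" | grep -qxF -- "$want"; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (published: $(printf '%s' "$got" | tr '\n' ' '))"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_acme_txt.sh /path/to/acme.sh-debug.log
# (the script name is arbitrary; with no argument nothing is queried)
if [ "$#" -gt 0 ]; then
    parse_challenges < "$1" | check_challenges
fi
```

Run it against the debug log named in the acme.sh output and only re-run the `--force --renew` command once every line reports `OK`.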