.. Open Infrastructure: service-tools
.. Copyright (C) 2014-2021 Daniel Baumann
..
.. SPDX-License-Identifier: GPL-3.0+
..
.. This program is free software: you can redistribute it and/or modify
.. it under the terms of the GNU General Public License as published by
.. the Free Software Foundation, either version 3 of the License, or
.. (at your option) any later version.
..
.. This program is distributed in the hope that it will be useful,
.. but WITHOUT ANY WARRANTY; without even the implied warranty of
.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.. GNU General Public License for more details.
..
.. You should have received a copy of the GNU General Public License
.. along with this program. If not, see .

===================
dehydrated-nsupdate
===================

---------------------------------------
dehydrated hook for dns-01 verification
---------------------------------------

:manual section: 1
:manual group: Open Infrastructure

Synopsis
========

| **dehydrated-nsupdate**

Description
===========

**dehydrated** is a client for ACME-based Certificate Authorities, such as
Let's Encrypt. It can be used to request and obtain TLS certificates from an
ACME-based certificate authority.

The **dehydrated-nsupdate** hook implements the dns-01 verification. It is
typically run together with **dehydrated-hook** as:

| /etc/dehydrated/hook.d/deploy_challenge.nsupdate
| /etc/dehydrated/hook.d/clean_challenge.nsupdate

Features
========

**dehydrated-nsupdate** has the following features:

| **automatic nameserver detection**
| **dehydrated-nsupdate** automatically finds and updates all authoritative
| nameservers for a given record by looking up the records in the DNS by itself.

| **proper CNAME support**
| **dehydrated-nsupdate** follows CNAMEs delegating the TXT record creation to
| another zone.

| **handling nameserver subzone shortcuts**
| **dehydrated-nsupdate** correctly handles authoritative nameserver
| answers that give shortcut answers for their own zones when using
| multiple subzones.

| **TSIG support**
| **dehydrated-nsupdate** uses TSIG, if provided, to authenticate
| itself to the nameserver.

| **proper removal of TXT records**
| **dehydrated-nsupdate** removes records after successful verification.

| **bind9-dnsutils and knot-dnsutils support**
| **dehydrated-nsupdate** works with both nsupdate (bind9) and knsupdate (knot),
| including support for kdig's out-of-tree JSON output.

| **IDN handling**
| **dehydrated-nsupdate** works with IDN domains by not expanding the punycode.

Files
=====

The following files are used:

/etc/dehydrated/tsig.key:
  default location for the TSIG key to be used.

/etc/default/dehydrated-nsupdate, /etc/default/dehydrated-nsupdate.d/*:
  configuration file, currently only used for TSIG_KEYFILE variable pointing to
  the tsig.key file to be used (default: /etc/dehydrated/tsig.key).

See also
========

| dehydrated(1),
| dehydrated-cron(1),
| dehydrated-hook(1).

Homepage
========

More information about service-tools and the Open Infrastructure project can be
found on the homepage (https://open-infrastructure.net).

Contact
=======

Bug reports, feature requests, help, patches, support and everything else
are welcome on the Open Infrastructure Software Mailing List .

Debian specific bugs can also be reported in the Debian Bug Tracking System
(https://bugs.debian.org).

Authors
=======

service-tools were written by Daniel Baumann and others.
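
Example
=======

The following sketch is an added illustration of the features listed above (CNAME delegation, one update per authoritative nameserver, TXT add and removal); it is not the dehydrated-nsupdate source. The function names, the sample zones and nameservers, the 60-second TTL and the 8-hop limit are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration; not the dehydrated-nsupdate source. Sample names are constructed.

# dns-01 TXT owner name for a certificate name (RFC 8555 section 8.4);
# wildcard names are validated at the base domain.
challenge_name() {
    printf '_acme-challenge.%s.\n' "${1#\*.}"
}

# Follow CNAME delegation for $1. stdin: "owner target" lines standing in for
# live CNAME lookups. Fails after 8 hops so a CNAME loop cannot spin forever.
follow_cname() {
    name="$1"; map="$(cat)"; hops=0
    while :; do
        target="$(printf '%s\n' "$map" | awk -v n="$name" '$1 == n { print $2; exit }')"
        [ -n "$target" ] || break
        hops=$((hops + 1))
        [ "$hops" -le 8 ] || return 1
        name="$target"
    done
    printf '%s\n' "$name"
}

# Build the nsupdate batch. $1 = add|delete, $2 = server, $3 = record, $4 = TXT value.
# Inputs are checked first so nothing can smuggle extra update commands into the batch.
nsupdate_batch() {
    for field in "$2" "$3"; do
        case "$field" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    done
    case "$4" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac   # base64url characters only
    case "$1" in
        add)    update="update add $3 60 IN TXT \"$4\"" ;;   # 60 is an assumed TTL
        delete) update="update delete $3 IN TXT \"$4\"" ;;
        *)      return 1 ;;
    esac
    printf 'server %s\n%s\nsend\n' "$2" "$update"
}

# Demo with constructed data: the challenge for www.example.org is delegated
# by CNAME to a zone served by two nameservers, and each one gets the update.
record="$(challenge_name www.example.org)"
record="$(printf '%s acme.example.net.\n' "$record" | follow_cname "$record")"
for server in ns1.example.net ns2.example.net; do
    # Live use: pipe into nsupdate -k "$TSIG_KEYFILE" instead of printing.
    nsupdate_batch add "$server" "$record" "CONSTRUCTED_sample-value_0123456789abcdefgh"
done
```

Rejecting anything outside the expected character sets before the batch is built keeps a malformed domain or token value from adding lines to the update sent under the TSIG key.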