CHALLENGES.ADDR.TOOLS.

Domain Name System

NAME

challenges.addr.tools - dns-01 ACME challenge helper zone

SYNOPSIS

$ curl 'https://challenges.addr.tools/?secret=1SuperSecretPassphrase&txt=foo'
OK

$ curl -d 'secret=1SuperSecretPassphrase' -d 'txt=foo' https://challenges.addr.tools
OK

$ sha224=$(echo -n '1SuperSecretPassphrase' | shasum -a 224 | cut -c 1-56)
$ dig $sha224.challenges.addr.tools txt +short
"foo"

DESCRIPTION

The DNS zone challenges.addr.tools is meant to ease the use of dns-01 ACME challenges in automated or batch TLS certificate issuance from certificate authorities such as Let's Encrypt.

USAGE

Let challenge be a dns-01 ACME challenge validation string, secret be a strong password, and sha224 be the SHA-224 hash of secret.

A GET, POST, or PUT request to https://challenges.addr.tools with secret=secret and txt=challenge specified as URL query parameters or, alternatively for POST and PUT requests, as form values will temporarily add challenge as a TXT record to the domain sha224.challenges.addr.tools. Responds with body OK and status code 201 on success.

A GET, POST, or PUT to https://challenges.addr.tools with only secret=secret specified responds with body sha224.challenges.addr.tools and makes no update.

sha224.challenges.addr.tools is meant to be the target of a CNAME at your "_acme-challenge" subdomain.

Remember to URL-encode your secret value in your requests if it contains special characters such as "&", "=" or spaces, which would otherwise be parsed as parameter separators; see curl's "--data-urlencode" option. Note that a secret passed as a URL query parameter (as in the GET form above) is recorded in shell history and in proxy and web server logs, so prefer sending it in a POST body for anything beyond a quick test.

EXAMPLE

Say you want to obtain a wildcard TLS certificate for example.com from Let's Encrypt using Certbot.

First, pick a strong password. We'll use "1SuperSecretPassphrase", but you shouldn't.

Add a CNAME record to point _acme-challenge.example.com to the subdomain of challenges.addr.tools named by calculating the SHA-224 hash of "1SuperSecretPassphrase". This should look similar to:

Name: _acme-challenge.example.com
Type: CNAME
Target: 9afcdffa0d7a6d6f0140cadea70a9f62d58a96dd5d50f268086ca968.challenges.addr.tools

Now when Let's Encrypt queries _acme-challenge.example.com for the challenge TXT record, they will follow the CNAME to 9afcdf…6ca968.challenges.addr.tools. We can give Certbot a command to automatically add the challenge TXT record to that subdomain:

$ certbot certonly \
    --manual \
    --manual-auth-hook 'curl "https://challenges.addr.tools/?secret=1SuperSecretPassphrase&txt=$CERTBOT_VALIDATION"' \
    --preferred-challenges dns \
    -d example.com \
    -d '*.example.com'
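The same procedure as a standalone auth hook, added here as an example and not part of challenges.addr.tools or Certbot: it derives the CNAME target from the secret with SHA-224, form-encodes the secret and challenge into a POST body so special characters survive intact, and checks for the documented 201/OK success response. The secret is read from an environment variable named ADDR_TOOLS_SECRET, which is an assumption of this example; CERTBOT_VALIDATION is the variable Certbot itself exports to the hook.

```python
#!/usr/bin/env python3
"""Certbot --manual-auth-hook for challenges.addr.tools (added example, not project code).

Usage as a hook:
    ADDR_TOOLS_SECRET='...' certbot certonly --manual \
        --manual-auth-hook /path/to/this_script.py --preferred-challenges dns -d example.com
"""
import hashlib
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

ZONE = "challenges.addr.tools"
ENDPOINT = "https://" + ZONE + "/"


def cname_target(secret: str) -> str:
    """Name to point _acme-challenge.<domain> at: hex SHA-224 of the secret, under the zone."""
    digest = hashlib.sha224(secret.encode("utf-8")).hexdigest()  # always 56 hex characters
    return f"{digest}.{ZONE}"


def request_body(secret: str, txt: str) -> bytes:
    """Form-encode the two parameters; urlencode escapes '&', '=', spaces and non-ASCII."""
    return urllib.parse.urlencode({"secret": secret, "txt": txt}).encode("ascii")


def is_success(status: int, body: str) -> bool:
    """The service signals success with HTTP 201 and the body 'OK'."""
    return status == 201 and body.strip() == "OK"


def publish(secret: str, txt: str, endpoint: str = ENDPOINT) -> tuple[int, str]:
    """POST the challenge TXT value; returns (status, body) even for HTTP error statuses."""
    req = urllib.request.Request(endpoint, data=request_body(secret, txt), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def main() -> int:
    secret = os.environ.get("ADDR_TOOLS_SECRET")      # assumed variable name for this example
    validation = os.environ.get("CERTBOT_VALIDATION")  # exported by Certbot to the auth hook
    if not secret or not validation:
        print("ADDR_TOOLS_SECRET and CERTBOT_VALIDATION must be set", file=sys.stderr)
        return 2
    status, body = publish(secret, validation)
    if not is_success(status, body):
        print(f"unexpected response: {status} {body!r}", file=sys.stderr)
        return 1
    print(f"TXT record published at {cname_target(secret)}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the secret travels in the POST body rather than the URL, it does not land in shell history or request logs, and the hook exits non-zero on anything other than the documented success response so that Certbot stops before asking the CA to validate.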

SEE ALSO

addr.tools