challenges.addr.tools - dns-01 ACME challenge helper zone
$ curl 'https://challenges.addr.tools/?secret=1SuperSecretPassphrase&txt=foo'
OK
$ curl -d 'secret=1SuperSecretPassphrase' -d 'txt=foo' https://challenges.addr.tools
OK
$ sha224=$(echo -n '1SuperSecretPassphrase' | shasum -a 224 | cut -c 1-56)
$ dig $sha224.challenges.addr.tools txt +short
"foo"
The DNS zone challenges.addr.tools is meant to ease the use of dns-01 ACME challenges in automated or batch TLS certificate issuance from certificate authorities such as Let's Encrypt.
Let challenge be a dns-01 ACME challenge validation string, secret be a strong password, and sha224 be the hex-encoded SHA-224 hash of secret (56 hex characters).

A GET, POST, or PUT request to https://challenges.addr.tools with secret=secret and txt=challenge, specified as URL query parameters or, alternatively for POST and PUT requests, as form values, will temporarily add challenge as a TXT record to the domain sha224.challenges.addr.tools. Responds with body OK and status code 201 on success.

A GET, POST, or PUT to https://challenges.addr.tools with only secret=secret specified responds with body sha224.challenges.addr.tools and makes no update.

sha224.challenges.addr.tools is meant to be the target of a CNAME at your "_acme-challenge" subdomain. Whoever knows secret can publish TXT records at that name, so the secret is the only thing standing between a third party and a passed dns-01 challenge for every domain whose _acme-challenge CNAME points there; treat it like a private key.
Remember to properly encode your secret value in your requests if it contains special characters. See curl's "--data-urlencode" option. Prefer sending the secret as a POST form value rather than in the GET query string: URLs tend to end up in shell history, proxy logs and web-server access logs, and a command line that contains the secret is visible to other local users via ps.
Say you want to obtain a wildcard TLS certificate for example.com from Let's Encrypt using Certbot.
First, pick a strong password. We'll use "1SuperSecretPassphrase", but you shouldn't.
Add a CNAME record to point _acme-challenge.example.com to the subdomain of challenges.addr.tools named by calculating the SHA-224 hash of "1SuperSecretPassphrase". This should look similar to:
Name:   _acme-challenge.example.com
Type:   CNAME
Target: 9afcdffa0d7a6d6f0140cadea70a9f62d58a96dd5d50f268086ca968.challenges.addr.tools
Now when Let's Encrypt queries _acme-challenge.example.com for the challenge TXT record, it follows the CNAME to 9afcdf…6ca968.challenges.addr.tools. We can give Certbot a command to automatically add the challenge TXT record to that subdomain:
$ certbot certonly \
    --manual \
    --manual-auth-hook 'curl "https://challenges.addr.tools/?secret=1SuperSecretPassphrase&txt=$CERTBOT_VALIDATION"' \
    --preferred-challenges dns \
    -d example.com \
    -d '*.example.com'
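The one-line hook above works, but it puts the secret on the command line and returns before the TXT record is necessarily visible. The following hook script is an added example, not code from challenges.addr.tools or from Certbot: it reads the secret from a file (the path CHALLENGES_SECRET_FILE and its default are assumptions, not something the service defines), derives the sha224 name exactly as the page does, checks that the _acme-challenge CNAME really points there, POSTs the token as a url-encoded form value, insists on the documented 201 response, and polls with dig until the record is visible before handing control back to Certbot. It relies on CERTBOT_DOMAIN and CERTBOT_VALIDATION, which Certbot exports to manual auth hooks.

```shell
#!/bin/sh
# Added example of a certbot --manual-auth-hook for challenges.addr.tools.
# Not code from challenges.addr.tools or Certbot. Assumptions (not on the
# page): the secret lives in the file named by CHALLENGES_SECRET_FILE
# (default ~/.challenges-secret, mode 0600) so it never appears in a
# command line, and propagation is polled with dig every 5 seconds.
set -eu

ZONE="challenges.addr.tools"
SECRET_FILE="${CHALLENGES_SECRET_FILE:-${HOME:-.}/.challenges-secret}"

# Hex SHA-224 of $1 (56 hex chars), using whichever digest tool is installed.
sha224_hex() {
  if command -v sha224sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha224sum | cut -c 1-56
  elif command -v shasum >/dev/null 2>&1; then
    printf '%s' "$1" | shasum -a 224 | cut -c 1-56
  else
    printf '%s' "$1" | openssl dgst -sha224 | sed 's/^.*= //'
  fi
}

# The name under the zone that this secret controls: <sha224>.challenges.addr.tools
challenge_name() {
  printf '%s.%s\n' "$(sha224_hex "$1")" "$ZONE"
}

# Apex and wildcard validate at the same label, so strip a leading "*.".
acme_label() {
  printf '_acme-challenge.%s\n' "${1#"*."}"
}

# Fail loudly if the CNAME does not point at the expected name.
check_cname() {
  label=$1 expected=$2
  actual=$(dig +short "$label" CNAME | sed 's/\.$//')
  [ "$actual" = "$expected" ] || {
    echo "CNAME for $label is '$actual', expected '$expected'" >&2
    return 1
  }
}

# POST secret and token as url-encoded form values; only a 201 is success.
publish_txt() {
  secret=$1 token=$2
  code=$(curl -sS -o /dev/null -w '%{http_code}' \
      --data-urlencode "secret=$secret" \
      --data-urlencode "txt=$token" \
      "https://$ZONE")
  [ "$code" = "201" ] || { echo "publish failed: HTTP $code" >&2; return 1; }
}

# Poll until the TXT record is visible so Certbot does not validate too early.
wait_for_txt() {
  name=$1 token=$2 tries=${3:-24}
  while [ "$tries" -gt 0 ]; do
    if dig +short "$name" TXT | grep -qF "\"$token\""; then return 0; fi
    tries=$((tries - 1))
    sleep 5
  done
  echo "TXT \"$token\" not visible at $name" >&2
  return 1
}

# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION when it runs the hook;
# with neither set (e.g. sourcing this file) nothing touches the network.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
  secret=$(cat "$SECRET_FILE")
  name=$(challenge_name "$secret")
  check_cname "$(acme_label "$CERTBOT_DOMAIN")" "$name"
  publish_txt "$secret" "$CERTBOT_VALIDATION"
  wait_for_txt "$name" "$CERTBOT_VALIDATION"
fi
```

Save it as, say, /usr/local/bin/challenges-hook.sh, chmod 0700 it, put the secret alone in ~/.challenges-secret with mode 0600, and pass `--manual-auth-hook /usr/local/bin/challenges-hook.sh` to the certbot command above instead of the inline curl. Certbot runs the hook once per name, so for example.com plus *.example.com it runs twice against the same label, and each run waits for its own token to appear.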