CHALLENGES.ADDR.TOOLS.                    Domain Name System                    CHALLENGES.ADDR.TOOLS.

NAME

challenges.addr.tools - dns-01 ACME challenge helper zone

SYNOPSIS

$ curl -d "foo" "https://challenges.addr.tools/1SuperSecretPassphrase"
9afcdffa…086ca968.challenges.addr.tools

$ dig 9afcdffa…086ca968.challenges.addr.tools txt +short
"foo"

DESCRIPTION

The DNS zone "challenges.addr.tools" is meant to ease the use of dns-01 ACME challenges in automated or batch TLS certificate issuance from certificate authorities such as Let's Encrypt.

USAGE

Let ‹challenge› be a dns-01 ACME challenge validation string, ‹secret› be a random alphanumeric string (or Base64) of at least 14 characters in length, and ‹sha224› be the SHA-224 hash of ‹secret›.

A POST to "https://challenges.addr.tools/‹secret›" with request body "‹challenge›" will temporarily add ‹challenge› as a TXT record to the domain "‹sha224›.challenges.addr.tools". Responds with status code 201 on success.

A GET to "https://challenges.addr.tools/‹secret›" will respond with "‹sha224›.challenges.addr.tools".

"‹sha224›.challenges.addr.tools" is meant to be the target of a CNAME at your "_acme-challenge" subdomain.

EXAMPLE

Say you want to obtain a wildcard TLS certificate for example.com from Let's Encrypt using Certbot.

First, pick a random alphanumeric string. This string acts like a password and must be at least 14 characters long. We'll use "1SuperSecretPassphrase".

Add a CNAME record to point "_acme-challenge.example.com" to the subdomain of "challenges.addr.tools" named by calculating the SHA-224 of "1SuperSecretPassphrase". This should look similar to:

Name: _acme-challenge.example.com
Type: CNAME
Target: 9afcdffa0d7a6d6f0140cadea70a9f62d58a96dd5d50f268086ca968.challenges.addr.tools

Now when Let's Encrypt queries "_acme-challenge.example.com" for the challenge TXT record, its resolver will follow the CNAME to "9afcdffa…086ca968.challenges.addr.tools". We can give Certbot an auth hook command that automatically adds the challenge TXT record to that domain:

$ certbot certonly \
    --manual \
    --manual-auth-hook 'curl -d "$CERTBOT_VALIDATION" "https://challenges.addr.tools/1SuperSecretPassphrase"' \
    --preferred-challenges dns \
    -d example.com \
    -d '*.example.com'
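The same procedure as a stand-alone auth hook script, added here as an example that is not part of addr.tools itself: it derives the CNAME target from the secret, enforces the length and character policy stated above, checks for the 201 response, and polls DNS until the TXT record is visible before letting Certbot continue. It assumes the secret is supplied in a hypothetical ACME_SECRET environment variable (so it does not appear in the command line) and that Certbot invokes the script via --manual-auth-hook with CERTBOT_VALIDATION set.

```shell
#!/bin/sh
# Added example, not addr.tools' own code. Usage with Certbot (assumed):
#   ACME_SECRET=1SuperSecretPassphrase certbot certonly --manual \
#       --manual-auth-hook ./addr-hook.sh --preferred-challenges dns -d example.com

# Hex SHA-224 of the secret; printf avoids hashing a trailing newline.
sha224_hex() {
  if command -v sha224sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha224sum | cut -d' ' -f1
  else
    printf '%s' "$1" | openssl dgst -sha224 | sed 's/^.* //'
  fi
}

# Name that _acme-challenge.<domain> must CNAME to for this secret.
challenge_target() {
  printf '%s.challenges.addr.tools\n' "$(sha224_hex "$1")"
}

# Policy from the page: at least 14 characters, alphanumeric or Base64.
validate_secret() {
  [ "${#1}" -ge 14 ] || return 1
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/=]+$'
}

# POST the validation string, require HTTP 201, then wait for the TXT
# record to be resolvable (network access; not exercised by the test).
publish_and_wait() {
  secret=$1; validation=$2; target=$(challenge_target "$secret")
  status=$(curl -s -o /dev/null -w '%{http_code}' -d "$validation" \
    "https://challenges.addr.tools/$secret") || return 1
  [ "$status" = "201" ] || { echo "POST failed: HTTP $status" >&2; return 1; }
  i=0
  while [ "$i" -lt 30 ]; do
    if dig +short "$target" TXT | grep -Fq "\"$validation\""; then return 0; fi
    i=$((i + 1)); sleep 2
  done
  echo "TXT record for $target not visible after 60s" >&2; return 1
}

# Certbot calls the hook with no arguments and exports CERTBOT_VALIDATION.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
  validate_secret "${ACME_SECRET:-}" || { echo "ACME_SECRET violates policy" >&2; exit 1; }
  publish_and_wait "$ACME_SECRET" "$CERTBOT_VALIDATION"
fi
```

Run `challenge_target "$ACME_SECRET"` once by hand to get the CNAME target to publish before the first certbot run.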

SEE ALSO

addr.tools